Enable dependency update scanning #83

Closed
relud opened this issue Sep 17, 2018 · 12 comments
Labels: enhancement (New feature or request)

Comments

@relud
Contributor

relud commented Sep 17, 2018

Per https://github.com/mozilla-services/foxsec/blob/master/README.mediawiki#Security_Checklist

  • enable security scanning of 3rd-party libraries and dependencies
    • ...
    • For Python, enable pyup security updates:
      • Add a pyup config to your repo (example config: https://github.com/mozilla-services/antenna/blob/master/.pyup.yml)
      • Enable branch protection for master and other development branches. Make sure the approved-mozilla-pyup-configuration team CANNOT push to those branches.
      • From the "add a team" dropdown for your repo /settings page
        • Add the "Approved Mozilla PyUp Configuration" team for your github org (e.g. for mozilla and mozilla-services)
        • Grant it write permission so it can make pull requests
      • notify secops@mozilla.com to enable the integration in pyup
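An added example of the `.pyup.yml` the checklist step above refers to; it is not the antenna configuration linked there and not the project's own file. The keys follow pyup's documented config format, and the requirement-file paths are placeholders. It shows the `update` setting behind the "security updates or all updates" question: `insecure` restricts pull requests to packages with known advisories, `all` also opens routine version bumps.

```yaml
# .pyup.yml (added example; placeholder paths, not the antenna config)

# Which updates pyup opens pull requests for.
#   insecure -> only packages with a known security advisory
#   all      -> every new release, which is reasonable only when CI
#               fully exercises the code and can be trusted to gate merges
update: insecure
# update: all

# Pin requirements that are unpinned, so every version change arrives as
# an explicit PR instead of silently drifting on the next install.
pin: True

# Branch the bot targets. It must be protected so the pyup team can only
# open PRs against it and never push directly (see the checklist above).
branch: master

# How often pyup batches its checks and pull requests.
schedule: "every week"

# List requirement files explicitly instead of auto-discovering them, so
# vendored or fixture requirement files are not picked up by accident.
search: False
requirements:
  - requirements.txt        # placeholder path
  - requirements-dev.txt    # placeholder path

# Label the bot's PRs so reviewers can spot them; pyup's docs note this
# needs the integration to have write access on the repository.
label_prs: dependencies
```

To confirm the branch-protection requirement from the same checklist, fetch the protection settings for the branch from the GitHub API (`GET /repos/{owner}/{repo}/branches/{branch}/protection`) and check that the pyup team does not appear under `restrictions.teams` and that required status checks are enabled, so a dependency PR can only land through CI and review rather than a direct push by the bot's team.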
@relud
Contributor Author

relud commented Sep 17, 2018

@whd @jklukas do you have opinions on whether this should be security updates or all updates?

@jklukas
Contributor

jklukas commented Sep 17, 2018

If CI is expected to fully exercise the code, then we should be able to take all updates with confidence.

@pdehaan
Collaborator

pdehaan commented Sep 17, 2018

@jvehent: Re: https://github.com/mozilla-services/foxsec/blob/master/README.mediawiki#Security_Checklist, do we have documentation somewhere on Java specific best practices/tools?

@jvehent

jvehent commented Sep 17, 2018

I'm not a java guy, but I think OWASP's dependency check might be useful. @psiinon may have tips too.

@psiinon

psiinon commented Sep 20, 2018

For ZAP we use:

Just give me a shout if you'd like any advice and guidance...

@relud relud added good first issue Good for newcomers bug Something isn't working labels Oct 15, 2018
@jklukas jklukas removed the good first issue Good for newcomers label Oct 16, 2018
@relud relud added enhancement New feature or request and removed bug Something isn't working labels Oct 22, 2018
@jklukas
Contributor

jklukas commented Nov 12, 2018

@jezdez has good things to say about https://dependabot.com/

@jklukas
Contributor

jklukas commented Nov 12, 2018

Dependabot also supports Maven (in beta), so I'm going to investigate them a bit more.

@jezdez

jezdez commented Nov 13, 2018

Yep, I found it nicer than pyup and renovate.

@jezdez

jezdez commented Nov 13, 2018

Also it was recommended by foxsec people (@jvehent et al).

@jklukas
Contributor

jklukas commented Nov 13, 2018

Enabling dependabot requires an admin for the GitHub org, so filed https://bugzilla.mozilla.org/show_bug.cgi?id=1506836

@jklukas jklukas self-assigned this Nov 13, 2018
@jklukas
Contributor

jklukas commented Nov 13, 2018

Access for dependabot is granted and I just did an initial setup. It's analyzing right now.

@jklukas jklukas changed the title Enable pyup on ingestion-edge Enable dependency update scanning Nov 13, 2018
@jklukas
Contributor

jklukas commented Nov 13, 2018

This is now running and dependabot issued ~8 PRs across both the python and Java bits of the codebase here. It also looks like it detects when a rebase is needed due to master changing, and it automatically updates its PR. I am impressed.

@jklukas jklukas closed this as completed Nov 13, 2018
6 participants