Hi,

I was wondering how Dependabot works with Gradle, here is the answer

https://dev.to/cricketsamya/gradle-with-dependabot-1o47

So I'll try it tomorrow

Jacques

On 05/04/2022 at 14:11, Jacques Le Roux wrote:
At least we can try and see how easy it is to apply those Dependabot PRs, or be 
inspired by them.
I trust we should be faster than any pen tester to fix issues (if possible, 
dependencies can be complicated).

On 05/04/2022 at 14:06, Jacques Le Roux wrote:
On the other hand we can simply neglect Dependabot and update when we 
see/"feel" it's needed.

But that's not a very secure way. Having Dependabot running for us would have 
prevented 2 current CVEs pending...

Jacques

On 05/04/2022 at 14:02, Jacques Le Roux wrote:
Hi Michael,

Jarek clarified for us. I'll carefully read the GH link, but that sounds pretty 
safe.

Jacques


-------- Forwarded message --------
Subject:     Re: [NOTICE] Dependabot Updates enabled for all projects
Date:     Tue, 5 Apr 2022 13:37:06 +0200
From:     Jarek Potiuk <ja...@potiuk.com>
To:     Jacques Le Roux <jacques.le.r...@les7arts.com>
Cc:     us...@infra.apache.org

Dependabot only creates PRs for the public vulnerabilities of your
dependencies (not your own code). This is purely about keeping your
supply-chain secure.

This feature does not change the regular handling of security reports
we get via security@a.o as far as I understand.

You can read more here:
https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates

J.

On Tue, Apr 5, 2022 at 1:25 PM Jacques Le Roux
<jacques.le.r...@les7arts.com> wrote:
Hi Jarek,

OK, but what about the others, those not public? I guess we can send them to 
our (private) security ML?

TIA

Jacques

On 05/04/2022 at 11:07, Jarek Potiuk wrote:
Yes. But those are only for security vulnerabilities that are already
public. So trying to "not" show them is security-by-obscurity.

J.

On Tue, Apr 5, 2022 at 11:01 AM Jacques Le Roux
<jacques.le.r...@les7arts.com> wrote:
Hi Chris,

Can these PRs be seen by everybody?

Thanks

Jacques

On 05/04/2022 at 06:30, Chris Lambertus wrote:
Hi folks,

Infra is pleased to announce that GitHub’s Dependabot service has been approved for use by ASF Legal and Infra, and is now enabled for all repos.  Dependabot will create PRs in your repo with recommended security updates for your project. It is entirely up to the project to accept or reject these PRs.

Dependabot Alerts can also be configured per-project, but currently the notifications go to Org Admins only. If your project wishes to receive Dependabot Alerts via email, please open an Infra Jira ticket so that we can add your committer team to the alerts.

-Chris
ASF Infra
