Hi all,

I’d like to provide some context and follow-up regarding the PR I recently opened to add a weekly CVE vulnerability check workflow to Apache Ratis:
https://github.com/apache/ratis/pull/1328

The goal of this change is to introduce a lightweight, periodic CVE scan (similar to IoTDB’s approach) so that we can continuously monitor dependency vulnerabilities and better manage our SBOM-related security risk.

At the moment, although the required secrets have already been configured on the Ratis side, the workflow cannot be triggered in the main repository until the PR is merged into master. To validate the workflow behavior end-to-end, I pushed the same changes to the master branch of my personal fork and triggered the action there.

Workflow run result (from my fork):
https://github.com/OneSizeFitsQuorum/ratis/actions/runs/20201379460

Current scan result: no known CVE issues detected on the branch at this time:
https://github.com/OneSizeFitsQuorum/ratis/commits/master/

The result is consistent with expectations and confirms that the workflow works as intended.

With this weekly scanning mechanism in place, we would be able to:
* Regularly detect newly disclosed CVEs affecting our dependencies
* Proactively assess SBOM-related security risks
* Decide in a timely manner whether to upgrade or adjust third-party dependencies when issues are found

I’d appreciate feedback from the community on this approach, and whether there are any concerns or suggestions before moving forward with merging the PR.

Thanks for your time and review.

Best regards,
Xinyu
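For readers who want to see what a scheduled dependency CVE scan of this kind looks like, the following is an added illustration written for this page; it is not the contents of PR 1328 and not IoTDB's workflow. It assumes a Maven build scanned with OWASP Dependency-Check, a repository secret named NVD_API_KEY holding an NVD API key (the secret name, the cron time, the Java version and the CVSS failure threshold are all assumptions), and a multi-module project, which is why the `aggregate` goal is used rather than `check`.

```yaml
# Added illustration only; the real PR contents are not shown on this page.
# Assumed: an NVD API key is stored in a repository secret named NVD_API_KEY.
name: Weekly CVE check

on:
  schedule:
    # Assumed schedule: every Monday at 02:00 UTC.
    - cron: '0 2 * * 1'
  # Manual trigger, e.g. to validate the workflow from a fork before merge.
  workflow_dispatch:

permissions:
  contents: read

jobs:
  dependency-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'   # assumed; use the project's build JDK
          cache: maven

      # Resolve the full multi-module dependency graph before scanning.
      - name: Build (skip tests)
        run: mvn -B -ntp -DskipTests install

      # The aggregate goal scans the dependencies of every reactor module.
      # failBuildOnCVSS=7 (assumed threshold) turns the scheduled run red when
      # any finding has CVSS >= 7, which is what notifies the team.
      - name: Scan dependencies for known CVEs
        env:
          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
        run: >
          mvn -B -ntp org.owasp:dependency-check-maven:aggregate
          -DnvdApiKey="$NVD_API_KEY"
          -DfailBuildOnCVSS=7
          -Dformats=HTML,JSON

      # Keep the report even when the scan step fails on a finding.
      - name: Upload report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: dependency-check-report
          path: |
            target/dependency-check-report.html
            target/dependency-check-report.json
```

Two practical notes on a workflow of this shape: the NVD API key is needed because unauthenticated NVD feed downloads are rate-limited and can make a weekly run slow or flaky, and a `schedule` trigger only runs against the default branch, so supported release branches need the same workflow file committed on them (or a matrix that checks them out explicitly) if they are to be covered. The plugin version should be pinned in the pom rather than resolved at run time, so that scans stay reproducible.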
