On Wednesday, 19 October 2022 20:05:03 CEST Konrad Windszus wrote:
> Hi,

Hi,

> There are lots of vulnerabilities reported which do not affect our usage of
> dependencies. Therefore I am still in favour of putting the responsibility
> towards those who build applications/distributions out of Sling bundles.
> For Sling Starter this is obviously us.
> 
> I would recommend to introduce some automated means (apart from dependabot)
> to check for vulnerabilities on all Maven projects which are not OSGi
> bundles. Something like
> https://jeremylong.github.io/DependencyCheck/dependency-check-maven/
> works for that use case.
> 
> A new policy for not depending on vulnerable dependencies will put a lot of
> pressure on us, to release bundles way more often than we currently do (for
> no functional benefit).
> 
> However, what is documented at
> https://cwiki.apache.org/confluence/display/SLING/Dependabot probably needs
> to be documented on our web site for consumers as well, so that the
> expectations can be managed.

+1 to everything above

In addition, there are dependencies where the older versions are not vulnerable.
Depending on the lowest possible version gives us more flexibility.

Regards,
O.

> Regards,
> Konrad
> 
> > On 19. Oct 2022, at 17:28, Carsten Ziegeler <cziege...@apache.org> wrote:
> > 
> > Hi,
> > 
> > in light of https://issues.apache.org/jira/browse/SLING-11623 I think it's
> > worth having a hopefully brief discussion about our dependency update
> > policy.
> > 
> > https://cwiki.apache.org/confluence/display/SLING/Dependabot captures what
> > we said in the past and I think this is a good guideline, keeping the
> > dependency at the lowest required.
> > 
> > However :) with security issues in dependencies like the above, we leave
> > all the responsibility on our users. Clearly, we don't want any of our
> > users to run with known security issues, so if we update our dependencies
> > to versions without known issues, we help our customers as they have to
> > update the dependencies as well. It makes the world a little bit safer
> > and avoids all these continuous scanning reports.
> > 
> > I'm currently torn between the two, slightly preferring to update
> > dependencies in case of security issues.
> > 
> > Regards
> > Carsten
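The automated check Konrad mentions above (OWASP dependency-check-maven, run against the non-bundle Maven projects such as distributions) is usually wired into the build as a plugin that fails the build above a CVSS threshold and reads a suppression file for the findings that do not affect the project's actual usage of a dependency. The pom.xml fragment below is an added illustration, not configuration from the Sling project or from this thread; the plugin version, the CVSS threshold of 7 and the path `dependency-check-suppressions.xml` are assumptions chosen for the example.

```xml
<!-- Added example: OWASP dependency-check in a non-OSGi Maven project (e.g. a distribution).
     Not Sling's own configuration; version, threshold and suppression path are assumptions. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>7.3.0</version> <!-- assumed; pin to the current release -->
      <configuration>
        <!-- fail the build if any dependency has a known CVE at or above this CVSS score -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
        <!-- only the runtime footprint matters for a distribution; skip test-only jars -->
        <skipTestScope>true</skipTestScope>
        <!-- reviewed false positives / not-applicable findings live here,
             with a note per entry explaining why the usage is unaffected -->
        <suppressionFiles>
          <suppressionFile>dependency-check-suppressions.xml</suppressionFile>
        </suppressionFiles>
      </configuration>
      <executions>
        <execution>
          <goals>
            <goal>check</goal>
          </goals>
          <phase>verify</phase>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

With this in place `mvn verify` runs the check on every build of the distribution, so the "known security issue in a dependency" case is caught where the resolved dependency set actually exists, rather than in each bundle's pom, which only states the lowest required version.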
