> Thank you for clarifying. So if I understand correctly, Renovatebot
> polls Dependabot alerts for new vulnerable dependencies, and when it
> finds one it creates a PR. That PR would then serve as the entry point
> for handling vulnerabilities in Solr.

I think that is accurate.

> Would it be possible to add metadata to such PRs? For example, using the
> `commitBody` template:

I see a commitMessageSuffix config option for vulnerability PRs.
Otherwise, renovate can run a custom command for each PR, where we could hook 
in more logic. And PRs will be labeled with "security", so a new 
solrSecurityBot could run periodically to scan for new security PRs and do 
stuff.

> I was thinking about proposing a workflow like this that could be
> triggered by the Renovatebot PR:
> 
> 1. Open a JIRA issue to track handling of the vulnerability.

We could also just keep it simple and handle the vulnerability in the PR 
itself. Our project has made it optional to have a JIRA for everything, and if 
it does not add some concrete benefit over what the PR already brings, let's 
not do it.

> Because Solr relies on Hadoop’s shaded artifacts, Solr’s security
> depends on Hadoop promptly releasing updates whenever a shaded
> dependency is vulnerable. That’s why I think it’s useful to design a
> workflow compatible with Hadoop’s build tools (Maven/Dependabot), while
> also aligning with similar efforts in Commons and Logging.

Our hdfs and hadoop-auth modules are removed from v10 so I don't think we need 
to make design choices based on those specifically.

Jan
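The periodic scan Jan sketches above (a bot that looks for PRs labeled "security" and reads metadata appended to the PR body) as an added example; this is not code from the Solr project or from Renovate. The bracketed `[key: value]` suffix format, the `triage` and `parse_metadata` names, and the sample PR records are assumptions of this example; the record shape follows the GitHub REST API's pull-request objects (labels as a list of `{"name": ...}`), but the values are constructed.

```python
import json
import re
from typing import Dict, List

# Constructed sample of pull-request records (made-up numbers, titles and
# bodies). The shape mirrors the GitHub REST API's pull-request objects so
# the same code can be pointed at the real /pulls endpoint later.
SAMPLE_PRS_JSON = """
[
  {"number": 101, "title": "Update dependency example-lib to v1.2.3",
   "labels": [{"name": "security"}, {"name": "dependencies"}],
   "body": "Bumps example-lib.\\n\\n[advisory: PLACEHOLDER-ADVISORY-ID] [severity: high]"},
  {"number": 102, "title": "Update dependency other-lib to v4.0.0",
   "labels": [{"name": "dependencies"}],
   "body": "Routine version bump."},
  {"number": 103, "title": "Update dependency third-lib to v2.9.1",
   "labels": [{"name": "security"}],
   "body": "Bumps third-lib. No suffix was configured for this one."}
]
"""

# Hypothetical suffix convention, e.g. "[advisory: ID] [severity: high]",
# as might be appended through Renovate's commitMessageSuffix.
TAG_RE = re.compile(r"\[(?P<key>[a-z-]+):\s*(?P<value>[^\]]+)\]")


def parse_metadata(text: str) -> Dict[str, str]:
    """Extract bracketed key/value tags from a PR or commit body."""
    return {m.group("key"): m.group("value").strip() for m in TAG_RE.finditer(text or "")}


def security_prs(prs: List[dict], label: str = "security") -> List[dict]:
    """Keep only PRs carrying the given label (the bot's selection step)."""
    return [pr for pr in prs if any(l.get("name") == label for l in pr.get("labels", []))]


def triage(prs_json: str, label: str = "security") -> List[dict]:
    """Turn raw PR JSON into a worklist: number, title, parsed metadata, and
    whether the PR lacks the metadata the bot expects (so it can be flagged
    for a human rather than silently processed)."""
    worklist = []
    for pr in security_prs(json.loads(prs_json), label):
        meta = parse_metadata(pr.get("body", ""))
        worklist.append({
            "number": pr["number"],
            "title": pr["title"],
            "metadata": meta,
            "missing_metadata": "advisory" not in meta,
        })
    return worklist


if __name__ == "__main__":
    for item in triage(SAMPLE_PRS_JSON):
        print(item)
```

Running the module prints one worklist entry per security-labeled PR; #102 is skipped, #101 carries parsed tags, and #103 is flagged as missing metadata so the bot can ask for it instead of guessing.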
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@solr.apache.org
For additional commands, e-mail: dev-h...@solr.apache.org
