asf-tooling opened a new issue, #1102: URL: https://github.com/apache/tooling-trusted-releases/issues/1102
**ASVS Level(s):** [L1]

**Description:**

### Summary

The application enforces a 30-day maximum dependency age through code (`_MAX_AGE_DAYS=30` in `scripts/check_when_dependencies_updated.py`) with pre-commit enforcement, but this policy is not documented in application documentation as required by ASVS 15.1.1. New team members must read code to understand the policy, and the pre-commit hook incorrectly references 'ASVS 15.2.1' instead of '15.1.1'. There is no documented rationale for the 30-day value.

### Details

**Current enforcement mechanism:**

- Script reads `exclude-newer` timestamp from `uv.lock`
- Fails build if dependencies exceed 30 days old
- Verified on every commit via pre-commit hook

**Issues identified:**

1. Policy exists only in code (`scripts/check_when_dependencies_updated.py`, lines 30-31)
2. No documented rationale for 30-day value
3. Pre-commit hook description references wrong ASVS section (`.pre-commit-config.yaml`, lines 148-153)
4. No centralized policy document for team reference

ASVS 15.1.1 requires dependency management policies to be defined in application documentation, not just enforced in code.

**Affected files:**

- `scripts/check_when_dependencies_updated.py`, lines 30-31
- `.pre-commit-config.yaml`, lines 148-153

### Recommended Remediation

1. **Create policy documentation:** Add documented reference in `SECURITY.md` or `docs/dependency-remediation-policy.md`:

   ```markdown
   ## Dependency Update Policy

   ### General Library Updates (ASVS 15.1.1)

   - **Maximum age:** 30 days
   - **Rationale:** Balance between stability and security freshness
   - **Enforcement:** Automated pre-commit hook checks `exclude-newer` timestamp
   - **Verification:** Every commit triggers dependency age validation
   ```

2. **Fix ASVS reference:** Correct `.pre-commit-config.yaml` line 150 from 'ASVS 15.2.1' to 'ASVS 15.1.1'

3. **Add code comments:** Reference policy document in `scripts/check_when_dependencies_updated.py`:

   ```python
   # Enforces 30-day maximum dependency age per dependency-remediation-policy.md
   _MAX_AGE_DAYS = 30
   ```

**Estimated effort:** ~1 hour

### Acceptance Criteria

- [ ] Policy document created in `SECURITY.md` or `docs/dependency-remediation-policy.md`
- [ ] Document explains 30-day value and rationale
- [ ] Document describes enforcement mechanism
- [ ] ASVS reference corrected in `.pre-commit-config.yaml`
- [ ] Code comments added referencing policy document
- [ ] Unit test verifying the fix

### References

- Source reports: L1:15.1.1.md
- Related findings: FINDING-198
- ASVS sections: 15.1.1

### Priority

Low

---

-- This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
