I think the automatic PRs are fine, personally, but I'm having trouble understanding how these .asf.yaml settings map to the specific corresponding GitHub settings to know which options are best. I think turning them both on is fine, and they can be tweaked later if they become a problem that needs to be scaled back.
On Mon, Mar 23, 2026 at 3:09 PM Patrick Hunt <[email protected]> wrote:
>
> According to the infra team we need to set the following in our .asf.yaml:
> https://github.com/apache/zookeeper/blob/master/.asf.yaml
>
> https://github.com/apache/infrastructure-asfyaml/blob/main/README.md#depend_alerts
>
> github:
>   dependabot_alerts: true
>   dependabot_updates: false
>
> I can submit a PR for this, assuming everyone here is good with this change?
>
> We want alerts but not the automatic security update pull requests is my
> guess? (iow as doc'd here - alert true, update false)
>
> LMK if there are any concerns, regards,
>
> Patrick
>
>
> On Sat, Mar 21, 2026 at 10:32 AM Enrico Olivelli <[email protected]> wrote:
>>
>> On Fri, Mar 13, 2026, 20:12 Patrick Hunt <[email protected]> wrote:
>>
>>> I see that we have scanning running in general: (says ran a few hours ago)
>>> https://github.com/apache/zookeeper/security/dependabot
>>>
>>> What I don't see is a PR workflow, here for hbase:
>>> https://github.com/apache/hbase/actions/workflows/dependabot/dependabot-updates
>>> which I don't seem to be able to add for ZK.
>>>
>>> I also see this:
>>> https://cwiki.apache.org/confluence/display/INFRA/Git+-+.asf.yaml+features#Git.asf.yamlfeatures-DependabotAlertsandUpdates
>>> but hbase doesn't have it specified...
>>> https://github.com/apache/hbase/blob/master/.asf.yaml
>>>
>>> I searched around quite a bit on infra JIRA and mail archives... but I
>>> don't see any breadcrumbs. Weird. I guess I could ask on infra ML?
>>
>> Yes please
>>
>> Enrico
>>
>>> Patrick
>>>
>>> On Thu, Mar 12, 2026 at 12:44 AM Dávid Paksy <[email protected]> wrote:
>>>
>>>> Hi All,
>>>>
>>>> I think it is a great idea to use Dependabot and code scanning in GitHub.
>>>> In the HBase project we already have Dependabot enabled and it helps a lot
>>>> with identifying issues and opening PRs to fix them.
>>>> Maybe we can ask in the ASF Infra Slack channel or open an INFRA Jira ticket.
>>>>
>>>> Best Regards,
>>>> Dávid
>>>>
>>>> Patrick Hunt <[email protected]> wrote (on Wed, Mar 11, 2026, 19:30):
>>>>
>>>>> On Tue, Mar 10, 2026 at 5:53 PM Christopher <[email protected]> wrote:
>>>>>
>>>>>> You're looking at the GitHub Actions that can be added to a project.
>>>>>> I'm not even sure if INFRA would allow any of those to run. They
>>>>>> probably have an allow-list of GitHub Actions that can run on our
>>>>>> repos.
>>>>>>
>>>>>> What I'm referring to would be in the repo settings:
>>>>>> https://github.com/apache/zookeeper/settings/security_analysis
>>>>>> But, I don't have access to those settings for this repo (or any ASF
>>>>>> repo; only INFRA has access).
>>>>>>
>>>>>> There may be a .asf.yaml option to enable the automated dependabot PRs.
>>>>>
>>>>> Hm. How would I find out more about this?
>>>>>
>>>>> Thanks!
>>>>>
>>>>> Patrick
>>>>>
>>>>>> On Tue, Mar 10, 2026 at 4:38 PM Patrick Hunt <[email protected]> wrote:
>>>>>>>
>>>>>>> On Tue, Mar 10, 2026 at 12:28 PM Christopher <[email protected]> wrote:
>>>>>>>
>>>>>>>> I think it's probably sufficient to just enable the GitHub code
>>>>>>>> scanning and dependabot PRs. That's what other projects do. It's
>>>>>>>> pretty easy to review and merge right from the interface, and it helps
>>>>>>>> stay on top of these.
>>>>>>>
>>>>>>> Sounds reasonable. Which code scanner do they use? When I attempt to turn
>>>>>>> code scanning on it gives me a list of options.
>>>>>>>
>>>>>>> I also noticed that osv-scanner is an option:
>>>>>>> https://github.com/apache/zookeeper/actions/new?category=security&query=osv
>>>>>>>
>>>>>>> Patrick
>>>>>>>
>>>>>>>> On Tue, Mar 10, 2026 at 3:08 PM Patrick Hunt <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>> On Tue, Mar 10, 2026 at 10:18 AM Patrick Hunt <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>> On Mon, Mar 9, 2026 at 2:08 PM Patrick Hunt <[email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>> On Mon, Mar 9, 2026 at 2:02 PM Enrico Olivelli <[email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> On Mon, Mar 9, 2026, 17:27 Patrick Hunt <[email protected]> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> I noticed that there are GHSA reports which don't always have CVEs
>>>>>>>>>>>>> assigned. We have the OWASP scanner scanning for CVEs as part of our
>>>>>>>>>>>>> Jenkins infra, however not GHSA. Should we add this?
>>>>>>>>>>>>>
>>>>>>>>>>>>> There's a tool "osv-scanner" which I ran locally on my machine (not
>>>>>>>>>>>>> sure if this is running right but ...), it reported the following for
>>>>>>>>>>>>> trunk....
>>>>>>>>>>>>
>>>>>>>>>>>> Is it possible to run it on Github actions, instead of Jenkins?
>>>>>>>>>>>>
>>>>>>>>>>>> In any case I am +1 to add new popular scanners, because having their
>>>>>>>>>>>> reports can help us see the problems as soon as they hit users
>>>>>>>>>>>
>>>>>>>>>>> I notice we don't have github.com native security scanning active,
>>>>>>>>>>>
>>>>>>>>>>> > Code scanning alerts • Needs setup
>>>>>>>>>>> > Automatically detect common vulnerability and coding errors
>>>>>>>>>>>
>>>>>>>>>>> perhaps that would be sufficient? Maybe we should try that first? Anyone
>>>>>>>>>>> know why we are not using it?/any reason not to just turn it on? Any
>>>>>>>>>>> reason not to turn it on?
>>>>>>>>>>
>>>>>>>>>> What's our policy - if dependabot submits a PR, is that something a
>>>>>>>>>> committer can "+1" and commit? (I assume yes?) Via the github PR process?
>>>>>>>>>> (eg merge/commit/close via the github UI)
>>>>>>>>>
>>>>>>>>> I can also try this if there are no objections and seems to align with your
>>>>>>>>> feedback @Enrico Olivelli <[email protected]>
>>>>>>>>>
>>>>>>>>> https://google.github.io/osv-scanner/github-action/
>>>>>>>>>
>>>>>>>>> OSV-Scanner is available as a CI/CD Action. We currently offer two
>>>>>>>>> different reusable workflows for Github:
>>>>>>>>>
>>>>>>>>> A workflow that triggers a scan with each pull request and will only report
>>>>>>>>> new vulnerabilities introduced through the pull request.
>>>>>>>>> A workflow that performs a full vulnerability scan, which can be configured
>>>>>>>>> to scan on pushes or a regular schedule. The full vulnerability scan can
>>>>>>>>> also be configured to run on release to prevent releasing with known
>>>>>>>>> vulnerabilities in dependencies.
>>>>>>>>>
>>>>>>>>>> Patrick
>>>>>>>>>>
>>>>>>>>>>> Patrick
>>>>>>>>>>>
>>>>>>>>>>>> Enrico
>>>>>>>>>>>>
>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Patrick
>>>>>>>>>>>>>
>>>>>>>>>>>>> ..... <clip general logs> ....
>>>>>>>>>>>>> End status: 536 dirs visited, 2308 inodes visited, 21 Extract calls,
>>>>>>>>>>>>> 3.877381125s elapsed, 3.877341s wall time
>>>>>>>>>>>>> Filtered 3 local/unscannable package/s from the scan.
>>>>>>>>>>>>> Total 5 packages affected by 10 known vulnerabilities (0 Critical, 3 High,
>>>>>>>>>>>>> 4 Medium, 3 Low, 0 Unknown) from 1 ecosystem.
>>>>>>>>>>>>> 10 vulnerabilities can be fixed.
>>>>>>>>>>>>>
>>>>>>>>>>>>> ╭─────────────────────────────────────┬──────┬───────────┬───────────────────────────────────────┬─────────┬───────────────┬──────────────────────────────────────────────────────╮
>>>>>>>>>>>>> │ OSV URL                             │ CVSS │ ECOSYSTEM │ PACKAGE                               │ VERSION │ FIXED VERSION │ SOURCE                                               │
>>>>>>>>>>>>> ├─────────────────────────────────────┼──────┼───────────┼───────────────────────────────────────┼─────────┼───────────────┼──────────────────────────────────────────────────────┤
>>>>>>>>>>>>> │ https://osv.dev/GHSA-25qh-j22f-pwp8 │ 5.9  │ Maven     │ ch.qos.logback:logback-core           │ 1.3.15  │ 1.3.16        │ zookeeper-contrib/zookeeper-contrib-fatjar/pom.xml   │
>>>>>>>>>>>>> │ https://osv.dev/GHSA-qqpg-mvqg-649v │ 1.8  │ Maven     │ ch.qos.logback:logback-core           │ 1.3.15  │ 1.5.25        │ zookeeper-contrib/zookeeper-contrib-fatjar/pom.xml   │
>>>>>>>>>>>>> │ https://osv.dev/GHSA-25qh-j22f-pwp8 │ 5.9  │ Maven     │ ch.qos.logback:logback-core           │ 1.3.15  │ 1.3.16        │ zookeeper-contrib/zookeeper-contrib-loggraph/pom.xml │
>>>>>>>>>>>>> │ https://osv.dev/GHSA-qqpg-mvqg-649v │ 1.8  │ Maven     │ ch.qos.logback:logback-core           │ 1.3.15  │ 1.5.25        │ zookeeper-contrib/zookeeper-contrib-loggraph/pom.xml │
>>>>>>>>>>>>> │ https://osv.dev/GHSA-25qh-j22f-pwp8 │ 5.9  │ Maven     │ ch.qos.logback:logback-core           │ 1.3.15  │ 1.3.16        │ zookeeper-contrib/zookeeper-contrib-rest/pom.xml     │
>>>>>>>>>>>>> │ https://osv.dev/GHSA-qqpg-mvqg-649v │ 1.8  │ Maven     │ ch.qos.logback:logback-core           │ 1.3.15  │ 1.5.25        │ zookeeper-contrib/zookeeper-contrib-rest/pom.xml     │
>>>>>>>>>>>>> │ https://osv.dev/GHSA-cfxw-4h78-h7fw │ 8.9  │ Maven     │ dnsjava:dnsjava                       │ 3.5.1   │ 3.6.0         │ zookeeper-server/pom.xml                             │
>>>>>>>>>>>>> │ https://osv.dev/GHSA-crjg-w57m-rqqf │ 7.7  │ Maven     │ dnsjava:dnsjava                       │ 3.5.1   │ 3.6.0         │ zookeeper-server/pom.xml                             │
>>>>>>>>>>>>> │ https://osv.dev/GHSA-mmwx-rj87-vfgr │ 7.1  │ Maven     │ dnsjava:dnsjava                       │ 3.5.1   │ 3.6.0         │ zookeeper-server/pom.xml                             │
>>>>>>>>>>>>> │ https://osv.dev/GHSA-4cx2-fc23-5wg6 │ 6.3  │ Maven     │ org.bouncycastle:bcpkix-jdk18on (dev) │ 1.78    │ 1.79          │ zookeeper-server/pom.xml                             │
>>>>>>>>>>>>> ╰─────────────────────────────────────┴──────┴───────────┴───────────────────────────────────────┴─────────┴───────────────┴──────────────────────────────────────────────────────╯
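A small triage helper, added here as an example (it is not from the thread or from the osv-scanner project), that reads a report in the shape of `osv-scanner --format json` output (the results/packages/groups layout with `max_severity` is an assumption about that format), recounts the per-rating totals the way the scanner's summary line does, shows that the same GHSA repeated across the three contrib poms collapses to fewer distinct advisories, and decides whether a CI gate at a chosen rating should fail:

```python
import json

# Constructed sample in the shape of `osv-scanner --format json` output (results -> packages
# -> groups with max_severity); the advisories, versions and scores are the ones in the thread.
LOGBACK = [("GHSA-25qh-j22f-pwp8", "5.9"), ("GHSA-qqpg-mvqg-649v", "1.8")]

def _entry(path, *packages):
    return {"source": {"path": path}, "packages": [
        {"package": {"name": n, "version": v}, "groups": [{"ids": [i], "max_severity": s} for i, s in g]}
        for n, v, g in packages]}

SAMPLE_REPORT = json.dumps({"results": [
    *[_entry(f"zookeeper-contrib/zookeeper-contrib-{m}/pom.xml", ("ch.qos.logback:logback-core", "1.3.15", LOGBACK))
      for m in ("fatjar", "loggraph", "rest")],
    _entry("zookeeper-server/pom.xml",
           ("dnsjava:dnsjava", "3.5.1", [("GHSA-cfxw-4h78-h7fw", "8.9"), ("GHSA-crjg-w57m-rqqf", "7.7"), ("GHSA-mmwx-rj87-vfgr", "7.1")]),
           ("org.bouncycastle:bcpkix-jdk18on", "1.78", [("GHSA-4cx2-fc23-5wg6", "6.3")]))]})

RATINGS = ["Critical", "High", "Medium", "Low", "Unknown"]

def rating(score):
    """CVSS v3 qualitative bands: Critical 9.0-10.0, High 7.0-8.9, Medium 4.0-6.9, Low 0.1-3.9."""
    if score >= 9.0: return "Critical"
    if score >= 7.0: return "High"
    if score >= 4.0: return "Medium"
    return "Low" if score > 0.0 else "Unknown"

def findings(report_json):
    """Flatten the report into (advisory id, package, version, source path, score) rows."""
    rows = []
    for result in json.loads(report_json)["results"]:
        path = result["source"]["path"]
        for pkg in result["packages"]:
            name, version = pkg["package"]["name"], pkg["package"]["version"]
            for group in pkg["groups"]:
                score = float(group.get("max_severity") or 0.0)  # no severity -> Unknown
                for vuln_id in group["ids"]:
                    rows.append((vuln_id, name, version, path, score))
    return rows

def summarize(report_json, fail_at="High"):
    """Count rows per rating (one per advisory per source file, as osv-scanner's table does),
    list the distinct advisory/package pairs behind them, and decide a gate at `fail_at` or worse."""
    rows = findings(report_json)
    counts = {r: 0 for r in RATINGS}
    for row in rows:
        counts[rating(row[4])] += 1
    distinct = sorted({(vid, name, version) for vid, name, version, _, _ in rows})
    gate_failed = any(RATINGS.index(rating(row[4])) <= RATINGS.index(fail_at) for row in rows)
    return {"rows": len(rows), "counts": counts, "distinct": distinct, "gate_failed": gate_failed}
```

On the sample this reproduces the thread's "10 known vulnerabilities (0 Critical, 3 High, 4 Medium, 3 Low)" while showing only 6 distinct advisory/package pairs actually need a version bump.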
