Thanks Pat for driving this effort. I would go with Patrick’s suggestion unless folks in the community are committed to monitor automatically created pull requests and action them appropriately. I have some doubts regarding that and don’t want to see dozens of open pull requests in my notification list, so I kindly suggest going with the alerts first and see how it goes.
What kind of alerts are these? E-mail?

Andor

> On Mar 23, 2026, at 16:11, Christopher <[email protected]> wrote:
>
> I think the automatic PRs are fine, personally, but I'm having trouble
> understanding how these .asf.yaml settings map to the specific
> corresponding GitHub settings to know which options are best. I think
> turning them both on is fine, and they can be tweaked later, if they
> become a problem that needs to be scaled back.
>
> On Mon, Mar 23, 2026 at 3:09 PM Patrick Hunt <[email protected]> wrote:
>>
>> According to the infra team we need to set the following in our .asf.yaml:
>> https://github.com/apache/zookeeper/blob/master/.asf.yaml
>>
>> https://github.com/apache/infrastructure-asfyaml/blob/main/README.md#depend_alerts
>>
>> github:
>>   dependabot_alerts: true
>>   dependabot_updates: false
>>
>> I can submit a PR for this, assuming everyone here is good with this change?
>>
>> We want alerts but not the automatic security update pull requests is my
>> guess? (iow as doc'd here - alert true, update false)
>>
>> LMK if there are any concerns, regards,
>>
>> Patrick
>>
>> On Sat, Mar 21, 2026 at 10:32 AM Enrico Olivelli <[email protected]> wrote:
>>>
>>> On Fri 13 Mar 2026, 20:12 Patrick Hunt <[email protected]> wrote:
>>>
>>>> I see that we have scanning running in general: (says ran a few hours ago)
>>>> https://github.com/apache/zookeeper/security/dependabot
>>>>
>>>> What I don't see is a PR workflow, here for hbase:
>>>> https://github.com/apache/hbase/actions/workflows/dependabot/dependabot-updates
>>>> which I don't seem to be able to add for ZK.
>>>>
>>>> I also see this:
>>>> https://cwiki.apache.org/confluence/display/INFRA/Git+-+.asf.yaml+features#Git.asf.yamlfeatures-DependabotAlertsandUpdates
>>>> but hbase doesn't have it specified...
>>>> https://github.com/apache/hbase/blob/master/.asf.yaml
>>>>
>>>> I searched around quite a bit on infra JIRA and mail archives... but I
>>>> don't see any breadcrumbs. Weird. I guess I could ask on infra ML?
>>>>
>>> Yes please
>>>
>>> Enrico
>>>
>>>> Patrick
>>>>
>>>> On Thu, Mar 12, 2026 at 12:44 AM Dávid Paksy <[email protected]> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> I think it is a great idea to use Dependabot and code scanning in GitHub.
>>>>> In the HBase project we already have Dependabot enabled and it helps a lot
>>>>> with identifying issues and opening PR-s to fix them.
>>>>> Maybe we can ask in the ASF Infra Slack channel or open an INFRA Jira
>>>>> ticket.
>>>>>
>>>>> Best Regards,
>>>>> Dávid
>>>>>
>>>>> Patrick Hunt <[email protected]> wrote (on Wed, 11 Mar 2026, 19:30):
>>>>>
>>>>>> On Tue, Mar 10, 2026 at 5:53 PM Christopher <[email protected]> wrote:
>>>>>>
>>>>>>> You're looking at the GitHub Actions that can be added to a project.
>>>>>>> I'm not even sure if INFRA would allow any of those to run. They
>>>>>>> probably have an allow-list of GitHub Actions that can run on our
>>>>>>> repos.
>>>>>>>
>>>>>>> What I'm referring to would be in the repo settings:
>>>>>>> https://github.com/apache/zookeeper/settings/security_analysis
>>>>>>> But, I don't have access to those settings for this repo (or any ASF
>>>>>>> repo; only INFRA has access).
>>>>>>>
>>>>>>> There may be a .asf.yaml option to enable the automated dependabot PRs.
>>>>>>>
>>>>>> Hm. How would I find out more about this?
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>> Patrick
>>>>>>
>>>>>>> On Tue, Mar 10, 2026 at 4:38 PM Patrick Hunt <[email protected]> wrote:
>>>>>>>>
>>>>>>>> On Tue, Mar 10, 2026 at 12:28 PM Christopher <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> I think it's probably sufficient to just enable the GitHub code
>>>>>>>>> scanning and dependabot PRs. That's what other projects do. It's
>>>>>>>>> pretty easy to review and merge right from the interface, and it
>>>>>>>>> helps stay on top of these.
>>>>>>>>>
>>>>>>>> Sounds reasonable. Which code scanner do they use? When I attempt to
>>>>>>>> turn code scanning on it gives me a list of options.
>>>>>>>>
>>>>>>>> I also noticed that osv-scanner is an option:
>>>>>>>> https://github.com/apache/zookeeper/actions/new?category=security&query=osv
>>>>>>>>
>>>>>>>> Patrick
>>>>>>>>
>>>>>>>>> On Tue, Mar 10, 2026 at 3:08 PM Patrick Hunt <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>> On Tue, Mar 10, 2026 at 10:18 AM Patrick Hunt <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> On Mon, Mar 9, 2026 at 2:08 PM Patrick Hunt <[email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> On Mon, Mar 9, 2026 at 2:02 PM Enrico Olivelli <[email protected]> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> On Mon 9 Mar 2026, 17:27 Patrick Hunt <[email protected]> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> I noticed that there are GHSA reports which don't always have CVEs
>>>>>>>>>>>>>> assigned. We have the OWASP scanner scanning for CVEs as part of our
>>>>>>>>>>>>>> Jenkins infra, however not GHSA. Should we add this?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> There's a tool "osv-scanner" which I ran locally on my machine (not
>>>>>>>>>>>>>> sure if this is running right but ...), it reported the following for
>>>>>>>>>>>>>> trunk....
>>>>>>>>>>>>>>
>>>>>>>>>>>>> Is it possible to run it on Github actions, instead of Jenkins?
>>>>>>>>>>>>>
>>>>>>>>>>>>> In any case I am +1 to add new popular scanners, because having their
>>>>>>>>>>>>> reports can help us see the problems as soon as they hit users
>>>>>>>>>>>>>
>>>>>>>>>>>> I notice we don't have github.com native security scanning active,
>>>>>>>>>>>>
>>>>>>>>>>>>> Code scanning alerts • Needs setup
>>>>>>>>>>>>> Automatically detect common vulnerability and coding errors
>>>>>>>>>>>>
>>>>>>>>>>>> perhaps that would be sufficient? Maybe we should try that first? Anyone
>>>>>>>>>>>> know why we are not using it?/any reason not to just turn it on? Any
>>>>>>>>>>>> reason not to turn it on?
>>>>>>>>>>>>
>>>>>>>>>>> What's our policy - if dependabot submits a PR, is that something a
>>>>>>>>>>> committer can "+1" and commit? (I assume yes?) Via the github PR process?
>>>>>>>>>>> (eg merge/commit/close via the github UI)
>>>>>>>>>>>
>>>>>>>>>> I can also try this if there are no objections and seems to align with
>>>>>>>>>> your feedback @Enrico Olivelli <[email protected]>
>>>>>>>>>>
>>>>>>>>>> https://google.github.io/osv-scanner/github-action/
>>>>>>>>>>
>>>>>>>>>> OSV-Scanner is available as a CI/CD Action. We currently offer two
>>>>>>>>>> different reusable workflows for Github:
>>>>>>>>>>
>>>>>>>>>> A workflow that triggers a scan with each pull request and will only
>>>>>>>>>> report new vulnerabilities introduced through the pull request.
>>>>>>>>>> A workflow that performs a full vulnerability scan, which can be configured
>>>>>>>>>> to scan on pushes or a regular schedule. The full vulnerability scan can
>>>>>>>>>> also be configured to run on release to prevent releasing with known
>>>>>>>>>> vulnerabilities in dependencies.
>>>>>>>>>>
>>>>>>>>>>> Patrick
>>>>>>>>>>>
>>>>>>>>>>>> Patrick
>>>>>>>>>>>>
>>>>>>>>>>>>> Enrico
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Patrick
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ..... <clip general logs> ....
>>>>>>>>>>>>>> End status: 536 dirs visited, 2308 inodes visited, 21 Extract calls,
>>>>>>>>>>>>>> 3.877381125s elapsed, 3.877341s wall time
>>>>>>>>>>>>>> Filtered 3 local/unscannable package/s from the scan.
>>>>>>>>>>>>>> Total 5 packages affected by 10 known vulnerabilities (0 Critical, 3 High,
>>>>>>>>>>>>>> 4 Medium, 3 Low, 0 Unknown) from 1 ecosystem.
>>>>>>>>>>>>>> 10 vulnerabilities can be fixed.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ╭─────────────────────────────────────┬──────┬───────────┬───────────────────────────────────────┬─────────┬───────────────┬──────────────────────────────────────────────────────╮
>>>>>>>>>>>>>> │ OSV URL                             │ CVSS │ ECOSYSTEM │ PACKAGE                               │ VERSION │ FIXED VERSION │ SOURCE                                               │
>>>>>>>>>>>>>> ├─────────────────────────────────────┼──────┼───────────┼───────────────────────────────────────┼─────────┼───────────────┼──────────────────────────────────────────────────────┤
>>>>>>>>>>>>>> │ https://osv.dev/GHSA-25qh-j22f-pwp8 │ 5.9  │ Maven     │ ch.qos.logback:logback-core           │ 1.3.15  │ 1.3.16        │ zookeeper-contrib/zookeeper-contrib-fatjar/pom.xml   │
>>>>>>>>>>>>>> │ https://osv.dev/GHSA-qqpg-mvqg-649v │ 1.8  │ Maven     │ ch.qos.logback:logback-core           │ 1.3.15  │ 1.5.25        │ zookeeper-contrib/zookeeper-contrib-fatjar/pom.xml   │
>>>>>>>>>>>>>> │ https://osv.dev/GHSA-25qh-j22f-pwp8 │ 5.9  │ Maven     │ ch.qos.logback:logback-core           │ 1.3.15  │ 1.3.16        │ zookeeper-contrib/zookeeper-contrib-loggraph/pom.xml │
>>>>>>>>>>>>>> │ https://osv.dev/GHSA-qqpg-mvqg-649v │ 1.8  │ Maven     │ ch.qos.logback:logback-core           │ 1.3.15  │ 1.5.25        │ zookeeper-contrib/zookeeper-contrib-loggraph/pom.xml │
>>>>>>>>>>>>>> │ https://osv.dev/GHSA-25qh-j22f-pwp8 │ 5.9  │ Maven     │ ch.qos.logback:logback-core           │ 1.3.15  │ 1.3.16        │ zookeeper-contrib/zookeeper-contrib-rest/pom.xml     │
>>>>>>>>>>>>>> │ https://osv.dev/GHSA-qqpg-mvqg-649v │ 1.8  │ Maven     │ ch.qos.logback:logback-core           │ 1.3.15  │ 1.5.25        │ zookeeper-contrib/zookeeper-contrib-rest/pom.xml     │
>>>>>>>>>>>>>> │ https://osv.dev/GHSA-cfxw-4h78-h7fw │ 8.9  │ Maven     │ dnsjava:dnsjava                       │ 3.5.1   │ 3.6.0         │ zookeeper-server/pom.xml                             │
>>>>>>>>>>>>>> │ https://osv.dev/GHSA-crjg-w57m-rqqf │ 7.7  │ Maven     │ dnsjava:dnsjava                       │ 3.5.1   │ 3.6.0         │ zookeeper-server/pom.xml                             │
>>>>>>>>>>>>>> │ https://osv.dev/GHSA-mmwx-rj87-vfgr │ 7.1  │ Maven     │ dnsjava:dnsjava                       │ 3.5.1   │ 3.6.0         │ zookeeper-server/pom.xml                             │
>>>>>>>>>>>>>> │ https://osv.dev/GHSA-4cx2-fc23-5wg6 │ 6.3  │ Maven     │ org.bouncycastle:bcpkix-jdk18on (dev) │ 1.78    │ 1.79          │ zookeeper-server/pom.xml                             │
>>>>>>>>>>>>>> ╰─────────────────────────────────────┴──────┴───────────┴───────────────────────────────────────┴─────────┴───────────────┴──────────────────────────────────────────────────────╯
>>>>>>>>>>>>>>
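The thread discusses running osv-scanner in CI and deciding what to do with its findings (alerts only, or automatic PRs). As an added example, not part of the thread and not code from the ZooKeeper or osv-scanner projects, the script below turns a JSON scan report into the per-package summary seen in the quoted table and exits non-zero only for findings that are both at or above a CVSS threshold and have a fixed version, so a PR check fails on actionable, high-severity results rather than on every advisory. The JSON layout it reads (`results` -> `packages` -> `package` / `vulnerabilities` / `groups`, with fixed versions taken from the OSV `affected[].ranges[].events[].fixed` entries and scores from each group's `max_severity`) is an assumption to verify against real `osv-scanner --format json` output before relying on it; the embedded sample report is constructed from the findings quoted above and is not scanner output.

```python
"""CI gate over an osv-scanner JSON report (added example; JSON layout is assumed)."""
import json
from dataclasses import dataclass
from typing import Optional


def _sample_vuln(vuln_id: str, name: str, fixed: str) -> dict:
    """Build one OSV record in the assumed layout (constructed sample data only)."""
    return {"id": vuln_id,
            "affected": [{"package": {"ecosystem": "Maven", "name": name},
                          "ranges": [{"type": "ECOSYSTEM",
                                      "events": [{"introduced": "0"}, {"fixed": fixed}]}]}]}


# Constructed sample report, built from the findings quoted in the thread.
SAMPLE_REPORT = json.dumps({"results": [
    {"source": {"path": "zookeeper-server/pom.xml"},
     "packages": [
         {"package": {"name": "dnsjava:dnsjava", "version": "3.5.1", "ecosystem": "Maven"},
          "vulnerabilities": [_sample_vuln("GHSA-cfxw-4h78-h7fw", "dnsjava:dnsjava", "3.6.0")],
          "groups": [{"ids": ["GHSA-cfxw-4h78-h7fw"], "max_severity": "8.9"}]},
         {"package": {"name": "org.bouncycastle:bcpkix-jdk18on", "version": "1.78", "ecosystem": "Maven"},
          "vulnerabilities": [_sample_vuln("GHSA-4cx2-fc23-5wg6", "org.bouncycastle:bcpkix-jdk18on", "1.79")],
          "groups": [{"ids": ["GHSA-4cx2-fc23-5wg6"], "max_severity": "6.3"}]}]},
    {"source": {"path": "zookeeper-contrib/zookeeper-contrib-rest/pom.xml"},
     "packages": [
         {"package": {"name": "ch.qos.logback:logback-core", "version": "1.3.15", "ecosystem": "Maven"},
          "vulnerabilities": [_sample_vuln("GHSA-25qh-j22f-pwp8", "ch.qos.logback:logback-core", "1.3.16"),
                              _sample_vuln("GHSA-qqpg-mvqg-649v", "ch.qos.logback:logback-core", "1.5.25")],
          "groups": [{"ids": ["GHSA-25qh-j22f-pwp8"], "max_severity": "5.9"},
                     {"ids": ["GHSA-qqpg-mvqg-649v"], "max_severity": "1.8"}]}]}]})


@dataclass(frozen=True)
class Finding:
    source: str
    package: str
    version: str
    vuln_id: str
    severity: Optional[float]      # CVSS score from the vulnerability group, if present
    fixed_version: Optional[str]   # first "fixed" event listed for this package, if any


def _fixed_version(vuln: dict, ecosystem: str, name: str) -> Optional[str]:
    """Pick the fixed version from the OSV 'affected' ranges that match this package."""
    for affected in vuln.get("affected", []):
        pkg = affected.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        for rng in affected.get("ranges", []):
            for event in rng.get("events", []):
                if "fixed" in event:
                    # First listed fix; a production gate should compare with a Maven-aware version parser.
                    return event["fixed"]
    return None


def parse_findings(report_json: str) -> list:
    """Flatten the assumed report layout into one Finding per (package, advisory)."""
    report = json.loads(report_json)
    out = []
    for result in report.get("results", []):
        source = result.get("source", {}).get("path", "?")
        for entry in result.get("packages", []):
            pkg = entry["package"]
            # Groups collapse aliased advisories; map each id to the group's max_severity.
            severity = {}
            for group in entry.get("groups", []):
                sev = group.get("max_severity")
                for vid in group.get("ids", []):
                    severity[vid] = float(sev) if sev else None
            for vuln in entry.get("vulnerabilities", []):
                out.append(Finding(source, pkg["name"], pkg["version"], vuln["id"],
                                   severity.get(vuln["id"]),
                                   _fixed_version(vuln, pkg["ecosystem"], pkg["name"])))
    return out


def blocking_findings(report_json: str, min_severity: float = 7.0) -> list:
    """Findings that should fail the job: a fix exists AND severity is at/above the threshold.
    Unscored advisories are kept (unknown severity), because dropping them silently hides risk."""
    return [f for f in parse_findings(report_json)
            if f.fixed_version is not None and (f.severity is None or f.severity >= min_severity)]


def summarize(report_json: str) -> str:
    """One line per finding, highest severity first, in the spirit of the scanner's table."""
    rows = sorted(parse_findings(report_json), key=lambda f: -(f.severity or 0.0))
    return "\n".join(
        f"{(f.severity if f.severity is not None else 'n/a'):>4} {f.vuln_id} "
        f"{f.package}@{f.version} -> {f.fixed_version or 'no fix'} ({f.source})"
        for f in rows)


if __name__ == "__main__":
    import sys
    # Pipe real scanner output in (osv-scanner ... --format json | python gate.py); otherwise use the sample.
    data = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    print(summarize(data))
    blocking = blocking_findings(data)
    print(f"\n{len(blocking)} fixable finding(s) at or above the severity threshold")
    sys.exit(1 if blocking else 0)
```

With the default threshold of 7.0 only the dnsjava advisory blocks; lowering it to 5.0 also pulls in the bcpkix and the 5.9 logback finding, which matches the "3 High, 4 Medium" split in the quoted summary line. Whether such a gate should fail a PR at all is exactly the policy question the thread raises; run it in report-only mode first (ignore the exit code) if the project prefers alerts over enforced checks.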
