I think they are ones here, likely also highlighted in the periodic security report that github sends. Hard to say though - the info coming out of infra team - I'm not super clear. We might need to experiment a bit....

https://github.com/apache/zookeeper/security/dependabot

Patrick

On Tue, Mar 24, 2026 at 8:43 AM Andor Molnár <[email protected]> wrote:

> Thanks Pat for driving this effort.
>
> I would go with Patrick’s suggestion unless folks in the community are committed to monitoring automatically created pull requests and actioning them appropriately. I have some doubts regarding that and don’t want to see dozens of open pull requests in my notification list, so I kindly suggest going with the alerts first and seeing how it goes.
>
> What kind of alerts are these? E-mail?
>
> Andor
>
> > On Mar 23, 2026, at 16:11, Christopher <[email protected]> wrote:
> >
> > I think the automatic PRs are fine, personally, but I'm having trouble understanding how these .asf.yaml settings map to the specific corresponding GitHub settings to know which options are best. I think turning them both on is fine, and they can be tweaked later if they become a problem that needs to be scaled back.
> >
> > On Mon, Mar 23, 2026 at 3:09 PM Patrick Hunt <[email protected]> wrote:
> >>
> >> According to the infra team we need to set the following in our .asf.yaml:
> >> https://github.com/apache/zookeeper/blob/master/.asf.yaml
> >>
> >> https://github.com/apache/infrastructure-asfyaml/blob/main/README.md#depend_alerts
> >>
> >> github:
> >>   dependabot_alerts: true
> >>   dependabot_updates: false
> >>
> >> I can submit a PR for this, assuming everyone here is good with this change?
> >>
> >> We want alerts but not the automatic security update pull requests is my guess? (iow as doc'd here - alert true, update false)
> >>
> >> LMK if there are any concerns, regards,
> >>
> >> Patrick
> >>
> >> On Sat, Mar 21, 2026 at 10:32 AM Enrico Olivelli <[email protected]> wrote:
> >>
> >>> On Fri 13 Mar 2026, 20:12 Patrick Hunt <[email protected]> wrote:
> >>>
> >>>> I see that we have scanning running in general: (says ran a few hours ago)
> >>>> https://github.com/apache/zookeeper/security/dependabot
> >>>>
> >>>> What I don't see is a PR workflow, here for hbase:
> >>>> https://github.com/apache/hbase/actions/workflows/dependabot/dependabot-updates
> >>>> which I don't seem to be able to add for ZK.
> >>>>
> >>>> I also see this:
> >>>> https://cwiki.apache.org/confluence/display/INFRA/Git+-+.asf.yaml+features#Git.asf.yamlfeatures-DependabotAlertsandUpdates
> >>>> but hbase doesn't have it specified...
> >>>> https://github.com/apache/hbase/blob/master/.asf.yaml
> >>>>
> >>>> I searched around quite a bit on infra JIRA and mail archives... but I don't see any breadcrumbs. Weird. I guess I could ask on infra ML?
> >>>>
> >>> Yes please
> >>>
> >>> Enrico
> >>>
> >>>> Patrick
> >>>>
> >>>> On Thu, Mar 12, 2026 at 12:44 AM Dávid Paksy <[email protected]> wrote:
> >>>>
> >>>>> Hi All,
> >>>>>
> >>>>> I think it is a great idea to use Dependabot and code scanning in GitHub. In the HBase project we already have Dependabot enabled and it helps a lot with identifying issues and opening PRs to fix them. Maybe we can ask in the ASF Infra Slack channel or open an INFRA Jira ticket.
> >>>>>
> >>>>> Best Regards,
> >>>>> Dávid
> >>>>>
> >>>>> Patrick Hunt <[email protected]> wrote (on 2026 Mar 11, Wed, 19:30):
> >>>>>
> >>>>>> On Tue, Mar 10, 2026 at 5:53 PM Christopher <[email protected]> wrote:
> >>>>>>
> >>>>>>> You're looking at the GitHub Actions that can be added to a project. I'm not even sure if INFRA would allow any of those to run. They probably have an allow-list of GitHub Actions that can run on our repos.
> >>>>>>>
> >>>>>>> What I'm referring to would be in the repo settings:
> >>>>>>> https://github.com/apache/zookeeper/settings/security_analysis
> >>>>>>> But, I don't have access to those settings for this repo (or any ASF repo; only INFRA has access).
> >>>>>>>
> >>>>>>> There may be a .asf.yaml option to enable the automated dependabot PRs.
> >>>>>>>
> >>>>>> Hm. How would I find out more about this?
> >>>>>>
> >>>>>> Thanks!
> >>>>>>
> >>>>>> Patrick
> >>>>>>
> >>>>>>> On Tue, Mar 10, 2026 at 4:38 PM Patrick Hunt <[email protected]> wrote:
> >>>>>>>>
> >>>>>>>> On Tue, Mar 10, 2026 at 12:28 PM Christopher <[email protected]> wrote:
> >>>>>>>>
> >>>>>>>>> I think it's probably sufficient to just enable the GitHub code scanning and dependabot PRs. That's what other projects do. It's pretty easy to review and merge right from the interface, and it helps stay on top of these.
> >>>>>>>>>
> >>>>>>>> Sounds reasonable. Which code scanner do they use? When I attempt to turn code scanning on it gives me a list of options.
> >>>>>>>>
> >>>>>>>> I also noticed that osv-scanner is an option:
> >>>>>>>> https://github.com/apache/zookeeper/actions/new?category=security&query=osv
> >>>>>>>>
> >>>>>>>> Patrick
> >>>>>>>>
> >>>>>>>>> On Tue, Mar 10, 2026 at 3:08 PM Patrick Hunt <[email protected]> wrote:
> >>>>>>>>>>
> >>>>>>>>>> On Tue, Mar 10, 2026 at 10:18 AM Patrick Hunt <[email protected]> wrote:
> >>>>>>>>>>
> >>>>>>>>>>> On Mon, Mar 9, 2026 at 2:08 PM Patrick Hunt <[email protected]> wrote:
> >>>>>>>>>>>
> >>>>>>>>>>>> On Mon, Mar 9, 2026 at 2:02 PM Enrico Olivelli <[email protected]> wrote:
> >>>>>>>>>>>>
> >>>>>>>>>>>>> On Mon 9 Mar 2026, 17:27 Patrick Hunt <[email protected]> wrote:
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>> I noticed that there are GHSA reports which don't always have CVEs assigned. We have the OWASP scanner scanning for CVEs as part of our Jenkins infra, however not GHSA. Should we add this?
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> There's a tool "osv-scanner" which I ran locally on my machine (not sure if this is running right but ...), it reported the following for trunk....
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>> Is it possible to run it on Github actions, instead of Jenkins?
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> In any case I am +1 to add new popular scanners, because having their reports can help us see the problems as soon as they hit users
> >>>>>>>>>>>>>
> >>>>>>>>>>>> I notice we don't have github.com native security scanning active,
> >>>>>>>>>>>>
> >>>>>>>>>>>>> Code scanning alerts • Needs setup
> >>>>>>>>>>>>> Automatically detect common vulnerability and coding errors
> >>>>>>>>>>>>
> >>>>>>>>>>>> perhaps that would be sufficient? Maybe we should try that first? Anyone know why we are not using it?/any reason not to just turn it on? Any reason not to turn it on?
> >>>>>>>>>>>>
> >>>>>>>>>>> What's our policy - if dependabot submits a PR, is that something a committer can "+1" and commit? (I assume yes?) Via the github PR process? (eg merge/commit/close via the github UI)
> >>>>>>>>>>>
> >>>>>>>>>> I can also try this if there are no objections and it seems to align with your feedback @Enrico Olivelli <[email protected]>
> >>>>>>>>>>
> >>>>>>>>>> https://google.github.io/osv-scanner/github-action/
> >>>>>>>>>>
> >>>>>>>>>> OSV-Scanner is available as a CI/CD Action. We currently offer two different reusable workflows for Github:
> >>>>>>>>>>
> >>>>>>>>>> A workflow that triggers a scan with each pull request and will only report new vulnerabilities introduced through the pull request.
> >>>>>>>>>> A workflow that performs a full vulnerability scan, which can be configured to scan on pushes or a regular schedule. The full vulnerability scan can also be configured to run on release to prevent releasing with known vulnerabilities in dependencies.
> >>>>>>>>>>
> >>>>>>>>>>> Patrick
> >>>>>>>>>>>
> >>>>>>>>>>>> Patrick
> >>>>>>>>>>>>
> >>>>>>>>>>>>> Enrico
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>> Regards,
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Patrick
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> ..... <clip general logs> ....
> >>>>>>>>>>>>>> End status: 536 dirs visited, 2308 inodes visited, 21 Extract calls, 3.877381125s elapsed, 3.877341s wall time
> >>>>>>>>>>>>>> Filtered 3 local/unscannable package/s from the scan.
> >>>>>>>>>>>>>> Total 5 packages affected by 10 known vulnerabilities (0 Critical, 3 High, 4 Medium, 3 Low, 0 Unknown) from 1 ecosystem.
> >>>>>>>>>>>>>> 10 vulnerabilities can be fixed.
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> OSV URL                             | CVSS | ECOSYSTEM | PACKAGE                               | VERSION | FIXED VERSION | SOURCE
> >>>>>>>>>>>>>> ------------------------------------|------|-----------|---------------------------------------|---------|---------------|---------------------------------------------------
> >>>>>>>>>>>>>> https://osv.dev/GHSA-25qh-j22f-pwp8 | 5.9  | Maven     | ch.qos.logback:logback-core           | 1.3.15  | 1.3.16        | zookeeper-contrib/zookeeper-contrib-fatjar/pom.xml
> >>>>>>>>>>>>>> https://osv.dev/GHSA-qqpg-mvqg-649v | 1.8  | Maven     | ch.qos.logback:logback-core           | 1.3.15  | 1.5.25        | zookeeper-contrib/zookeeper-contrib-fatjar/pom.xml
> >>>>>>>>>>>>>> https://osv.dev/GHSA-25qh-j22f-pwp8 | 5.9  | Maven     | ch.qos.logback:logback-core           | 1.3.15  | 1.3.16        | zookeeper-contrib/zookeeper-contrib-loggraph/pom.xml
> >>>>>>>>>>>>>> https://osv.dev/GHSA-qqpg-mvqg-649v | 1.8  | Maven     | ch.qos.logback:logback-core           | 1.3.15  | 1.5.25        | zookeeper-contrib/zookeeper-contrib-loggraph/pom.xml
> >>>>>>>>>>>>>> https://osv.dev/GHSA-25qh-j22f-pwp8 | 5.9  | Maven     | ch.qos.logback:logback-core           | 1.3.15  | 1.3.16        | zookeeper-contrib/zookeeper-contrib-rest/pom.xml
> >>>>>>>>>>>>>> https://osv.dev/GHSA-qqpg-mvqg-649v | 1.8  | Maven     | ch.qos.logback:logback-core           | 1.3.15  | 1.5.25        | zookeeper-contrib/zookeeper-contrib-rest/pom.xml
> >>>>>>>>>>>>>> https://osv.dev/GHSA-cfxw-4h78-h7fw | 8.9  | Maven     | dnsjava:dnsjava                       | 3.5.1   | 3.6.0         | zookeeper-server/pom.xml
> >>>>>>>>>>>>>> https://osv.dev/GHSA-crjg-w57m-rqqf | 7.7  | Maven     | dnsjava:dnsjava                       | 3.5.1   | 3.6.0         | zookeeper-server/pom.xml
> >>>>>>>>>>>>>> https://osv.dev/GHSA-mmwx-rj87-vfgr | 7.1  | Maven     | dnsjava:dnsjava                       | 3.5.1   | 3.6.0         | zookeeper-server/pom.xml
> >>>>>>>>>>>>>> https://osv.dev/GHSA-4cx2-fc23-5wg6 | 6.3  | Maven     | org.bouncycastle:bcpkix-jdk18on (dev) | 1.78    | 1.79          | zookeeper-server/pom.xml
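The osv-scanner reusable full-scan workflow quoted in the thread can be configured to block a release on known vulnerabilities in dependencies. The gate below is an added example, not code from the thread, from ZooKeeper or from osv-scanner: it summarises an `osv-scanner --format json` report into the same Critical/High/Medium/Low counts the scanner prints and decides whether a release should be blocked. The `results -> packages -> vulnerabilities / groups` layout is an assumption about the report format, and the sample report is constructed from three findings quoted above.

```python
# Added example (not from the thread or from osv-scanner): summarise the JSON
# report of `osv-scanner --format json` into the Critical/High/Medium/Low counts
# the scanner prints, and gate a release on them. The results -> packages ->
# vulnerabilities/groups layout is assumed; the sample is constructed, not captured.
import json

LEVELS = ("Low", "Medium", "High", "Critical")

def _finding(path, name, version, vid, fixed, score):
    """One osv-scanner-style result entry for the constructed sample report."""
    return {"source": {"path": path}, "packages": [{
        "package": {"name": name, "version": version, "ecosystem": "Maven"},
        "vulnerabilities": [{"id": vid, "affected": [{"ranges": [{"events": [
            {"introduced": "0"}, {"fixed": fixed}]}]}]}],
        "groups": [{"ids": [vid], "max_severity": score}]}]}

# Constructed sample modelled on three of the findings quoted in the thread.
SAMPLE = json.dumps({"results": [
    _finding("zookeeper-server/pom.xml", "dnsjava:dnsjava", "3.5.1",
             "GHSA-cfxw-4h78-h7fw", "3.6.0", "8.9"),
    _finding("zookeeper-server/pom.xml", "org.bouncycastle:bcpkix-jdk18on",
             "1.78", "GHSA-4cx2-fc23-5wg6", "1.79", "6.3"),
    _finding("zookeeper-contrib/zookeeper-contrib-rest/pom.xml",
             "ch.qos.logback:logback-core", "1.3.15", "GHSA-qqpg-mvqg-649v", "1.5.25", "1.8")]})

def bucket(score):
    """CVSS v3 rating: 0.1-3.9 Low, 4.0-6.9 Medium, 7.0-8.9 High, 9.0+ Critical."""
    return "Unknown" if score <= 0 else LEVELS[sum(score >= t for t in (4.0, 7.0, 9.0))]

def summarise(report_json):
    """Return ({rating: count}, [findings]); a finding carries the fix version from the OSV record's affected ranges."""
    counts = {lvl: 0 for lvl in LEVELS + ("Unknown",)}
    findings = []
    for result in json.loads(report_json)["results"]:
        for pkg in result["packages"]:
            fixes = {v["id"]: ev["fixed"] for v in pkg["vulnerabilities"]
                     for aff in v.get("affected", []) for rng in aff.get("ranges", [])
                     for ev in rng.get("events", []) if "fixed" in ev}
            for grp in pkg["groups"]:  # one group per distinct advisory, aliases merged
                score = float(grp.get("max_severity") or 0)
                counts[bucket(score)] += 1
                findings.append({"id": grp["ids"][0], "package": pkg["package"]["name"],
                                 "version": pkg["package"]["version"], "score": score,
                                 "fixed": fixes.get(grp["ids"][0]), "source": result["source"]["path"]})
    return counts, findings

def release_gate(report_json, fail_at="High"):
    """True when the release should be blocked: any finding rated fail_at or worse."""
    counts, _ = summarise(report_json)
    return any(counts[lvl] for lvl in LEVELS[LEVELS.index(fail_at):])
```

Run against the real report (`osv-scanner --format json -r . > osv.json`), the same functions give the counts and the fixable-version list for each flagged pom.xml.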
