[
https://issues.apache.org/jira/browse/SOLR-17571?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17900191#comment-17900191
]
Christos Malliaridis commented on SOLR-17571:
---------------------------------------------
You are correct, dependabot as a bot is not directly related to OWASP or the
security stuff.
According to SOLR-11207 it seems that the OWASP dependency checker was introduced
for checking for security vulnerabilities based on CVEs. Not sure if this is
the only task we use it for, but if so, GitHub provides a
[dependency submission action|https://github.com/marketplace/actions/build-with-gradle#the-dependency-submission-action]
that does exactly that, just on GitHub. This action, in combination with the
"[Dependency Graph|https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph]"
and "[Dependabot security updates|https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates]"
features, allows dependabot to create PRs with dependency updates. These PRs
can be distinguished explicitly (different title, other labels) from the normal
dependency update PRs our solrbot was creating before.
Additionally, we would populate our
[dependency graph in GitHub|https://github.com/apache/solr/network/dependencies]
with our actual dependencies by following this path. The vulnerabilities will be
reported in the dependency graph and in the
[security tab under Dependabot|https://github.com/apache/solr/security/dependabot].
Security PRs would automatically be created and linked with the vulnerabilities
found, allowing us to track the progress of such important matters more easily.
The only thing I have not yet checked is the combination with Jira issues (if
such exist, how could they be linked?).
Note that one of the requirements back in the day was support for Ant builds,
which is no longer applicable.
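The setup described in the comment above, as an added example that is not part of the Jira thread or the Solr repository: a GitHub Actions workflow that runs the Gradle dependency submission action to populate the dependency graph, next to a dependabot.yml that schedules the regular (non-security) Gradle update PRs. File paths, the branch name, the Java version, the action version tags and the labels are assumptions, not taken from the Solr project.

```yaml
# .github/workflows/dependency-submission.yml  (assumed path)
# Uploads the resolved Gradle dependency graph on every push to the default
# branch, so that the Dependency Graph and Dependabot alerts reflect what the
# build actually resolves (including entries from the Version Catalog).
name: Dependency submission

on:
  push:
    branches: [ main ]   # assumed default branch

permissions:
  contents: write        # needed to write the dependency-graph snapshot

jobs:
  dependency-submission:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 21          # assumed
      - name: Generate and submit the Gradle dependency graph
        uses: gradle/actions/dependency-submission@v3

---
# .github/dependabot.yml  (assumed path)
# Governs the scheduled version-update PRs; Dependabot reads the Gradle build
# and Version Catalog (gradle/libs.versions.toml) itself. Labels make these
# PRs easy to tell apart from security PRs and from the old solrbot PRs.
version: 2
updates:
  - package-ecosystem: "gradle"
    directory: "/"
    schedule:
      interval: "weekly"
    labels:
      - "dependencies"          # assumed label
    open-pull-requests-limit: 5 # assumed cap
```

Dependabot security updates are switched on in the repository's security settings rather than in dependabot.yml, and they only produce PRs once the dependency graph has been populated by a run of the submission workflow.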
> Introduce dependabot
> --------------------
>
> Key: SOLR-17571
> URL: https://issues.apache.org/jira/browse/SOLR-17571
> Project: Solr
> Issue Type: Improvement
> Security Level: Public(Default Security Level. Issues are Public)
> Affects Versions: main (10.0)
> Reporter: Christos Malliaridis
> Assignee: Christos Malliaridis
> Priority: Major
> Labels: pull-request-available
> Time Spent: 1h
> Remaining Estimate: 0h
>
> With the migration to Version Catalogs in SOLR-17406, the solrbot stopped
> working and needs to be updated.
> Because we now use Gradle Version Catalogs, dependabot is also an option we
> can consider. It comes with better GitHub integration and more features
> related to security. It should be possible to adopt a behavior similar to
> our current bot by fine-tuning dependabot.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)