On Mon, May 3, 2021 at 10:24 PM Oleg Nenashev <[email protected]> wrote:
> >> Would you like to participate as a contributor?
> >
> > What does this entail?
>
> That's a good question, to be seen. As a part of the pilot project we will need:
>
> - Try out LFX Security 2.0 and configure it for some of our projects
> - Explore options for filtering out false positives, find a solution for the Jenkins project taking its scale and needs
> - Try out other features like license analysis
> - Document the implementation for other maintainers
> - Keep evaluation notes and share feedback with Snyk/LFX Security. If we experience blockers, multiple iterations might be required
>
> Note from the discussion: It is unlikely that we will be able to use Snyk's standard GitHub integration via GitHub App. We will likely need to integrate scanning submissions into our Jenkins pipelines (there is a Snyk plugin FTR) or to use GitHub Actions. Reason: GitHub Integration cannot handle custom Bills of Materials, which will be supported by the LFX Security 2.0 API (actually, by the Snyk backend).

Right, that's what I mentioned further down. I don't see CVE ignore lists having satisfactory results for plugin maintainers as soon as plugin/core dependencies are scanned.

I'd like to contribute to this effort, unfortunately I don't know yet how much time I can actually commit to this.

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAMo7PtJUKYidTx_ZF%2BHb5p3gihjFgr59dqix9q53vRZCnLCY0g%40mail.gmail.com.
