On 21/12/2021 23:55, Hen wrote: <snip/>
Dependabot-on-GitHub wise, there is a dashboard but presumably only visible to the organization owners. The new Repository roles maybe could be used to create a Security role who can see it for all repos without making the Security Team Owners on the organization. Can also write GH API code to pull the data; though doing it as a GH Action is probably better if we're hitting the 5,000 PAT limits.
Personally, I *really* don't like dependabot. The volume of noise it has created in Apache Commons is significant. To the point that, in my view, it is harming the community because the volume of mail from dependabot is drowning out other conversations.
The thing is, an out-of-date dependency isn't necessarily an issue - even if that dependency has known security issues. What matters is how the dependency is used. We ran a trial of SRC:CLR (source clear - since acquired by VeraCode) a few years ago and it was enlightening. SRC:CLR's USP was that it checked how dependencies were used so you could prioritise updating the dependencies that actually needed to be updated. Roughly, only about 10% of dependencies with known vulnerabilities were being used in a way that exposed the vulnerability.
I think there is value in using the SRC:CLR service although we may have to pay for it. The challenge is that the projects didn't seem that interested. Times have changed since then though.
While I am on my hobby horse, and on a closely related topic, I also have next to no time for static analysis tools. They might work well for applications but I have never seen one work well for infrastructure code (Tomcat, Commons etc.). Way too many false positives. Also, when we look back at historical scans where we now know a vulnerability was present, we can see that the static analysis missed it. And I've seen a couple over the years that I would have expected to be caught.
What does work well are tools like SpotBugs (formerly FindBugs). I also like code formatting tools on the basis that a standard format makes the code easier to read and hence understand - and spot bugs.
Mark
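The usage-based prioritisation Mark describes (an advisory only matters if the project actually touches the affected code) can be approximated cheaply at the import level. The script below is an added illustration, not code from this thread, from SRC:CLR or from any Apache project: it scans Java sources for imports or fully qualified references to the classes an advisory names as affected, and sorts advisories so that reachable ones come first. All advisory ids, dependency coordinates and source files are constructed sample data; the `Advisory`, `triage` and `prioritise` names are this example's own.

```python
"""Import-level reachability triage for vulnerable dependencies (added example).

First-pass approximation of "is the vulnerable code actually used?":
a dependency's advisory is marked reachable only when some source file
imports (exactly or via a package wildcard plus a simple-name use) or
fully qualifies one of the affected classes. It does not see transitive
use through other libraries or reflection; treat "not referenced" as
"lower priority", not "safe".
"""
import re
from dataclasses import dataclass, field


@dataclass
class Advisory:
    dependency: str          # Maven-style coordinate, e.g. "org.example:lib" (constructed)
    advisory_id: str         # placeholder id, not a real CVE/GHSA
    affected_classes: list   # fully qualified class names the advisory covers


@dataclass
class Triage:
    advisory: Advisory
    referenced_classes: dict = field(default_factory=dict)  # class -> [file paths]

    @property
    def reachable(self) -> bool:
        return bool(self.referenced_classes)


# Matches "import a.b.C;", "import static a.b.C.m;" and "import a.b.*;".
IMPORT_RE = re.compile(r'^\s*import\s+(static\s+)?([\w.]+)(\.\*)?\s*;', re.M)


def imports_in(source: str) -> set:
    """Every imported name; wildcard imports keep a trailing '.*'."""
    return {name + ('.*' if star else '')
            for _static, name, star in IMPORT_RE.findall(source)}


def class_referenced(cls: str, imports: set, source: str) -> bool:
    """True if the file imports cls, imports its package with '*' and uses the
    simple name, or spells out the fully qualified name inline."""
    package, simple = cls.rsplit('.', 1)
    if cls in imports:
        return True
    if package + '.*' in imports and re.search(r'\b' + re.escape(simple) + r'\b', source):
        return True
    return re.search(r'\b' + re.escape(cls) + r'\b', source) is not None


def triage(advisories, sources: dict) -> list:
    """sources maps file path -> Java source text. One Triage per advisory."""
    results = []
    for adv in advisories:
        t = Triage(advisory=adv)
        for path, src in sources.items():
            imps = imports_in(src)
            for cls in adv.affected_classes:
                if class_referenced(cls, imps, src):
                    t.referenced_classes.setdefault(cls, []).append(path)
        results.append(t)
    return results


def prioritise(results: list) -> list:
    """Reachable findings first; the rest still deserve an upgrade eventually
    but should not drown out the mailing list."""
    return sorted(results, key=lambda t: (not t.reachable, t.advisory.dependency))


# Constructed sample advisories and sources (nothing here is real).
SAMPLE_ADVISORIES = [
    Advisory("org.example:fastxml", "EXAMPLE-ADV-0001",
             ["org.example.fastxml.XmlLoader"]),
    Advisory("org.example:netutil", "EXAMPLE-ADV-0002",
             ["org.example.netutil.UrlCache", "org.example.netutil.Redirector"]),
    Advisory("org.example:oldcrypto", "EXAMPLE-ADV-0003",
             ["org.example.oldcrypto.WeakCipher"]),
]

SAMPLE_SOURCES = {
    "src/main/java/app/Config.java": """
        package app;
        import org.example.fastxml.XmlLoader;
        import org.example.oldcrypto.Hex;   // same artifact, but not the affected class
        public class Config { XmlLoader loader = new XmlLoader(); }
    """,
    "src/main/java/app/Net.java": """
        package app;
        import org.example.netutil.*;
        public class Net { UrlCache cache = new UrlCache(); }
    """,
}


def run_sample() -> dict:
    """advisory id -> (reachable?, sorted list of affected classes referenced)."""
    return {t.advisory.advisory_id: (t.reachable, sorted(t.referenced_classes))
            for t in triage(SAMPLE_ADVISORIES, SAMPLE_SOURCES)}


if __name__ == "__main__":
    for t in prioritise(triage(SAMPLE_ADVISORIES, SAMPLE_SOURCES)):
        flag = "REACHABLE" if t.reachable else "not referenced"
        print(f"{t.advisory.advisory_id} {t.advisory.dependency}: {flag} {t.referenced_classes}")
```

On the sample data only the `fastxml` and `netutil` advisories are flagged, and only `UrlCache` (not `Redirector`) counts under the wildcard import, because the simple name never appears; `oldcrypto` is pulled in but the affected class is untouched, so it sorts to the bottom. A tool like SRC:CLR does the same at call-graph depth; this import-level pass is the cheap version you can run in CI before deciding which Dependabot PRs deserve attention.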
