https://bugzilla.wikimedia.org/show_bug.cgi?id=72193
Bug ID: 72193
Summary: Have a check for reported security issues in dependencies
Product: Wikimedia
Version: wmf-deployment
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: Unprioritized
Component: Deployment systems
Assignee: [email protected]
Reporter: [email protected]
CC: [email protected], [email protected],
[email protected]
Web browser: ---
Mobile Platform: ---
As we start including 3rd party libraries into WMF code, we should have a way
to regularly check that our deployed version includes any security fixes.
My initial thought is to have Jenkins use https://security.sensiolabs.org/api
to check any composer.lock files that are included in our patches.
Since the database of vulnerabilities that sensiolabs includes is relatively
small, I'd propose that part of the security review is ensuring that any 3rd
party libraries get included by them
(https://security.sensiolabs.org/contribute), keeping us more secure, and
helping other projects be secure too.
Bd808 thinks he can help me get this set up.
--
_______________________________________________
Wikibugs-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
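The check proposed above, as an added example that is not code from this bug report or from Wikimedia's deployment tooling: a script a Jenkins job could run over a composer.lock, extracting every pinned package from both "packages" and "packages-dev", and comparing each version against an advisory list. To keep it runnable offline it does not call the SensioLabs API; instead it matches against a small advisory table embedded inline, whose shape (package name, affected version ranges, title) and contents are constructed for illustration and are not real advisories. The sample composer.lock is likewise constructed. A Jenkins integration would substitute the real feed for SAMPLE_ADVISORIES and fail the build on a non-empty result.

```python
"""Check the packages pinned in a composer.lock against a vulnerability list.

Added example; assumptions: advisory entries are dicts with an "affected"
list of version constraints (comma = AND) and a "title". Not the SensioLabs
API format.
"""
import json
import re
import sys

# Constructed sample composer.lock (not taken from any Wikimedia repository).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/http-foundation", "version": "v2.5.0"},
        {"name": "monolog/monolog", "version": "1.10.0"},
        {"name": "example/branch-alias", "version": "dev-master"},
    ],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "4.2.0"},
    ],
})

# Constructed advisory table; titles and ranges are made up for this example.
SAMPLE_ADVISORIES = {
    "symfony/http-foundation": [
        {"affected": [">=2.3.0,<2.3.19", ">=2.4.0,<2.4.9", ">=2.5.0,<2.5.4"],
         "title": "Constructed advisory: example issue in HttpFoundation"},
    ],
    "monolog/monolog": [
        {"affected": ["<1.9.0"],
         "title": "Constructed advisory: example issue in old Monolog"},
    ],
}

_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}


def parse_version(version):
    """Turn a Composer tag such as 'v2.5.0' or '1.10.0-RC1' into a comparable
    tuple of ints, padded to at least three components. Pre-release and build
    suffixes are dropped: a lock file pins exact tags, so that is enough here.
    """
    core = version.lstrip("v").split("-")[0].split("+")[0]
    parts = [int(p) for p in re.findall(r"\d+", core)]
    if not parts:
        raise ValueError("not a numeric version: %r" % version)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def matches(version, constraint):
    """True if version satisfies every comma-separated clause of constraint,
    e.g. matches('v2.5.0', '>=2.5.0,<2.5.4') is True."""
    vt = parse_version(version)
    for clause in constraint.split(","):
        m = re.fullmatch(r"\s*(>=|<=|==|>|<)\s*v?([0-9][\w.\-+]*)\s*", clause)
        if not m:
            raise ValueError("bad constraint clause: %r" % clause)
        op, bound = m.groups()
        if not _OPS[op](vt, parse_version(bound)):
            return False
    return True


def load_lock(lock_text):
    """Return {package name: pinned version} for runtime and dev packages."""
    data = json.loads(lock_text)
    pinned = {}
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            pinned[pkg["name"]] = pkg["version"]
    return pinned


def check_lock(lock_text, advisories):
    """Return a list of (package, version, title) for every pinned package
    whose version falls in an advisory's affected range. Branch aliases
    such as 'dev-master' cannot be compared and are skipped."""
    findings = []
    for name, version in load_lock(lock_text).items():
        if version.startswith("dev-"):
            continue
        for adv in advisories.get(name, []):
            if any(matches(version, c) for c in adv["affected"]):
                findings.append((name, version, adv["title"]))
    return findings


if __name__ == "__main__":
    # Exit non-zero on any finding so a CI job fails the patch.
    hits = check_lock(SAMPLE_LOCK, SAMPLE_ADVISORIES)
    for name, version, title in hits:
        print("%s %s: %s" % (name, version, title))
    sys.exit(1 if hits else 0)
```

The parser skips "dev-*" branch aliases rather than guessing at them; a real job should at least log those, since a package pinned to a branch cannot be matched against any version-based advisory and therefore never shows up in the results.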