Posted to commits@daffodil.apache.org by GitBox <gi...@apache.org> on 2022/08/17 17:20:48 UTC

[GitHub] [daffodil] jhutchings1 opened a new pull request, #830: Add dependency scanning for the build.sbt

jhutchings1 opened a new pull request, #830:
URL: https://github.com/apache/daffodil/pull/830

   :wave: Hello! I'm a PM at GitHub working on our supply chain security features. We've been testing out a new capability called the [dependency submission API](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api) that lets repositories that use build systems like Gradle or SBT upload information about the libraries they depend on so that @dependabot can send alerts when there are known vulnerabilities. Are you interested in trying this out? 


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@daffodil.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [daffodil] mbeckerle commented on pull request #830: Add dependency scanning for the build.sbt

Posted by GitBox <gi...@apache.org>.
mbeckerle commented on PR #830:
URL: https://github.com/apache/daffodil/pull/830#issuecomment-1218766869

   A thought is that the dependency graph does not distinguish between main dependencies and test dependencies. Or I didn't see that at first glance. 
   
   That distinction is quite important. 
   
   Main dependencies are passed through to consumers who use daffodil. 
   
   Test dependencies are encountered only by developers. 




[GitHub] [daffodil] jhutchings1 commented on a diff in pull request #830: Add dependency scanning for the build.sbt

Posted by GitBox <gi...@apache.org>.
jhutchings1 commented on code in PR #830:
URL: https://github.com/apache/daffodil/pull/830#discussion_r948262196


##########
.github/workflows/dependency-scan.yml:
##########
@@ -0,0 +1,29 @@
+name: Dependency scan
+
+# Controls when the workflow will run
+on:
+  # Triggers the workflow on push or pull request events but only for the "main" branch
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
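Review bot: the `pull_request` trigger in this hunk would generate and submit a dependency snapshot for unmerged pull-request changes, so the repository's dependency graph would describe what a contributor proposed rather than what is on `main`; keep `push` with `branches: [ "main" ]` and drop `pull_request` (a `workflow_dispatch` trigger, as in the later revision of this file, covers manual reruns).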

Review Comment:
   Ah, good catch. I'll make that modification. 





[GitHub] [daffodil] jhutchings1 commented on pull request #830: Add dependency scanning for the build.sbt

Posted by GitBox <gi...@apache.org>.
jhutchings1 commented on PR #830:
URL: https://github.com/apache/daffodil/pull/830#issuecomment-1218777425

   > A thought is that the dependency graph does not distinguish between main dependencies and test dependencies. Or I didn't see that at first glance.
   
   The dependency graph supports indicating whether a dependency is runtime or development, and that makes its way through to alerts. I can't say for sure whether the SBT action differentiates. 
   https://github.blog/changelog/2022-06-23-dependabot-alerts-filter-alerts-by-the-scope-of-the-dependency-runtime-and-development/
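The runtime-versus-development scope that this exchange turns on can be made concrete. The following is an added example, not code from the Daffodil project or from the sbt-dependency-submission action: it builds a snapshot in the shape the dependency submission API accepts (`version`, `job`, `sha`, `ref`, `detector`, `manifests`) and maps sbt's Compile and Test configurations to the API's `runtime` and `development` scope values, so a consumer-facing alert can be told apart from a developer-only one. The dependency coordinates, the detector name and URL, and the run id are constructed sample values.

```python
"""Build a dependency-submission snapshot from an sbt-style dependency list,
keeping Compile and Test configurations apart as 'runtime' and 'development'
scope.  Added example; not Daffodil's or sbt-dependency-submission's code."""
import json
from datetime import datetime, timezone

# Constructed sample: (organization, artifact, version, sbt configuration).
SAMPLE_DEPENDENCIES = [
    ("org.scala-lang", "scala-library", "2.12.16", "compile"),
    ("com.typesafe", "config", "1.4.2", "compile"),
    ("org.scalatest", "scalatest_2.12", "3.2.13", "test"),
    ("junit", "junit", "4.13.2", "test"),
]

# sbt configuration -> scope value understood by the dependency graph.
SCOPE_BY_CONFIG = {"compile": "runtime", "test": "development"}


def package_url(org, artifact, version):
    """Maven coordinates as a purl, which is the key the snapshot expects."""
    return f"pkg:maven/{org}/{artifact}@{version}"


def build_snapshot(deps, sha, ref, manifest_file="build.sbt", run_id="local"):
    """Return the snapshot document; raises on an sbt configuration we cannot scope."""
    resolved = {}
    for org, artifact, version, config in deps:
        scope = SCOPE_BY_CONFIG.get(config)
        if scope is None:
            raise ValueError(f"unknown sbt configuration: {config}")
        purl = package_url(org, artifact, version)
        resolved[purl] = {
            "package_url": purl,
            "relationship": "direct",   # sample data lists only direct deps
            "scope": scope,
            "dependencies": [],
        }
    return {
        "version": 0,
        "job": {"id": run_id, "correlator": f"dependency-scan/{manifest_file}"},
        "sha": sha,
        "ref": ref,
        # Hypothetical detector identity; a real run names the tool that scanned.
        "detector": {"name": "example-sbt-detector", "version": "0.0.1",
                     "url": "https://example.invalid/detector"},
        "scanned": datetime.now(timezone.utc).isoformat(),
        "manifests": {
            manifest_file: {
                "name": manifest_file,
                "file": {"source_location": manifest_file},
                "resolved": resolved,
            }
        },
    }


def count_by_scope(snapshot):
    """How many resolved packages fall into each scope."""
    counts = {"runtime": 0, "development": 0}
    for manifest in snapshot["manifests"].values():
        for dep in manifest["resolved"].values():
            counts[dep["scope"]] += 1
    return counts


def runtime_only(snapshot):
    """The subset a downstream consumer of the library actually inherits."""
    return sorted(
        purl
        for manifest in snapshot["manifests"].values()
        for purl, dep in manifest["resolved"].items()
        if dep["scope"] == "runtime"
    )


if __name__ == "__main__":
    snap = build_snapshot(SAMPLE_DEPENDENCIES, sha="0" * 40, ref="refs/heads/main")
    print(json.dumps(snap, indent=2))
    print(count_by_scope(snap))
    print(runtime_only(snap))
```

The action the PR installs posts a document of this shape to the repository's `dependency-graph/snapshots` endpoint; here the snapshot is only built and inspected. `runtime_only` lists what a project depending on Daffodil would inherit, which is the set that matters for the concern raised above, while the `development` entries only ever reach developers' machines.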




[GitHub] [daffodil] stevedlawrence commented on a diff in pull request #830: Add dependency scanning for the build.sbt

Posted by GitBox <gi...@apache.org>.
stevedlawrence commented on code in PR #830:
URL: https://github.com/apache/daffodil/pull/830#discussion_r948245400


##########
.github/workflows/dependency-scan.yml:
##########
@@ -0,0 +1,29 @@
+name: Dependency scan
+
+# Controls when the workflow will run
+on:
+  # Triggers the workflow on push or pull request events but only for the "main" branch
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]

Review Comment:
   Do we want this to run on pull requests? Seems like we would only want it to run when things are actually pushed to main? Someone adding a new dependency to a pull request shouldn't change the GitHub dependency graph.





[GitHub] [daffodil] tuxji commented on pull request #830: Add dependency scanning for the build.sbt

Posted by GitBox <gi...@apache.org>.
tuxji commented on PR #830:
URL: https://github.com/apache/daffodil/pull/830#issuecomment-1219800951

   Yep, I just deleted the branch.  I had clicked a Revert button to see what would happen and had changed my mind when I saw it would take another commit to revert the previous commit.  Thanks for alerting me that the new branch was still around.




[GitHub] [daffodil] stevedlawrence commented on pull request #830: Add dependency scanning for the build.sbt

Posted by GitBox <gi...@apache.org>.
stevedlawrence commented on PR #830:
URL: https://github.com/apache/daffodil/pull/830#issuecomment-1219790443

   Looks like a `revert-830-main` branch was created to revert this? I don't *think* we need to revert the commit. Once INFRA allows this we should be able to rerun the workflow for that commit and it should pass. So the new branch should be safe to delete, I think?




[GitHub] [daffodil] tuxji commented on a diff in pull request #830: Add dependency scanning for the build.sbt

Posted by GitBox <gi...@apache.org>.
tuxji commented on code in PR #830:
URL: https://github.com/apache/daffodil/pull/830#discussion_r949099125


##########
.github/workflows/dependency-scan.yml:
##########
@@ -0,0 +1,27 @@
+name: Dependency scan

Review Comment:
   This file fails our Rat audit check.  Please prepend the Apache license before the name:
   
   ```
   # Licensed to the Apache Software Foundation (ASF) under one or more
   # contributor license agreements. See the NOTICE file distributed with
   # this work for additional information regarding copyright ownership.
   # The ASF licenses this file to You under the Apache License, Version 2.0
   # (the "License"); you may not use this file except in compliance with
   # the License. You may obtain a copy of the License at
   #
   # http://www.apache.org/licenses/LICENSE-2.0
   #
   # Unless required by applicable law or agreed to in writing, software
   # distributed under the License is distributed on an "AS IS" BASIS,
   # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   # See the License for the specific language governing permissions and
   # limitations under the License.
   
   name: Dependency Scan
   ```



##########
.github/workflows/dependency-scan.yml:
##########
@@ -0,0 +1,27 @@
+name: Dependency scan
+
+# Controls when the workflow will run
+on:
+  # Triggers the workflow on push or pull request events but only for the "main" branch
+  push:
+    branches: [ "main" ]
+    
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+  # This workflow contains a single job called "build"
+  build:
+    # The type of runner that the job will run on
+    runs-on: ubuntu-latest
+
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+      - uses: actions/checkout@v3
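Review bot: `actions/checkout@v3` is a floating major-version tag that moves with every release, so the step's code can change without any edit to this file; pin it to at least an exact release (`v3.0.2`, the project's convention) or to a full commit SHA. A SHA reference is also the form the INFRA allow-list accepts for third-party actions (`*/*@[a-f0-9]+`), so the dependency-submission step added later in this file will need one regardless.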

Review Comment:
   We pin our workflows to actions/checkout@v3.0.2 instead of actions/checkout@v3 in order to perform due diligence on every version update.  Besides safeguarding our build security, this lets us become aware of any changes to github actions such as new API that could be useful to us.  Dependabot bumps the version for us so we won't miss updates.



##########
.github/workflows/dependency-scan.yml:
##########
@@ -0,0 +1,27 @@
+name: Dependency scan
+
+# Controls when the workflow will run
+on:
+  # Triggers the workflow on push or pull request events but only for the "main" branch
+  push:
+    branches: [ "main" ]
+    
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+  # This workflow contains a single job called "build"
+  build:
+    # The type of runner that the job will run on
+    runs-on: ubuntu-latest
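Review bot: the workflow declares no `permissions:` block, so the job runs with the repository's default `GITHUB_TOKEN` scope; declare the minimum the submission step needs at workflow or job level so the token cannot do more than write the dependency snapshot. The job is also still named `build` and carries the generator's template comments (`# This workflow contains a single job called "build"`) although it builds nothing; rename it and drop or rewrite those comments so the file reads as what it is.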

Review Comment:
   We pin our workflows to ubuntu-20.04 rather than ubuntu-latest in order to perform due diligence on every version update.  GitHub sends announcements when changing ubuntu-latest to the next version so we won't miss the bump, although we may switch to ubuntu-22.04 sooner without waiting for GitHub.





[GitHub] [daffodil] tuxji merged pull request #830: Add dependency scanning for the build.sbt

Posted by GitBox <gi...@apache.org>.
tuxji merged PR #830:
URL: https://github.com/apache/daffodil/pull/830




[GitHub] [daffodil] jhutchings1 commented on pull request #830: Add dependency scanning for the build.sbt

Posted by GitBox <gi...@apache.org>.
jhutchings1 commented on PR #830:
URL: https://github.com/apache/daffodil/pull/830#issuecomment-1218335224

   > Unfortunately it seems like Dependabot still doesn't support sbt dependencies, but I guess this would allow it to create alerts? I'm not sure where those alerts would go or how helpful they are, especially since we have Scala Steward to create dependency PRs.
   
   Correct. Since Scala projects usually use dependencies from Maven Central, we've got a database of [advisories](https://github.com/advisories) that can drive alerts. If you'd like to see a preview of the dependency graph that this calculates, you can check out the one in my [fork](https://github.com/jhutchings1/daffodil/network/dependencies). 




[GitHub] [daffodil] mbeckerle commented on pull request #830: Add dependency scanning for the build.sbt

Posted by GitBox <gi...@apache.org>.
mbeckerle commented on PR #830:
URL: https://github.com/apache/daffodil/pull/830#issuecomment-1218800591

   > > A thought is that the dependency graph does not distinguish between main dependencies and test dependencies. Or I didn't see that at first glance.
   > 
   > The dependency graph supports indicating whether a dependency is runtime or development, and that makes its way through to alerts. I can't say for sure whether the SBT action differentiates. https://github.blog/changelog/2022-06-23-dependabot-alerts-filter-alerts-by-the-scope-of-the-dependency-runtime-and-development/
   
   Super. You are way ahead of me. 




[GitHub] [daffodil] tuxji commented on pull request #830: Add dependency scanning for the build.sbt

Posted by GitBox <gi...@apache.org>.
tuxji commented on PR #830:
URL: https://github.com/apache/daffodil/pull/830#issuecomment-1219773498

   Oops - got this from CI:
   
   ```
   scalacenter/sbt-dependency-submission@v2.0.1 is not allowed to be used in apache/daffodil. Actions in this workflow must be: within a repository owned by apache, created by GitHub, verified in the GitHub Marketplace, or matching the following: */*@[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]+, AdoptOpenJDK/install-jdk@*, JamesIves/github-pages-deploy-action@5dc1d5a192aeb5ab5b7d5a77b7d36aea4a7f5c92, TobKed/label-when-approved-action@*, actions-cool/issues-helper@*, actions-rs/*, al-cheb/configure-pagefile-action@*, amannn/action-semantic-pull-request@*, apache/*, burrunan/gradle-cache-action@*, bytedeco/javacpp-presets/.github/actions/*, chromaui/action@*, codecov/codecov-action@*, conda-incubator/setup-miniconda@*, container-tools/kind-action@*, container-tools/microshift-action@*, dawidd6/action-download-artifact@*, delaguardo/setup-graalvm@*, docker://jekyll/jekyll:*, docker://pandoc/core:2.9, eps1lon/actions-label-merge-conflict@*, gaurav-nelson/github-action-markdown...
   ```
   
   I filed an Infra issue [INFRA-23593](https://issues.apache.org/jira/browse/INFRA-23593) to have this action whitelisted.
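The review points in this thread (exact pinning of actions and runner images, push-only triggering, the Rat license header) and the INFRA allow-list rules quoted in the CI error above can be checked mechanically before a workflow is committed. The following is an added example and not part of Daffodil's tooling: a line-oriented linter over a workflow file that applies those rules to a constructed copy of the PR's workflow and to a hardened version of it. The allow-list constants are a hand-copied subset of the list in the error message, the `permissions:` check is a least-privilege convention rather than something this thread states, and the 40-zero SHA in the hardened sample is a placeholder, not a real commit.

```python
"""Line-based policy check for a GitHub Actions workflow.  Added example, not
Daffodil's own tooling; the allow-list below is a hand-copied subset of the
INFRA error message quoted in this thread, not the live list."""
import re

GITHUB_AUTHORED_OWNERS = {"actions", "github"}            # "created by GitHub"
OWNER_WILDCARDS = {"apache", "actions-rs"}                 # apache/*, actions-rs/*
REPO_WILDCARDS = {"codecov/codecov-action", "dawidd6/action-download-artifact"}
EXACT_PINS = {"JamesIves/github-pages-deploy-action@5dc1d5a192aeb5ab5b7d5a77b7d36aea4a7f5c92"}

SHA_REF = re.compile(r"^[a-f0-9]{7,}$")        # the */*@[a-f0-9]{7,} rule
EXACT_TAG = re.compile(r"^v?\d+\.\d+\.\d+$")    # v3.0.2-style pin the project uses
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
LICENSE_MARKER = "Licensed to the Apache Software Foundation"


def split_uses(uses):
    """'owner/repo[/path]@ref' -> (owner, 'owner/repo[/path]', ref)."""
    name, _, ref = uses.partition("@")
    return name.split("/", 1)[0], name, ref


def action_allowed(uses):
    """Apply the allow-list rules as the CI error message states them."""
    if uses.startswith("docker://"):
        return False                             # docker refs are not modelled here
    owner, name, ref = split_uses(uses)
    return (uses in EXACT_PINS
            or owner in GITHUB_AUTHORED_OWNERS
            or owner in OWNER_WILDCARDS
            or name in REPO_WILDCARDS
            or bool(SHA_REF.match(ref)))


def lint_workflow(text):
    """Return [(line_no, message)]; line 0 marks file-level findings."""
    lines = text.splitlines()
    findings = []
    if not any(LICENSE_MARKER in line for line in lines[:3]):
        findings.append((0, "missing Apache license header (fails the Rat audit)"))
    if not any(re.match(r"^\s*permissions:", line) for line in lines):
        findings.append((0, "no permissions: block; job runs with the default token scope"))
    in_on = False                                # inside the top-level `on:` mapping
    for no, line in enumerate(lines, 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if re.match(r"^on:\s*$", line):
            in_on = True
            continue
        if not line.startswith(" "):             # next top-level key ends `on:`
            in_on = False
        if in_on and re.match(r"^\s*pull_request:", line):
            findings.append((no, "pull_request trigger: snapshot should describe main; submit on push only"))
        m = USES_LINE.match(line)
        if m:
            uses = m.group(1)
            _, _, ref = split_uses(uses)
            if not action_allowed(uses):
                findings.append((no, f"{uses}: not on the allow-list; pin to a full commit SHA"))
            elif not (SHA_REF.match(ref) or EXACT_TAG.match(ref)):
                findings.append((no, f"{uses}: floating tag; pin an exact version or SHA"))
        if re.match(r"^\s*runs-on:\s*ubuntu-latest\b", line):
            findings.append((no, "runs-on: ubuntu-latest; pin an explicit image such as ubuntu-20.04"))
    return findings


# Constructed from the hunk in this PR plus the action named in the CI error.
SAMPLE_WORKFLOW = """\
name: Dependency scan

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: scalacenter/sbt-dependency-submission@v2.0.1
"""

# Same workflow after the review points are applied; the SHA is a placeholder.
HARDENED_WORKFLOW = """\
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  (full header as quoted in the review)
name: Dependency scan

on:
  push:
    branches: [ "main" ]
  workflow_dispatch:

permissions:
  contents: write

jobs:
  build:
    runs-on: ubuntu-20.04
    steps:
      - uses: actions/checkout@v3.0.2
      # Placeholder SHA: replace with the audited release commit, not a real ref.
      - uses: scalacenter/sbt-dependency-submission@0000000000000000000000000000000000000000
"""

if __name__ == "__main__":
    for label, text in (("as submitted", SAMPLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label)
        for no, msg in lint_workflow(text) or [(0, "no findings")]:
            print(f"  line {no}: {msg}")
```

The lint deliberately accepts an exact release tag such as `v3.0.2` for allow-listed actions, matching the project's stated convention, while a third-party action passes only with a commit SHA, matching the INFRA rule; a floating tag such as `@v3` is always flagged.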

