Posted to dev@streampark.apache.org by GitBox <gi...@apache.org> on 2022/09/08 12:26:23 UTC

[GitHub] [incubator-streampark] pjfanning opened a new issue, #1554: [Feature] enable dependabot security checks

pjfanning opened a new issue, #1554:
URL: https://github.com/apache/incubator-streampark/issues/1554

   ### Search before asking
   
   - [X] I had searched in the [feature](https://github.com/apache/streampark/issues?q=is%3Aissue+label%3A%22Feature%22) and found no similar feature requirement.
   
   
   ### Description
   
   You can just enable Dependabot to autogenerate PRs for jars that have security issues. There is another mode where Dependabot generates PRs for all new releases of dependencies. The latter can be noisy but just enabling it for security issues would be very useful.
   
   I recently raised https://github.com/apache/incubator-streampark/pull/1548 (and a few others) and I wouldn't have had to if Dependabot was enabled.
   
   https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security
   
   Dependabot can also scan your Github Actions for pipeline issues - https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot 
   
   ### Usage Scenario
   
   _No response_
   
   ### Related issues
   
   _No response_
   
   ### Are you willing to submit a PR?
   
   - [ ] Yes I am willing to submit a PR!
   
   ### Code of Conduct
   
   - [X] I agree to follow this project's [Code of Conduct](https://www.apache.org/foundation/policies/conduct)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@streampark.apache.org.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
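As an added example (not from the issue or the StreamPark project), a `.github/dependabot.yml` that keeps the noisy all-releases mode off for Maven jars while still letting Dependabot security updates open PRs, and enables version updates for GitHub Actions as the issue suggests. The `directory`, schedule and label values are assumptions; Dependabot security updates themselves are switched on in the repository's Security settings, which this file does not replace.

```yaml
# .github/dependabot.yml (assumed path and values; example only)
version: 2
updates:
  # Maven: do NOT open PRs for every new release of every dependency.
  # open-pull-requests-limit: 0 disables version updates for this
  # ecosystem, but security updates (enabled in the Security tab)
  # still open PRs for dependencies with a known advisory.
  - package-ecosystem: "maven"
    directory: "/"              # assumed: root pom.xml
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 0
    labels:
      - "dependencies"          # assumed label name
      - "security"

  # GitHub Actions: keep workflow actions up to date so pipeline
  # steps do not run on stale, vulnerable action versions.
  - package-ecosystem: "github-actions"
    directory: "/"              # Dependabot scans .github/workflows/*
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
    labels:
      - "ci"                    # assumed label name
```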


[GitHub] [incubator-streampark] tisonkun commented on issue #1554: [Feature] enable dependabot security checks

Posted by GitBox <gi...@apache.org>.
tisonkun commented on issue #1554:
URL: https://github.com/apache/incubator-streampark/issues/1554#issuecomment-1242067141

   @pjfanning It's possible that it requires admin permission, while all committers have only write permission.
   
   You can file a JIRA issue on [INFRA](https://issues.apache.org/jira/projects/INFRA) project. For example, https://issues.apache.org/jira/browse/INFRA-23432. Simply copying the description here may work.




[GitHub] [incubator-streampark] pjfanning commented on issue #1554: [Feature] enable dependabot security checks

Posted by GitBox <gi...@apache.org>.
pjfanning commented on issue #1554:
URL: https://github.com/apache/incubator-streampark/issues/1554#issuecomment-1250234747

   @tisonkun I'm not part of the Streampark PMC; it would be better if someone from the PMC raised the INFRA issue. https://issues.apache.org/jira/browse/INFRA-23683 was one I raised for another ASF project (but I'm a PMC member of that project).
   
   For instance, snakeyaml has another new release (1.32) that has another similar security fix.




[GitHub] [incubator-streampark] tisonkun commented on issue #1554: [Feature] enable dependabot security checks

Posted by GitBox <gi...@apache.org>.
tisonkun commented on issue #1554:
URL: https://github.com/apache/incubator-streampark/issues/1554#issuecomment-1242057152

   [image: https://user-images.githubusercontent.com/18818196/189375452-c01bf0b2-62b0-4790-99e7-6c88bec43c1a.png]
   
   From [the page](https://github.com/apache/incubator-streampark/security) it seems all enabled. Closed as done.




[GitHub] [incubator-streampark] tisonkun commented on issue #1554: [Feature] enable dependabot security checks

Posted by GitBox <gi...@apache.org>.
tisonkun commented on issue #1554:
URL: https://github.com/apache/incubator-streampark/issues/1554#issuecomment-1241401164

   @wolfboys generally we don't assign others unless they ask for it.




[GitHub] [incubator-streampark] wolfboys commented on issue #1554: [Feature] enable dependabot security checks

Posted by GitBox <gi...@apache.org>.
wolfboys commented on issue #1554:
URL: https://github.com/apache/incubator-streampark/issues/1554#issuecomment-1242061741

   > @wolfboys generally we don't assign others except they ask for it.
   
   oh sorry. 




[GitHub] [incubator-streampark] pjfanning commented on issue #1554: [Feature] enable dependabot security checks

Posted by GitBox <gi...@apache.org>.
pjfanning commented on issue #1554:
URL: https://github.com/apache/incubator-streampark/issues/1554#issuecomment-1242062867

   Not sure why the 'Dependabot alerts' option does not appear - like the one in this image:
   [image: Screenshot 2022-09-09 at 15 41 38 - https://user-images.githubusercontent.com/11783444/189376551-68f9707f-a854-4c6d-b4ad-bf34c279f2f5.png]
   




[GitHub] [incubator-streampark] pjfanning commented on issue #1554: [Feature] enable dependabot security checks

Posted by GitBox <gi...@apache.org>.
pjfanning commented on issue #1554:
URL: https://github.com/apache/incubator-streampark/issues/1554#issuecomment-1242047425

   This is just a couple of clicks in the Security tab - but only project members can see these options.




[GitHub] [incubator-streampark] tisonkun commented on issue #1554: [Feature] enable dependabot security checks

Posted by GitBox <gi...@apache.org>.
tisonkun commented on issue #1554:
URL: https://github.com/apache/incubator-streampark/issues/1554#issuecomment-1250235097

   > it would be better if someone from the PMC raised the INFRA issue
   
   This is not a requirement. Whether or not the proposer is a PMC member doesn't matter. But we do need to have a (lazy) consensus.




[GitHub] [incubator-streampark] wolfboys commented on issue #1554: [Feature] enable dependabot security checks

Posted by GitBox <gi...@apache.org>.
wolfboys commented on issue #1554:
URL: https://github.com/apache/incubator-streampark/issues/1554#issuecomment-1242059063

   > This is just a couple of clicks in the Security tab - but only project members can see these options.
   
   I can't see the "Dependabot" in the Security tab, maybe we should apply by email?




[GitHub] [incubator-streampark] tisonkun closed issue #1554: [Feature] enable dependabot security checks

Posted by GitBox <gi...@apache.org>.
tisonkun closed issue #1554: [Feature] enable dependabot security checks
URL: https://github.com/apache/incubator-streampark/issues/1554

