Posted to dev@camel.apache.org by Colm O hEigeartaigh <co...@apache.org> on 2022/02/03 12:02:38 UTC

Dependabot alerts

Hi,

I've worked with INFRA to enable GitHub dependabot alerts for various
Apache projects. The idea is that the GitHub committers for a given
project can have access to the page on GitHub (for example for CXF:
https://github.com/apache/cxf/security/dependabot) which shows the
list of dependencies for the project with known CVEs.

I plan to do the same for Camel on these repos:

https://github.com/apache/camel
https://github.com/apache/camel-karaf
https://github.com/apache/camel-quarkus
https://github.com/apache/camel-spring-boot

Any objections or anything I'm missing? If not I'll proceed with enabling it.

Colm.

Re: Dependabot alerts

Posted by David Jencks <da...@gmail.com>.
I don’t see an obvious upgrade path to ameliorate these docs/* “security” problems (I upped all the versions I could in package.json with no useful effect), but:

- I’ve been planning on completely eliminating all the copying with the gulp file (where the dependencies come from) and having Antora find the originals instead. This is going to require a camel-specific Antora extension (first one!) but should not be terribly difficult. We then wouldn’t have a yarn.lock :-) This may take a while.
- I don’t think there’s actually any security risk to running a script to symlink some files in the git repo, and committing the result.

I’d appreciate Zoran’s perspective, I am by no means a security expert.

David Jencks

> On Feb 3, 2022, at 1:23 PM, Claus Ibsen <cl...@gmail.com> wrote:
> 
> Hi
> 
> Most of the remaining alerts are in the docs folder, about yarn.
> 
> Wonder if David or Zoran would take a look?
> 
> On Thu, Feb 3, 2022 at 1:02 PM Colm O hEigeartaigh <co...@apache.org> wrote:
>> 
>> Hi,
>> 
>> I've worked with INFRA to enable GitHub dependabot alerts for various
>> Apache projects. The idea is that the GitHub committers for a given
>> project can have access to the page on GitHub (for example for CXF:
>> https://github.com/apache/cxf/security/dependabot) which shows the
>> list of dependencies for the project with known CVEs.
>> 
>> I plan to do the same for Camel on these repos:
>> 
>> https://github.com/apache/camel
>> https://github.com/apache/camel-karaf
>> https://github.com/apache/camel-quarkus
>> https://github.com/apache/camel-spring-boot
>> 
>> Any objections or anything I'm missing? If not I'll proceed with enabling it.
>> 
>> Colm.
> 
> 
> 
> -- 
> Claus Ibsen
> -----------------
> http://davsclaus.com @davsclaus
> Camel in Action 2: https://www.manning.com/ibsen2


Re: Dependabot alerts

Posted by Claus Ibsen <cl...@gmail.com>.
Hi

Most of the remaining alerts are in the docs folder, about yarn.

Wonder if David or Zoran would take a look?

On Thu, Feb 3, 2022 at 1:02 PM Colm O hEigeartaigh <co...@apache.org> wrote:
>
> Hi,
>
> I've worked with INFRA to enable GitHub dependabot alerts for various
> Apache projects. The idea is that the GitHub committers for a given
> project can have access to the page on GitHub (for example for CXF:
> https://github.com/apache/cxf/security/dependabot) which shows the
> list of dependencies for the project with known CVEs.
>
> I plan to do the same for Camel on these repos:
>
> https://github.com/apache/camel
> https://github.com/apache/camel-karaf
> https://github.com/apache/camel-quarkus
> https://github.com/apache/camel-spring-boot
>
> Any objections or anything I'm missing? If not I'll proceed with enabling it.
>
> Colm.



-- 
Claus Ibsen
-----------------
http://davsclaus.com @davsclaus
Camel in Action 2: https://www.manning.com/ibsen2
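
As an added example (not code from this thread or from the Camel project), here is a small triage helper for the kind of alert list Colm describes and the observation above that most remaining alerts sit in the docs folder: given a saved Dependabot alert export, it counts open alerts per manifest and per severity, lists the ones that have no patched version yet (a version bump cannot clear those), and orders the rest most-severe first. The record shape is assumed to follow GitHub's REST API response for listing a repository's Dependabot alerts; the package names, advisory ids and manifests below are constructed placeholders, not real advisories or Camel dependencies.

```python
import json
from collections import Counter

# Constructed sample in the shape of GitHub's "list Dependabot alerts for a
# repository" API response (assumption). All names and ids are placeholders.
SAMPLE_ALERTS = [
    {
        "number": 1, "state": "open",
        "dependency": {"package": {"ecosystem": "npm", "name": "sample-markdown-tool"},
                       "manifest_path": "docs/yarn.lock", "scope": "development"},
        "security_advisory": {"ghsa_id": "GHSA-xxxx-xxxx-0001", "cve_id": None,
                              "summary": "placeholder advisory", "severity": "high"},
        "security_vulnerability": {"vulnerable_version_range": "< 2.0.1",
                                   "first_patched_version": {"identifier": "2.0.1"}},
    },
    {
        "number": 2, "state": "open",
        "dependency": {"package": {"ecosystem": "npm", "name": "sample-css-lib"},
                       "manifest_path": "docs/yarn.lock", "scope": "development"},
        "security_advisory": {"ghsa_id": "GHSA-xxxx-xxxx-0002", "cve_id": "CVE-0000-0002",
                              "summary": "placeholder advisory", "severity": "medium"},
        "security_vulnerability": {"vulnerable_version_range": "<= 1.9.0",
                                   "first_patched_version": None},  # no fix released yet
    },
    {
        "number": 3, "state": "open",
        "dependency": {"package": {"ecosystem": "maven", "name": "org.example:sample-parser"},
                       "manifest_path": "pom.xml", "scope": "runtime"},
        "security_advisory": {"ghsa_id": "GHSA-xxxx-xxxx-0003", "cve_id": None,
                              "summary": "placeholder advisory", "severity": "critical"},
        "security_vulnerability": {"vulnerable_version_range": "< 1.4.2",
                                   "first_patched_version": {"identifier": "1.4.2"}},
    },
    {
        "number": 4, "state": "fixed",
        "dependency": {"package": {"ecosystem": "npm", "name": "sample-glob"},
                       "manifest_path": "docs/yarn.lock", "scope": "development"},
        "security_advisory": {"ghsa_id": "GHSA-xxxx-xxxx-0004", "cve_id": None,
                              "summary": "placeholder advisory", "severity": "low"},
        "security_vulnerability": {"vulnerable_version_range": "< 3.0.0",
                                   "first_patched_version": {"identifier": "3.0.0"}},
    },
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def normalize(alert):
    """Flatten one API record into the few fields a triage pass needs."""
    dep = alert.get("dependency") or {}
    pkg = dep.get("package") or {}
    adv = alert.get("security_advisory") or {}
    vuln = alert.get("security_vulnerability") or {}
    patched = vuln.get("first_patched_version")  # None when no fixed release exists
    return {
        "number": alert["number"],
        "state": alert.get("state", "open"),
        "ecosystem": pkg.get("ecosystem"),
        "package": pkg.get("name"),
        "manifest": dep.get("manifest_path"),
        "severity": (adv.get("severity") or "unknown").lower(),
        "advisory": adv.get("cve_id") or adv.get("ghsa_id"),
        "patched": patched["identifier"] if patched else None,
    }


def load_alerts(records):
    """records: the parsed JSON array, e.g. from a saved API response."""
    return [normalize(a) for a in records]


def load_alerts_json(text):
    return load_alerts(json.loads(text))


def open_alerts(alerts):
    return [a for a in alerts if a["state"] == "open"]


def count_by_manifest(alerts):
    return dict(Counter(a["manifest"] for a in alerts))


def count_by_severity(alerts):
    return dict(Counter(a["severity"] for a in alerts))


def without_fix(alerts):
    """Alerts whose advisory lists no patched version: a plain bump cannot clear them."""
    return [a for a in alerts if a["patched"] is None]


def triage_order(alerts):
    """Most severe first; ties broken by alert number for a stable listing."""
    return sorted(alerts, key=lambda a: (SEVERITY_RANK.get(a["severity"], 99), a["number"]))


def report(records):
    alerts = open_alerts(load_alerts(records))
    lines = [f"open alerts: {len(alerts)}"]
    for manifest, n in sorted(count_by_manifest(alerts).items()):
        lines.append(f"  {manifest}: {n}")
    for a in triage_order(alerts):
        fix = f"fix in {a['patched']}" if a["patched"] else "no patched version"
        lines.append(f"#{a['number']} {a['severity']:8} {a['ecosystem']}:{a['package']} "
                     f"({a['advisory']}) {fix}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_ALERTS))
```

The per-manifest count is the quick way to confirm a claim like "most of the remaining alerts are in docs/yarn.lock", and the no-patched-version list separates alerts that a dependency bump can close from those that need a different route (dropping the dependency, or waiting for upstream), which is the distinction David raises about the docs build.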

Re: Dependabot alerts

Posted by Otavio Rodolfo Piske <an...@gmail.com>.
Hi,

Nice one, Colm! Thanks!

On Thu, Feb 3, 2022 at 6:26 PM Claus Ibsen <cl...@gmail.com> wrote:

> Hi
>
> This is good to see, you also get a "found X vulnerabilities" when you
> push commits to branches.
>

Oh, this is really cool


>
> And btw. there are also the SonarCloud reports, or whatever the name was,
> that Otavio helped enable.
>
> I assume we have a page in the docs where we can have links to those
> various online reporting tools.
>

Yes. I added a section about automated code analysis on the contribution
guide [1] which has a link to our SonarCloud instance [2] (it's a pity we
cannot have - yet - automated code analysis on the PRs ... but I don't want
to go off-topic here).

I think we could add a note about the automated analysis of security
vulnerabilities there too.

1. https://camel.apache.org/community/contributing/#automated-code-analysis
2. https://sonarcloud.io/project/overview?id=apache_camel

Kind regards


>
> On Thu, Feb 3, 2022 at 1:02 PM Colm O hEigeartaigh <co...@apache.org>
> wrote:
> >
> > Hi,
> >
> > I've worked with INFRA to enable GitHub dependabot alerts for various
> > Apache projects. The idea is that the GitHub committers for a given
> > project can have access to the page on GitHub (for example for CXF:
> > https://github.com/apache/cxf/security/dependabot) which shows the
> > list of dependencies for the project with known CVEs.
> >
> > I plan to do the same for Camel on these repos:
> >
> > https://github.com/apache/camel
> > https://github.com/apache/camel-karaf
> > https://github.com/apache/camel-quarkus
> > https://github.com/apache/camel-spring-boot
> >
> > Any objections or anything I'm missing? If not I'll proceed with
> enabling it.
> >
> > Colm.
>
>
>
> --
> Claus Ibsen
> -----------------
> http://davsclaus.com @davsclaus
> Camel in Action 2: https://www.manning.com/ibsen2
>


-- 
Otavio R. Piske
http://orpiske.net

Re: Dependabot alerts

Posted by Claus Ibsen <cl...@gmail.com>.
Hi

This is good to see, you also get a "found X vulnerabilities" when you
push commits to branches.

And btw. there are also the SonarCloud reports, or whatever the name was,
that Otavio helped enable.

I assume we have a page in the docs where we can have links to those
various online reporting tools.


On Thu, Feb 3, 2022 at 1:02 PM Colm O hEigeartaigh <co...@apache.org> wrote:
>
> Hi,
>
> I've worked with INFRA to enable GitHub dependabot alerts for various
> Apache projects. The idea is that the GitHub committers for a given
> project can have access to the page on GitHub (for example for CXF:
> https://github.com/apache/cxf/security/dependabot) which shows the
> list of dependencies for the project with known CVEs.
>
> I plan to do the same for Camel on these repos:
>
> https://github.com/apache/camel
> https://github.com/apache/camel-karaf
> https://github.com/apache/camel-quarkus
> https://github.com/apache/camel-spring-boot
>
> Any objections or anything I'm missing? If not I'll proceed with enabling it.
>
> Colm.



-- 
Claus Ibsen
-----------------
http://davsclaus.com @davsclaus
Camel in Action 2: https://www.manning.com/ibsen2

Re: Dependabot alerts

Posted by Colm O hEigeartaigh <co...@apache.org>.
Yes, thanks to INFRA for the fast fix. There are a couple of issues
reported at https://github.com/apache/camel-spring-boot/security/dependabot
as well.

Colm.

On Thu, Feb 3, 2022 at 4:19 PM Karen Lease <ka...@gmail.com> wrote:
>
> That was fast, I already am able to see the camel page:
> https://github.com/apache/camel/security/dependabot
>
> Thanks Colm.
>
> On 03/02/2022 15:07, Colm O hEigeartaigh wrote:
> > https://issues.apache.org/jira/browse/INFRA-22830
> >
> > Colm.
> >
> > On Thu, Feb 3, 2022 at 2:06 PM Colm O hEigeartaigh <co...@apache.org> wrote:
> >>
> >> Yes exactly, you can't see the CXF alerts (actually they are all
> >> fixed) because you aren't a committer there.
> >>
> >> Colm.
> >>
> >> On Thu, Feb 3, 2022 at 1:31 PM Otavio Rodolfo Piske
> >> <an...@gmail.com> wrote:
> >>>
> >>> Hi,
> >>>
> >>> Thanks for looking into this!
> >>>
> >>> +1 from me. I also couldn't see the ones from CXF, but I presume we should expect to see a report like this [1], right?
> >>>
> >>> 1. https://nftb.saturdaymp.com/today-i-learned-about-githubs-dependabot/
> >>>
> >>> On Thu, Feb 3, 2022 at 1:31 PM Zoran Regvart <zo...@regvart.com> wrote:
> >>>>
> >>>> Hi, Colm
> >>>>
> >>>> On Thu, Feb 3, 2022 at 1:02 PM Colm O hEigeartaigh <co...@apache.org> wrote:
> >>>>>
> >>>>> Hi,
> >>>>>
> >>>>> I've worked with INFRA to enable GitHub dependabot alerts for various
> >>>>> Apache projects. The idea is that the GitHub committers for a given
> >>>>> project can have access to the page on GitHub (for example for CXF:
> >>>>> https://github.com/apache/cxf/security/dependabot) which shows the
> >>>>> list of dependencies for the project with known CVEs.
> >>>>>
> >>>>> I plan to do the same for Camel on these repos:
> >>>>>
> >>>>> https://github.com/apache/camel
> >>>>> https://github.com/apache/camel-karaf
> >>>>> https://github.com/apache/camel-quarkus
> >>>>> https://github.com/apache/camel-spring-boot
> >>>>>
> >>>>> Any objections or anything I'm missing? If not I'll proceed with enabling it.
> >>>>
> >>>> +1 from me, thanks Colm for looking into it, I keep seeing those on
> >>>> push, but I can't access the /security/dependabot page so this will be
> >>>> very helpful.
> >>>>
> >>>> zoran
> >>>> --
> >>>> Zoran Regvart
> >>>
> >>>
> >>>
> >>> --
> >>> Otavio R. Piske
> >>> http://orpiske.net

Re: Dependabot alerts

Posted by Karen Lease <ka...@gmail.com>.
That was fast, I already am able to see the camel page: 
https://github.com/apache/camel/security/dependabot

Thanks Colm.

On 03/02/2022 15:07, Colm O hEigeartaigh wrote:
> https://issues.apache.org/jira/browse/INFRA-22830
> 
> Colm.
> 
> On Thu, Feb 3, 2022 at 2:06 PM Colm O hEigeartaigh <co...@apache.org> wrote:
>>
>> Yes exactly, you can't see the CXF alerts (actually they are all
>> fixed) because you aren't a committer there.
>>
>> Colm.
>>
>> On Thu, Feb 3, 2022 at 1:31 PM Otavio Rodolfo Piske
>> <an...@gmail.com> wrote:
>>>
>>> Hi,
>>>
>>> Thanks for looking into this!
>>>
>>> +1 from me. I also couldn't see the ones from CXF, but I presume we should expect to see a report like this [1], right?
>>>
>>> 1. https://nftb.saturdaymp.com/today-i-learned-about-githubs-dependabot/
>>>
>>> On Thu, Feb 3, 2022 at 1:31 PM Zoran Regvart <zo...@regvart.com> wrote:
>>>>
>>>> Hi, Colm
>>>>
>>>> On Thu, Feb 3, 2022 at 1:02 PM Colm O hEigeartaigh <co...@apache.org> wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> I've worked with INFRA to enable GitHub dependabot alerts for various
>>>>> Apache projects. The idea is that the GitHub committers for a given
>>>>> project can have access to the page on GitHub (for example for CXF:
>>>>> https://github.com/apache/cxf/security/dependabot) which shows the
>>>>> list of dependencies for the project with known CVEs.
>>>>>
>>>>> I plan to do the same for Camel on these repos:
>>>>>
>>>>> https://github.com/apache/camel
>>>>> https://github.com/apache/camel-karaf
>>>>> https://github.com/apache/camel-quarkus
>>>>> https://github.com/apache/camel-spring-boot
>>>>>
>>>>> Any objections or anything I'm missing? If not I'll proceed with enabling it.
>>>>
>>>> +1 from me, thanks Colm for looking into it, I keep seeing those on
>>>> push, but I can't access the /security/dependabot page so this will be
>>>> very helpful.
>>>>
>>>> zoran
>>>> --
>>>> Zoran Regvart
>>>
>>>
>>>
>>> --
>>> Otavio R. Piske
>>> http://orpiske.net

Re: Dependabot alerts

Posted by Colm O hEigeartaigh <co...@apache.org>.
https://issues.apache.org/jira/browse/INFRA-22830

Colm.

On Thu, Feb 3, 2022 at 2:06 PM Colm O hEigeartaigh <co...@apache.org> wrote:
>
> Yes exactly, you can't see the CXF alerts (actually they are all
> fixed) because you aren't a committer there.
>
> Colm.
>
> On Thu, Feb 3, 2022 at 1:31 PM Otavio Rodolfo Piske
> <an...@gmail.com> wrote:
> >
> > Hi,
> >
> > Thanks for looking into this!
> >
> > +1 from me. I also couldn't see the ones from CXF, but I presume we should expect to see a report like this [1], right?
> >
> > 1. https://nftb.saturdaymp.com/today-i-learned-about-githubs-dependabot/
> >
> > On Thu, Feb 3, 2022 at 1:31 PM Zoran Regvart <zo...@regvart.com> wrote:
> >>
> >> Hi, Colm
> >>
> >> On Thu, Feb 3, 2022 at 1:02 PM Colm O hEigeartaigh <co...@apache.org> wrote:
> >> >
> >> > Hi,
> >> >
> >> > I've worked with INFRA to enable GitHub dependabot alerts for various
> >> > Apache projects. The idea is that the GitHub committers for a given
> >> > project can have access to the page on GitHub (for example for CXF:
> >> > https://github.com/apache/cxf/security/dependabot) which shows the
> >> > list of dependencies for the project with known CVEs.
> >> >
> >> > I plan to do the same for Camel on these repos:
> >> >
> >> > https://github.com/apache/camel
> >> > https://github.com/apache/camel-karaf
> >> > https://github.com/apache/camel-quarkus
> >> > https://github.com/apache/camel-spring-boot
> >> >
> >> > Any objections or anything I'm missing? If not I'll proceed with enabling it.
> >>
> >> +1 from me, thanks Colm for looking into it, I keep seeing those on
> >> push, but I can't access the /security/dependabot page so this will be
> >> very helpful.
> >>
> >> zoran
> >> --
> >> Zoran Regvart
> >
> >
> >
> > --
> > Otavio R. Piske
> > http://orpiske.net

Re: Dependabot alerts

Posted by Colm O hEigeartaigh <co...@apache.org>.
Yes exactly, you can't see the CXF alerts (actually they are all
fixed) because you aren't a committer there.

Colm.

On Thu, Feb 3, 2022 at 1:31 PM Otavio Rodolfo Piske
<an...@gmail.com> wrote:
>
> Hi,
>
> Thanks for looking into this!
>
> +1 from me. I also couldn't see the ones from CXF, but I presume we should expect to see a report like this [1], right?
>
> 1. https://nftb.saturdaymp.com/today-i-learned-about-githubs-dependabot/
>
> On Thu, Feb 3, 2022 at 1:31 PM Zoran Regvart <zo...@regvart.com> wrote:
>>
>> Hi, Colm
>>
>> On Thu, Feb 3, 2022 at 1:02 PM Colm O hEigeartaigh <co...@apache.org> wrote:
>> >
>> > Hi,
>> >
>> > I've worked with INFRA to enable GitHub dependabot alerts for various
>> > Apache projects. The idea is that the GitHub committers for a given
>> > project can have access to the page on GitHub (for example for CXF:
>> > https://github.com/apache/cxf/security/dependabot) which shows the
>> > list of dependencies for the project with known CVEs.
>> >
>> > I plan to do the same for Camel on these repos:
>> >
>> > https://github.com/apache/camel
>> > https://github.com/apache/camel-karaf
>> > https://github.com/apache/camel-quarkus
>> > https://github.com/apache/camel-spring-boot
>> >
>> > Any objections or anything I'm missing? If not I'll proceed with enabling it.
>>
>> +1 from me, thanks Colm for looking into it, I keep seeing those on
>> push, but I can't access the /security/dependabot page so this will be
>> very helpful.
>>
>> zoran
>> --
>> Zoran Regvart
>
>
>
> --
> Otavio R. Piske
> http://orpiske.net

Re: Dependabot alerts

Posted by Otavio Rodolfo Piske <an...@gmail.com>.
Hi,

Thanks for looking into this!

+1 from me. I also couldn't see the ones from CXF, but I presume we should
expect to see a report like this [1], right?

1. https://nftb.saturdaymp.com/today-i-learned-about-githubs-dependabot/

On Thu, Feb 3, 2022 at 1:31 PM Zoran Regvart <zo...@regvart.com> wrote:

> Hi, Colm
>
> On Thu, Feb 3, 2022 at 1:02 PM Colm O hEigeartaigh <co...@apache.org>
> wrote:
> >
> > Hi,
> >
> > I've worked with INFRA to enable GitHub dependabot alerts for various
> > Apache projects. The idea is that the GitHub committers for a given
> > project can have access to the page on GitHub (for example for CXF:
> > https://github.com/apache/cxf/security/dependabot) which shows the
> > list of dependencies for the project with known CVEs.
> >
> > I plan to do the same for Camel on these repos:
> >
> > https://github.com/apache/camel
> > https://github.com/apache/camel-karaf
> > https://github.com/apache/camel-quarkus
> > https://github.com/apache/camel-spring-boot
> >
> > Any objections or anything I'm missing? If not I'll proceed with
> enabling it.
>
> +1 from me, thanks Colm for looking into it, I keep seeing those on
> push, but I can't access the /security/dependabot page so this will be
> very helpful.
>
> zoran
> --
> Zoran Regvart
>


-- 
Otavio R. Piske
http://orpiske.net

Re: Dependabot alerts

Posted by Zoran Regvart <zo...@regvart.com>.
Hi, Colm

On Thu, Feb 3, 2022 at 1:02 PM Colm O hEigeartaigh <co...@apache.org> wrote:
>
> Hi,
>
> I've worked with INFRA to enable GitHub dependabot alerts for various
> Apache projects. The idea is that the GitHub committers for a given
> project can have access to the page on GitHub (for example for CXF:
> https://github.com/apache/cxf/security/dependabot) which shows the
> list of dependencies for the project with known CVEs.
>
> I plan to do the same for Camel on these repos:
>
> https://github.com/apache/camel
> https://github.com/apache/camel-karaf
> https://github.com/apache/camel-quarkus
> https://github.com/apache/camel-spring-boot
>
> Any objections or anything I'm missing? If not I'll proceed with enabling it.

+1 from me, thanks Colm for looking into it, I keep seeing those on
push, but I can't access the /security/dependabot page so this will be
very helpful.

zoran
-- 
Zoran Regvart