This document will address Jira issue PLFM-6419.


Summary of Issue

GitHub provides the “Dependabot” service on our repositories, where a project’s dependencies will be scanned to see if any dependencies are vulnerable to known security issues. If a security issue is discovered, engineers with sufficient permissions will see an alert on the repository page, and may receive an email notification. If possible, Dependabot may also create a pull request.

Because the alerts are automated and based only on a project's dependency tree, a given security issue may not affect our products for various reasons. For example, we may not be using the vulnerable feature, or we may only pass restricted input to a dependency whose vulnerability can only be exploited with unrestricted input. Therefore, assessing the true risk of a security alert may require an investigation by an engineer to determine an appropriate response.

I’ve tried to collect current (Feb. 2022) stats on Dependabot in our repos, but this information may be incomplete:

Google Drive file: https://docs.google.com/spreadsheets/d/1t6vTv228FKZmKys8MU-x-Wr3envc7gnInCdVP8ed1MQ/edit#gid=0

Considerations

  • We have many active repositories, so it would be more valuable to see vulnerability alerts for multiple projects at once.

...

  • We would like to integrate the strategy into our existing SDLC cadences (e.g. addressing vulnerabilities at the weekly Stack Release Meeting), rather than sending additional notifications that could just be ignored.

  • It would be valuable for our approach to be easily adopted by other teams at Sage. Most of the technical approaches below could be easily modified to look at a different collection of repositories or specific GitHub team.

Proposals

I’ve proposed a few different options and summarized what I view to be the work required to accomplish the proposal. These are not detailed estimates and are subject to change.

...

  • GitHub App + granted permissions on Sage-Bionetworks GitHub Organization

  • Code to fetch and process vulnerability data on GitHub, create Jira issues

(https://blog.developer.atlassian.com/creating-a-jira-cloud-issue-in-a-single-rest-call/#:~:text=1 call is all it takes to create,through using Basic Auth with an API token.)
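Sketch of the fetch-and-process step above, as an added example that is not Sage code: it triages constructed alerts in the shape of GitHub's Dependabot alerts API and builds the body of the single Jira Cloud REST call the linked post describes. The repository names, GHSA ids and the project key "PROJ" are placeholders.

```python
# Added example (not Sage Bionetworks code). Assumptions not on the page: alerts
# have the shape of GitHub's GET /orgs/{org}/dependabot/alerts response, and each
# payload is the body of one Jira Cloud POST /rest/api/3/issue call.
import json

SEVERITY_ORDER = ["low", "medium", "high", "critical"]
JIRA_PRIORITY = {"low": "Low", "medium": "Medium", "high": "High", "critical": "Highest"}

def _alert(number, state, severity, repo, package, ghsa):
    """Constructed alert record in the GitHub API shape (sample data only)."""
    return {"number": number, "state": state, "repository": {"full_name": repo},
            "dependency": {"package": {"ecosystem": "maven", "name": package}},
            "security_advisory": {"ghsa_id": ghsa, "severity": severity,
                                  "summary": f"Constructed advisory for {package}"},
            "html_url": f"https://github.com/{repo}/security/dependabot/{number}"}

# Constructed sample: one actionable alert, one already dismissed, one below the bar.
SAMPLE_ALERTS = [
    _alert(7, "open", "high", "example-org/repo-a", "com.example:lib-a", "GHSA-xxxx-0000-0001"),
    _alert(8, "dismissed", "critical", "example-org/repo-a", "com.example:lib-b", "GHSA-xxxx-0000-0002"),
    _alert(9, "open", "low", "example-org/repo-b", "com.example:lib-c", "GHSA-xxxx-0000-0003"),
]

def triage_alerts(alerts, min_severity="high"):
    """Keep open alerts at or above min_severity; dismissed or fixed ones need no ticket."""
    floor = SEVERITY_ORDER.index(min_severity)
    return [a for a in alerts if a["state"] == "open"
            and SEVERITY_ORDER.index(a["security_advisory"]["severity"]) >= floor]

def jira_issue_payload(alert, project_key):
    """Body for one POST /rest/api/3/issue; the description must be Atlassian Document Format."""
    adv, pkg = alert["security_advisory"], alert["dependency"]["package"]
    repo = alert["repository"]["full_name"]
    text = (f"{adv['summary']} ({adv['ghsa_id']}). Package {pkg['name']} "
            f"[{pkg['ecosystem']}] in {repo}. Alert: {alert['html_url']}")
    return {"fields": {
        "project": {"key": project_key},
        "issuetype": {"name": "Bug"},
        "summary": f"[Dependabot] {adv['severity'].upper()} in {repo}: {pkg['name']}",
        "priority": {"name": JIRA_PRIORITY[adv["severity"]]},
        # The GHSA label lets a weekly run search Jira first and skip duplicates.
        "labels": ["dependabot", adv["ghsa_id"]],
        "description": {"type": "doc", "version": 1, "content": [
            {"type": "paragraph", "content": [{"type": "text", "text": text}]}]},
    }}

if __name__ == "__main__":  # "PROJ" is a placeholder key, not a real Sage project
    tickets = [jira_issue_payload(a, "PROJ") for a in triage_alerts(SAMPLE_ALERTS)]
    print(json.dumps(tickets, indent=2))
```

Fetching the alerts and posting the payloads are left to the caller, since both need organization-level GitHub App credentials and a Jira API token.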

Option 4: Manually Inspect Alerts at Regular Cadence

...