otp scan PRs for vulnerabilities #9790
Conversation
CT Test Results: 6 files, 205 suites, 2h 4m 50s. Results for commit 9c412cb. This comment has been updated with the latest results. To speed up review, make sure that you have read Contributing to Erlang/OTP and that all checks pass. See the TESTING and DEVELOPMENT HowTo guides for details about how to run tests locally. (Erlang/OTP GitHub Action Bot)
From what I can tell, only our GitHub Actions dependencies are scanned by this right now, is that correct? Will it in the future be able to use the information in the SBOM created in the job you are adding this step to? Or is this check only for GitHub Actions?
I think you are right @garazdawi.

I have tested that it works by manually hand-picking a previous commit that fixed a known vulnerability reported on GitHub repos.
The vendor vulnerability scanning now fails because I changed the vendor.json.
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
- perform vulnerability analysis on a pull request basis and on a scheduled basis.
- adds the option `osv-scan` to `otp-compliance.es` to submit requests to the OSV API.
- adds a hard-coded VEX filter to ignore CVEs for which OTP is not vulnerable, using the last three releases that we maintain.
- creation of a reusable GitHub workflow to allow direct calls (workflow_call) and gh triggering events (workflow_dispatch).
I have updated the scripts and this is the end result, using OSV for vulnerability scanning.
Tests that the downloadLocation of vendor dependencies is compatible with vulnerability scanning by OSV. The OSV scanner can detect and track vulnerabilities in the GitHub ecosystem, and we enforce that all vendor dependencies are part of GitHub, or we manually add an exemption for those that are outside of GH. Vendor dependencies do not change often, so this manual exemption process prevents us from breaking the OSV scanner by having it look into the wrong repo, which would mean missing possible vulnerabilities.
Download GH alerts for otp-compliance, so that it can download those existing issues and ignore them when the PR is scanned for vulnerability issues. Those issues should still be sent to GH, because otherwise GH considers them fixed. In the Alerts section of GH, we can mark them as fixed.
GH should fix actions/dependency-review-action#923 for us to get alerts about dependencies.
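Added example, not code from the OTP repository or its `otp-compliance.es` script: a Python sketch of the three checks described in the PR description and the two comments above, namely the downloadLocation gate with a manual exemption list, the OSV batch query body built from the GitHub-hosted entries, and the filter that drops advisories already covered by the VEX list or an open GitHub alert. The vendor entries, exemption list and advisory IDs are constructed, and the vendor.json layout is assumed.

```python
from urllib.parse import urlparse

# Constructed vendor entries. The field names follow SPDX (downloadLocation),
# but the real layout of OTP's vendor.json is assumed here, not copied from it.
VENDOR = [
    {"name": "zlib", "version": "1.3.1",
     "downloadLocation": "https://github.com/madler/zlib"},
    {"name": "ryu", "version": "v0.1",
     "downloadLocation": "git+https://github.com/ulfjack/ryu.git"},
    {"name": "pcre", "version": "8.45",
     "downloadLocation": "https://sourceforge.net/projects/pcre/"},
]
# Manually maintained exemptions for dependencies hosted outside GitHub (assumed list).
EXEMPT = {"pcre"}

def _repo_url(location: str) -> str:
    """Strip an SPDX 'git+' scheme prefix so the URL can be parsed normally."""
    return location.split("+", 1)[1] if location.startswith("git+") else location

def is_github_location(location: str) -> bool:
    """True only when the host is exactly github.com (look-alike hosts are rejected)."""
    return (urlparse(_repo_url(location)).hostname or "") == "github.com"

def check_download_locations(entries, exempt):
    """Names that OSV cannot track (not on GitHub) and that have no manual exemption."""
    return [e["name"] for e in entries
            if not is_github_location(e["downloadLocation"]) and e["name"] not in exempt]

def to_purl(entry) -> str:
    """Package URL for a GitHub-hosted entry, e.g. pkg:github/madler/zlib@1.3.1."""
    path = urlparse(_repo_url(entry["downloadLocation"])).path.strip("/")
    owner, repo = path.split("/")[:2]
    if repo.endswith(".git"):
        repo = repo[:-4]
    return f"pkg:github/{owner.lower()}/{repo.lower()}@{entry['version']}"

def osv_batch_query(entries) -> dict:
    """Request body for POST https://api.osv.dev/v1/querybatch (no network call is made)."""
    return {"queries": [{"package": {"purl": to_purl(e)}}
                        for e in entries if is_github_location(e["downloadLocation"])]}

def new_findings(osv_ids, vex_not_affected, open_gh_alerts):
    """Drop advisories covered by the VEX filter or already open as GitHub alerts."""
    return sorted(set(osv_ids) - set(vex_not_affected) - set(open_gh_alerts))
```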