Re: [scout-dev] new PRs using StepSecurity
- From: Claudio Guglielmo <Claudio.Guglielmo@xxxxxxxxxxxxxxxx>
- Date: Thu, 1 Jun 2023 07:10:57 +0000
- Accept-language: de-CH, en-US
- Delivered-to: scout-dev@xxxxxxxxxxx
- List-archive: <https://www.eclipse.org/mailman/private/scout-dev/>
- List-help: <mailto:scout-dev-request@eclipse.org?subject=help>
- List-subscribe: <https://www.eclipse.org/mailman/listinfo/scout-dev>, <mailto:scout-dev-request@eclipse.org?subject=subscribe>
- List-unsubscribe: <https://www.eclipse.org/mailman/options/scout-dev>, <mailto:scout-dev-request@eclipse.org?subject=unsubscribe>
- Thread-topic: [scout-dev] new PRs using StepSecurity
Hi Francisco
I accepted your PRs but I realized it is not working as expected. I thought it would only create pull requests for dependencies that have security issues which are fixed in a new version. But it creates a PR if there is a new version of the dependency available, even if it is a new major version. It even creates false positives for our internal modules (e.g. https://github.com/eclipse-scout/scout.rt/pull/609). That version bump is just wrong. The bot created 54 (!) PRs for our https://github.com/eclipse-scout/scout.rt repository.
We are closing the PRs right now since we cannot just update dependencies without testing them thoroughly. We update the dependencies on a regular basis anyway, so I don't think we really need the help of a bot.
Is it possible to configure dependabot so that it works as expected? If not, I will have to revert your change.
Thank you
Claudio
From: scout-dev <scout-dev-bounces@xxxxxxxxxxx>
On behalf of Francisco Perez via scout-dev
Sent: Tuesday, 30 May 2023 12:08
To: scout-dev@xxxxxxxxxxx
Cc: Francisco Perez <francisco.perez@xxxxxxxxxxxxxxxxxxxxxx>
Subject: [scout-dev] new PRs using StepSecurity
Hi,
I am Francisco Perez, a member of the Eclipse Foundation security team.
I am writing to you because we have analyzed all the repositories in the GitHub organization https://github.com/eclipse-scout/ using Scorecard and we have found out some improvements could be made.
We will create an issue where we will summarize all the Security Best Practices identified and create PRs to help you with applying those Security Best Practices. You may see some of those PRs coming from StepSecurity as this is a tool we use to help us implement those fixes at scale.
The PR above will cover some or all of the following best practices:
Please don't hesitate and reach out if there is something unclear above.
Kind Regards,
Open Source Software Engineer | Eclipse Foundation
Attachment: smime.p7s (S/MIME cryptographic signature)
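The behaviour Claudio asks about (security-fix PRs only, no major bumps, no bumps of the project's own modules) is controlled by Dependabot's `.github/dependabot.yml`. The following is an added example configuration, not a file from the scout.rt repository or from the PRs in this thread; the Maven group id `org.eclipse.scout.rt` and the weekly schedule are assumptions for illustration.

```yaml
# .github/dependabot.yml (added example, not the project's own file)
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "weekly"   # assumed cadence; only matters if version updates are enabled
    # open-pull-requests-limit: 0 turns off *version* updates for this ecosystem.
    # Security updates (PRs for dependencies with a known advisory and a fixed
    # release) are a separate feature toggled in the repository's security
    # settings and keep working, which matches the behaviour the thread expected.
    open-pull-requests-limit: 0
    ignore:
      # Never propose a new major version; majors need a deliberate, tested migration.
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
      # The project's own modules are published from this repository; bumping them
      # from the registry produces the false positives described above.
      # Group id below is an assumption standing in for the real internal modules.
      - dependency-name: "org.eclipse.scout.rt:*"
```

If the team later wants version-update PRs again, raising `open-pull-requests-limit` re-enables them while the `ignore` rules still keep majors and internal modules out.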