Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Monitor release branches for new security vulnerabilities #317

Open
jmbowman opened this issue Oct 18, 2023 · 6 comments
Open

Monitor release branches for new security vulnerabilities #317

jmbowman opened this issue Oct 18, 2023 · 6 comments
Assignees
Labels
question Further information is requested security Relates to improving to the security posture of the platform
Milestone

Comments

@jmbowman
Copy link
Contributor

jmbowman commented Oct 18, 2023

The main development branches of most/all Open edX repositories currently get Dependabot warnings from GitHub when a security vulnerability is announced that impacts the version in use of any of their dependencies. But this feature currently can't be extended to additional branches, such as the named release branches that we support for 6+ months each; even Microsoft (which now owns GitHub) wants this feature but can't currently do it. So we'll need to use a different security vulnerability scanner for release branches. An incomplete list of candidates:

  • Bolt - free, but only seems to update results on new code pushes? Documentation
  • Snyk - seems very full featured, free open source plan has a cap of 200 "tests" per month
  • Probably many others
@mariajgrimaldi mariajgrimaldi added the question Further information is requested label Oct 24, 2023
@mariajgrimaldi
Copy link
Member

Thanks for the issue! I'll tag our security patcher @magajh. Can we contact the security WG so they can chime in the conversation?

@magajh
Copy link

magajh commented Oct 25, 2023

Using an external tool to monitor security vulnerabilities seems to be the best alternative to keep all dependencies updated with the latest security patches. I'll look into and compare the different security vulnerability scanners so we can make a better decision on which one would be the best fit for us.

I'm going to self-assign this to keep things moving. Thanks @jmbowman @mariajgrimaldi!

@magajh magajh added the security Relates to improving to the security posture of the platform label Oct 25, 2023
@magajh magajh self-assigned this Oct 25, 2023
@magajh
Copy link

magajh commented Oct 25, 2023

@terra-conq
Copy link

I have worked extensively in SCA and SAST can help in this

@mariajgrimaldi
Copy link
Member

Hi @terra-conq, thank you so much! So you can help, you can reach out to the security WG on Slack -- or how you prefer: https://openedx.atlassian.net/wiki/spaces/COMM/pages/3624108053/Security+Working+Group

@mariajgrimaldi
Copy link
Member

Hi, @magajh. Could you provide an update on this issue? I'm not sure whether this was done or it's still a work in progress.

@mariajgrimaldi mariajgrimaldi modified the milestones: Redwood.3, Sumac.2 Dec 17, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
question Further information is requested security Relates to improving to the security posture of the platform
Projects
Status: Backlog
Status: In Progress
Development

No branches or pull requests

4 participants