This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
Automated security and update routine before every release #8815
Comments
hpvd
added
the
type/enhancement
hpvd
changed the title
|
here you can find a blog post with the anoucement of the availability of automatic code scanning for security |
|
@hpvd thank you for reporting this. We will consider it in our future releases. |
|
A new GitHub feature which may also lead to some kind of "security routine" when merging pull requests, was presented at GitHub Universe 2020: "Dependency Review" :
https://github.blog/2020-12-08-new-from-universe-2020-dark-mode-github-sponsors-for-companies-and-more/ |
|
These points could possibly be classified as "low-hanging fruits" in the field of security (at least if they work as expected and there are not to many false positive findings introduced...) |
|
as a last point to this topic: it may be also interesting to give GitHub's "super linter" a try and let it check the hole project on every release or on every pull via GitHub action... |
|
We use dependency-check-maven Maven Plugin to automate CVE checks against updated DB on used dependencies within build process. It is pretty straightforward. |
|
Cool @fmiguelez Would you please push a PR to enable this great plugin? Also, this should be check in the CI to avoid introduce some known CVE issues. |
|
Hello guys We try to certify the pulsar according the few security standards . It's "bit" makes our effort to certify the pulsar for the highly secured production environment to be complicated 😞 On the other hand , there is the opened issue about automated security scanning. Any change to move this issue forward or at least t upgrade the outdated libraries with high risk? |
|
many thanks @alexku7 for describing your findings and view in details including the concrete consequence. |
|
-> Could there be a better advertising for pulsars' awesome quality, than being used directly by people and companies working in highly secured fields ?? :-) |
|
Yeah these code / dependency / image scanners are pretty harsh but several of our own customers want security reports of all dependent software so any effort to minimize these issues in Pulsar - especially if it's in a maintenance release e.g. |
|
Of course we have also seen, the major work in fields of security and code quality in the past months
-> this is pretty awesome, and important. |
|
@alexku7 would be happy to see the statistics when scanning upcoming v2.8 with same tool (white source)! |
Sure :) no problem |
|
There's now #10855 to add a scheduled OWASP Dependency Check to scan library vulnerabilities once per day. |
|
@lhotari this is great news! Thanks so much! |
|
awesome ;-) |
|
The results of the scheduled OWASP Dependency Check scans can be found here: |
|
just another topic for optimizing code quality and security further: -> with the latest possibilities of integration CI process, this is now relatively easy to use but powerful |
|
just learned about the github's dependency graph.
dependency graph for pulsar: https://github.com/apache/pulsar/network/dependencies |
|
just to have a first impression without having to leave this issue:
|
|
With this high number of dependencies of all kinds and different ages => Is it enough (or a least the best thing we could do at this time) -> a) Or is there a big risk of sacrificing security, performance and bug-freeness we didn't see yet -> b) How can we be sure that every dependency, introduced several years ago, is still in use / really needed in todays pulsar? |
|
just to show numbers are constantly growing (yes this is no statistic ;-) only good to transport the feeling...)
|
Very good questions. @nicoloboschi and @dlg99 from DataStax have been contributing many changes to address vulnerable library versions. DataStax has bought a license for Sonatype IQ Server and scans also Apache Pulsar frequently. Another aspect in the Software Supply Chain security is the build reproducibility: are the built artifacts built from the source code that it claims to be built from. For Java projects, there's more information in https://reproducible-builds.org/docs/jvm/ and https://github.com/jvm-repo-rebuild/reproducible-central . It would be good to get Apache Pulsar as part of the Reproducible Builds program. Reproducible Builds have been discussed a few times. @hpvd Since the mailing list is the main channel for making major decisions in Apache projects, it would be useful to bring up your improvement suggestions to the Apache Pulsar community. dev@pulsar.apache.org would be a good list to have this discussion. Mailing list details are at https://pulsar.apache.org/en/contact/ . |
|
many thanks for your answer, additional details and advice! Will bring some points to the list within the next weeks... btw: does anybody look on pulsar with a tool like jarchitect to keep a good overview over dependencies? dependency graphs etc
edit: deactivated active link |
|
another interesting topic in this field of automatic security scanning: |
|
just to visualize/summarize the current state: okay, a (very) few less if
for details see #18348 |
|
Moved to the open-ended discussion forum. I suggest you directly send patches and the maintainers will be glad to review them. Keep requesting helps little: Open-source software grows with contributions. |
This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
Is your enhancement request related to a problem? Please describe.
To get the most out of every release regarding security, performance and "bug-freeness" it may be a good idea to make reasonable updating of dependencies a good routine before every release.
Describe the solution you'd like
what would help (if not already used):
-> if possible a bot automatically should open an issue to fix these findings / update the dependencies as soon as fixes are available
-> before every release one should look at this table and update all (most) dependencies to their latest version (or note a hint why this is not possible at this time (e.g. incompatible changes)
-> of course one could automate open update issues as well, but these may result for too many intermediate steps between releases
The text was updated successfully, but these errors were encountered: