Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Create dependency-review.yml #850

Merged
merged 7 commits into from Jan 6, 2024
Merged

Create dependency-review.yml #850

merged 7 commits into from Jan 6, 2024

Conversation

auvipy
Copy link
Contributor

@auvipy auvipy commented May 18, 2023

No description provided.

@JonathanHuot JonathanHuot added this to the 3.3.0 milestone Aug 24, 2023
@cclauss
Copy link
Contributor

cclauss commented Aug 24, 2023
edited

I have been trying this out on several Python projects and am unable to get this Action to fail. lint-python is currently running https://pypi.org/project/safety which fails on known vulnerabilities (like earlier versions of setuptools in #854).

Is there a Python dependency that we could add to this project that will prove that this Action can actually fail?

@auvipy auvipy marked this pull request as ready for review August 27, 2023 06:45
auvipy
auvipy commented Aug 27, 2023
View reviewed changes
Copy link
Contributor Author

@auvipy auvipy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we can merge this as Dependency Review / dependency-review (pull_request) is passing and working

@cclauss
Copy link
Contributor

cclauss commented Aug 27, 2023
edited

we can merge this as Dependency Review / dependency-review (pull_request) is passing

The failing lint_python test does not worry me. It fails because safety found the CVE-2022-40897 vulnerability in setuptools which was fixed in:

Why does dependency-review not find this CVE-2022-40897 vulnerability?

As stated above, my worry is that there is no proof that dependency-review can ever fail on a Python project.

@JonathanHuot
Copy link
Member

When the setuptools version is added in requirements.txt, it is detecting it correctly and merging is blocked.
capture

Note that different lang has different checks, according to https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph#supported-package-ecosystems

I suppose it becomes trickier when dependencies are installed in GitHub Actions without versions, as the Dependency API won't have a way to check changes..

I think we're good to proceed even tho it seems a duplicate of safety check which is also running it.

JonathanHuot and others added 3 commits December 22, 2023 23:32
@JonathanHuot
Revert "Trigger security check failure"
7e3462c 
This reverts commit e4ffc08.
@JonathanHuot
Revert "Add dependency with CVE to trigger security check"
dbda1ea 
This reverts commit dcbcbef.
@JonathanHuot @cclauss
Bump actions/checkout
b80f6b5 
Co-authored-by: Christian Clauss <cclauss@me.com>
@JonathanHuot JonathanHuot merged commit 2057735 into master Jan 6, 2024
7 of 12 checks passed
@cclauss
Copy link
Contributor

cclauss commented Jan 6, 2024

#871 fixes some of the remaining issues.

@auvipy auvipy deleted the deprev branch January 9, 2024 08:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cclauss cclauss cclauss left review comments

@JonathanHuot JonathanHuot Awaiting requested review from JonathanHuot

Assignees
No one assigned
Labels
Feature
Projects
None yet
Milestone
3.3.0
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@auvipy @cclauss @JonathanHuot