Use GitHub SecurityVulnerabilities regardless of platform #6562
Comments
JamieMagee
added
the
priority-4-low
|
@rarkins as suggested in #8126: I wanted to give this feature a try, first I wanted to evaluate if that was easy to implement or not as I wasn't familiar at all with the Renovate code / workflow. The way it works currently is (as I understand it):
ProposalAn option would be to add the ability to configure a vulnerability-source that is not tightly coupled with a platform like it's the case today with GitHub. Platform-specific solution would still be available (GitLab can be added in the future for paying customers as their APIs are not available for free plans) but we'd have the the ability to add a source that is platform-agnostic like.
The avoid putting too much pressure on the vulnerability-source-API, the call would only happen at the end of the dependencies-extraction process for each package that needs to be updated (after all the constraints are applied). Limitations
Let me know if you have a better idea on how to implement that. |
|
After thinking a bit about this, with my current Renovate setup in mind (self-hosted, 50 repo, multiple languages); I don't think that doing and extra call per dependency to upgrade, and only for the supported package ecosystems would be considered abusing that much Github's APIs. What do you think @rarkins and @JamieMagee did you had anything else in mind ? |
|
Sorry, but I prefer still not to integrate this approach directly into Renovate. If you only take direct dependencies into account as is suggested (i.e. those which Renovate currently extracts) then you're going to miss the 80-90% of vulnerabilities that are transitive. Before too long someone would claim this is a design fault and want to merge a PR which also checks transitive dependencies, and at that point you'd need up to 10x the API queries to provide the equivalent of what you get with GitHub's native vulnerability scanning. An additional point: Renovate is already the biggest external consumer of the GitHub API, yet the API team have been great about it. If we were to increase our API consumption directly for the purposes of letting people on competing platforms utilize GitHub's vulnerability list, I think it would stretch the friendship too far. Until/unless GitHub add an API allowing for the bulk scanning of dependencies and it's clear that utilizing this for competing platforms is ok, I think we should defer this. |
rarkins
added
the
status:requirements
|
Here's an npm library I started writing to solve this issue. I haven't gotten around to integrating it with Renovate yet: https://github.com/JamieMagee/ghsa-offline |
|
@JamieMagee any plans to do it ? Or looking for help ? |
|
@xens I would like to do it, but I don't have time right now. If you're interested in implementing it soon, I can provide support. |
|
Yesterday's announcement makes this much easier to do now: https://github.blog/2022-02-22-github-advisory-database-now-open-to-community-contributions/ |
|
CVE support based on GitHub's advisory database would indeed be amazing :) |
JamieMagee
added
status:in-progress
|
After some further investigation, I am going to use Open Source Vulnerabilities' API instead. It's supported by Google and the Open Source Security Foundation, and collates vulnerability information from GitHub's security advisory database (as well as many other sources). The API is rate limited to 100 requests/minute (per IP address), but the data is updated once per day, so we can heavily cache it. Sources: |
JamieMagee
added
priority-3-medium
|
Are you sure? I'd thought that cloning and parsing the GitHub repo at start of a global run would have worked pretty well |
|
I wanted to go with Open Source Vulnerabilities (OSV) over GitHub Security Advisories (GHSA) because OSV is a superset of GHSA. Mapping the OSV schema to a relational database doesn't really make sense. SQLite can do document database-style queries, but not easily. Deferring all this to the OSV API makes this easier, at the cost of more API calls. I'll prototype an API client for now, and come back to using SQLite as a document database if it doesn't scale well. |
|
I found an offline document database1, with a mongo-like interface that I've based my experiment around. I've renamed my To anyone following this issue, this will not be a straightforward or quick change, because our current vulnerabilities implementation is very tightly coupled to the GitHub API. My approach will be to feature flag the functionality behind a (hidden) configuration value so I can work in parallel and not break any existing functionality. Footnotes |
|
@JamieMagee any updates here? We're very interested in this -- is there any other ways we can help here (besides google/osv.dev#321 which is wrapping up)? |
|
Thanks @oliverchang. I was out sick last week, so haven't had a chance to check out your new bulk API yet, but will do soon. |
|
@JamieMagee Any updates regarding this feature? Will it be possible to receive vulnerability alerts on a self-hosted GitLab instance in a similar way as it is possible today on GitHub once this feature is merged? |
|
Unfortunately, no meaningful update yet. I've been busy with other things and haven't had time to dedicate to the open PR recently. The intention is to bring vulnerability alerts to GitLab, similar to GitHub though. |
|
Could you consider adding SecurityVulnerabilities alerts for Azure DevOps GIT repositories please ? |
|
Hi @JamieMagee I don't know if it could be used inside Renovate, but Google released a tool called osv-scanner that basically do most of the parts of this feature, by taking a package file and scanning it based on https://osv.dev And, by the way, as me and my company are interested in this feature, if you need help, I can take a look and try to help :D |
|
@Lowaiz Jamie have implement use of OSV in this PR: #15159 |
|
Resolved in #20226 |
What would you like Renovate to be able to do?
Currently Renovate uses the RepositoryVulnerabilityAlert API to retrieve vulnerability alerts. However, this requires a repository to be hosted on GitHub. Instead, we could use the SecurityAdvisory API to retrieve vulnerability alerts. This would be portable to other platforms (GitLab, Azure DevOps, Gitea, etc.) as long as a GitHub token is available. Similar to how changelog retrieval works today.
Describe the solution you'd like
Regardless of which platform I'm using, I would like to be able to consume GitHub security vulnerability alerts.
Here's a sample request and response.
Example GraphQL request
{ securityVulnerabilities(first: 10, package: "axios", ecosystem: NPM, orderBy: {field: UPDATED_AT, direction: DESC}) { totalCount edges { node { advisory { ghsaId publishedAt summary references { url } } firstPatchedVersion { identifier } package { ecosystem name } severity updatedAt vulnerableVersionRange } } } }Example GraphQL response
{ "data": { "securityVulnerabilities": { "totalCount": 1, "edges": [ { "node": { "advisory": { "ghsaId": "GHSA-42xw-2xvc-qx8m", "publishedAt": "2019-05-29T18:04:45Z", "summary": "High severity vulnerability that affects axios", "references": [ { "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10742" }, { "url": "https://github.com/advisories/GHSA-42xw-2xvc-qx8m" } ] }, "firstPatchedVersion": { "identifier": "0.18.1" }, "package": { "ecosystem": "NPM", "name": "axios" }, "severity": "HIGH", "updatedAt": "2019-06-05T16:22:11Z", "vulnerableVersionRange": "<= 0.18.0" } } ] } } }Describe alternatives you've considered
Use each platform's specific API for being notified of security vulnerabilities in dependencies. For example, GitLab has the Security Findings API. However, this is an alpha API, and only available in GitLab Ultimate. Also, other platforms (Azure DevOps, Gitea, BitBucket) don't provide a similar API.
Additional context
The text was updated successfully, but these errors were encountered: