
Use vet to Implement Safe Consumption of OSS Components for vet #56

Open
abhisek opened this issue Apr 9, 2023 · 2 comments
Labels
good first issue Good for newcomers help wanted Extra attention is needed

Comments

abhisek (Member) commented Apr 9, 2023

Dogfood vet :)

Set up a vetting workflow for this repository using vet. This should include creating an appropriate policy, an exceptions configuration and a GitHub action that runs on PRs to identify issues.

@abhisek abhisek added good first issue Good for newcomers help wanted Extra attention is needed labels Apr 9, 2023
ibilalkayy commented

Can you guide me further about this? I didn't get what you mean.

abhisek (Member, Author) commented Apr 10, 2023

@ibilalkayy Thanks for looking at this issue.

From docs.safedep.io:

vet is a tool for identifying risks in open source software supply chain. It helps engineering and security teams to identify potential issues in their open source dependencies and evaluate them against organizational policies.

The purpose of this issue is to use vet to safeguard against risky dependencies being used in vet. For this, I would consider:

  1. Scan vet source code (this repository) with vet (You can ignore docs/)
  2. Create an appropriate filter suite or just re-use one from ./samples
  3. Verify if there are policy failures (--filter-fail while scanning)
  4. Create an exceptions file to backlog the issues for a time window (refer: https://docs.safedep.io/advanced/exceptions)
  5. Create a GitHub action to invoke vet to scan on PR with filter suite and exception configuration

Have a look at the example here:

safedep/demo-client-java#2
https://github.com/safedep/demo-client-java/blob/main/.github/workflows/vet.yml

p.s.: We have a Discord where you can hang out with the devs: https://rebrand.ly/safedep-community
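The five steps above describe one CI setup: scan the repository, apply a filter suite, fail on policy violations, and carry time-boxed exceptions. The workflow below is an added example of how those pieces fit together in a GitHub Actions job; it is not the workflow from safedep/demo-client-java or anything from the vet repository. Only `--filter-fail` appears on this page; the `go install` path, the `-D`, `--lockfiles`, `--filter-suite` and `--exceptions` flags, and the file paths under `.github/vet/` are assumptions to check against the vet documentation before use.

```yaml
# Added example workflow, not the project's own .github/workflows/vet.yml.
# Assumptions (verify against vet's docs): vet installs via `go install`,
# and `vet scan` accepts --lockfiles, --filter-suite, --exceptions and
# --filter-fail (--filter-fail is the only flag named in the issue).
name: vet

on:
  pull_request:
  push:
    branches: [main]

# Least privilege: the scan only needs to read the checked-out tree.
permissions:
  contents: read

jobs:
  vet:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - uses: actions/setup-go@v4
        with:
          go-version: '1.20'

      - name: Install vet
        run: go install github.com/safedep/vet@latest

      # Scanning only go.mod (assumed --lockfiles flag) keeps docs/ out of
      # scope, as step 1 of the issue asks. The filter suite is the policy,
      # the exceptions file is the time-boxed backlog from step 4, and
      # --filter-fail turns a policy violation into a failed PR check.
      # If vet needs an API key for its insights service, pass it from a
      # repository secret as an env var rather than committing it here.
      - name: Scan dependencies against policy
        run: |
          vet scan --lockfiles go.mod \
            --filter-suite .github/vet/filter-suite.yml \
            --exceptions .github/vet/exceptions.yml \
            --filter-fail
```

Keeping the filter suite and exceptions file in the repository means every relaxation of policy goes through the same PR review as code, and the expiry on each exception (see the exceptions docs linked above) prevents a temporary allowance from silently becoming permanent.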
