Replies: 28 comments
- here you can find a blog post with the announcement of the availability of automatic code scanning for security
- @hpvd thank you for reporting this. We will consider it in our future releases.
- A new GitHub feature which may also lead to some kind of "security routine" when merging pull requests was presented at GitHub Universe 2020: "Dependency Review":
https://github.blog/2020-12-08-new-from-universe-2020-dark-mode-github-sponsors-for-companies-and-more/
- These points could possibly be classified as "low-hanging fruits" in the field of security (at least if they work as expected and there are not too many false-positive findings introduced...)
- as a last point on this topic: it may also be interesting to give GitHub's "super linter" a try and let it check the whole project on every release or on every pull via a GitHub Action...
- We use the dependency-check-maven Maven plugin to automate CVE checks against an updated DB on used dependencies within the build process. It is pretty straightforward.
- Cool @fmiguelez, would you please push a PR to enable this great plugin? Also, this should be checked in the CI to avoid introducing some known CVE issues.
- Hello guys, we try to certify Pulsar according to a few security standards. This makes our effort to certify Pulsar for a highly secured production environment a "bit" complicated 😞 On the other hand, there is the open issue about automated security scanning. Any chance to move this issue forward or at least to upgrade the outdated libraries with high risk?
- many thanks @alexku7 for describing your findings and view in detail, including the concrete consequence.
- -> Could there be better advertising for Pulsar's awesome quality than being used directly by people and companies working in highly secured fields?? :-)
- Yeah, these code / dependency / image scanners are pretty harsh, but several of our own customers want security reports of all dependent software, so any effort to minimize these issues in Pulsar - especially if it's in a maintenance release, e.g.
- Of course we have also seen the major work in the fields of security and code quality in the past months
-> this is pretty awesome, and important.
- @alexku7 I would be happy to see the statistics when scanning the upcoming v2.8 with the same tool (WhiteSource)!
- Sure :) no problem
- There's now #10855 to add a scheduled OWASP Dependency Check to scan library vulnerabilities once per day.
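The three ideas raised above (the dependency-check-maven plugin, running it as a CI gate on pull requests, and a once-per-day scheduled scan) fit into a single GitHub Actions workflow. The following is an added example written for this thread; it is not the workflow from #10855 nor anything in the Pulsar repository. It assumes a Maven multi-module build on Java 17, the plugin's documented `failBuildOnCVSS` and `nvdApiKey` user properties, and an NVD API key stored as a repository secret named `NVD_API_KEY` (a name chosen here).

```yaml
# Added example, not from the Pulsar repository or this thread: run the
# OWASP dependency-check-maven plugin once per day and on pull requests,
# and fail the job when a dependency has a known CVE with CVSS >= 7.
# Assumptions: a Maven multi-module build on Java 17, and an NVD API key
# stored as the repository secret NVD_API_KEY (name chosen here).
name: owasp-dependency-check
on:
  schedule:
    - cron: "0 3 * * *"      # daily at 03:00 UTC
  pull_request:
    paths:
      - "**/pom.xml"          # PRs that touch dependency declarations
permissions:
  contents: read

jobs:
  dependency-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: "17"
          cache: maven

      # The plugin keeps its NVD database inside the local Maven repository;
      # caching it keeps each run to an incremental update, not a full download.
      - uses: actions/cache@v4
        with:
          path: ~/.m2/repository/org/owasp/dependency-check-data
          key: dependency-check-data-${{ github.run_id }}
          restore-keys: dependency-check-data-

      # 'aggregate' scans every module in one pass; failBuildOnCVSS=7 turns
      # HIGH and CRITICAL findings into a failed job, which blocks a PR merge.
      - name: Run OWASP Dependency Check
        run: >
          mvn -B -ntp org.owasp:dependency-check-maven:aggregate
          -DfailBuildOnCVSS=7
          -DnvdApiKey=${{ secrets.NVD_API_KEY }}

      # Keep the HTML report even when the scan fails so findings can be triaged.
      - uses: actions/upload-artifact@v4
        if: always()
        with:
          name: dependency-check-report
          path: target/dependency-check-report.html
```

Findings that are reviewed and judged not applicable should be recorded in a suppression file with a reason, rather than by lowering the CVSS threshold, so the gate keeps its meaning over time.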
- @lhotari this is great news! Thanks so much!
- awesome ;-)
- The results of the scheduled OWASP Dependency Check scans can be found here:
- just another topic for optimizing code quality and security further: -> with the latest possibilities of integration into the CI process, this is now relatively easy to use but powerful
- just learned about GitHub's dependency graph.
dependency graph for pulsar: https://github.com/apache/pulsar/network/dependencies
- just to have a first impression without having to leave this issue:
- With this high number of dependencies of all kinds and different ages => Is it enough (or at least the best thing we could do at this time)
-> a) Or is there a big risk of sacrificing security, performance and bug-freeness we didn't see yet
-> b) How can we be sure that every dependency, introduced several years ago, is still in use / really needed in today's Pulsar?
- just to show the numbers are constantly growing (yes, this is no statistic ;-) only good to transport the feeling...)
- Very good questions. @nicoloboschi and @dlg99 from DataStax have been contributing many changes to address vulnerable library versions. DataStax has bought a license for Sonatype IQ Server and also scans Apache Pulsar frequently. Another aspect of Software Supply Chain security is build reproducibility: are the built artifacts built from the source code they claim to be built from? For Java projects, there's more information at https://reproducible-builds.org/docs/jvm/ and https://github.com/jvm-repo-rebuild/reproducible-central . It would be good to get Apache Pulsar into the Reproducible Builds program. Reproducible Builds have been discussed a few times. @hpvd Since the mailing list is the main channel for making major decisions in Apache projects, it would be useful to bring up your improvement suggestions to the Apache Pulsar community. dev@pulsar.apache.org would be a good list to have this discussion on. Mailing list details are at https://pulsar.apache.org/en/contact/ .
- many thanks for your answer, additional details and advice! Will bring some points to the list within the next weeks... btw: does anybody look at Pulsar with a tool like JArchitect to keep a good overview of dependencies, dependency graphs etc.?
edit: deactivated active link
- another interesting topic in this field of automatic security scanning:
- just to visualize/summarize the current state: okay, a (very) few less if
for details see #18348
- Moved to the open-ended discussion forum. I suggest you send patches directly, and the maintainers will be glad to review them. Keep requesting helps little: open-source software grows with contributions.
- Is your enhancement request related to a problem? Please describe.
To get the most out of every release regarding security, performance and "bug-freeness", it may be a good idea to make reasonable updating of dependencies a good routine before every release.
Describe the solution you'd like
what would help (if not already used):
-> if possible, a bot should automatically open an issue to fix these findings / update the dependencies as soon as fixes are available
-> before every release one should look at this table and update all (most) dependencies to their latest version (or note a hint why this is not possible at this time (e.g. incompatible changes))
-> of course one could automate opening update issues as well, but these may result in too many intermediate steps between releases