From 40cd9f0ec2a285e5c5cf32ef3b7cae51ef212f71 Mon Sep 17 00:00:00 2001 From: Arnout Engelen Date: Wed, 10 Jul 2024 16:13:42 +0200 Subject: [PATCH] chore: dependency-submission: skip test scope Currently, dependency-submission would submit all dependencies to https://github.com/apache/pekko/security/dependabot , including test dependencies. We then added explicit dependencies to the build to squash warnings about outdated test dependencies (#1181, #1313 and #1344). With version 3, sbt-dependency-submission now supports ignoring scopes. This PR proposes to ignore the test scope, and remove the explicit dependencies from the build. Of course, we want our developers to be secure as much as our users. From that perspective you could say we'd want to remove 'insecure' dependencies even from the test scope. In practice, however, I think it's really unlikely that a vulnerability in a test scope dependency would lead to a realistic attack on a developer. For that reason, I think ignoring this scope for dependency-submission and keeping the old dependencies in the build removes some development friction, which balances out the risk of testing with outdated dependencies. If there'd be a 'malicious' dependency out there, I expect we'd learn about it through other channels. (do we need to request sbt-dependency-submission@v3 to be whitelisted at Infra?) --- .github/workflows/dependency-graph.yml | 4 +++- project/Dependencies.scala | 14 +------------- 2 files changed, 4 insertions(+), 14 deletions(-) diff --git a/.github/workflows/dependency-graph.yml b/.github/workflows/dependency-graph.yml index b1b393267da..8277e92fda4 100644 --- a/.github/workflows/dependency-graph.yml +++ b/.github/workflows/dependency-graph.yml @@ -16,4 +16,6 @@ jobs: contents: write steps: - uses: actions/checkout@v4 - - uses: scalacenter/sbt-dependency-submission@v2 + - uses: scalacenter/sbt-dependency-submission@v3 + with: + configs-ignore: test diff --git a/project/Dependencies.scala b/project/Dependencies.scala index 1520220f1f1..d5f788459d3 100644 --- a/project/Dependencies.scala +++ b/project/Dependencies.scala @@ -34,7 +34,6 @@ object Dependencies { // needs to be inline with the aeron version, check // https://github.com/real-logic/aeron/blob/1.x.y/build.gradle val agronaVersion = "1.21.1" - val bouncyCastleVersion = "1.78.1" val nettyVersion = "4.1.112.Final" val logbackVersion = "1.3.14" @@ -119,13 +118,8 @@ object Dependencies { } object TestDependencies { - val bcprov = "org.bouncycastle" % "bcprov-jdk18on" % bouncyCastleVersion % Test - val bcpkix = "org.bouncycastle" % "bcpkix-jdk18on" % bouncyCastleVersion % Test - val bcutil = "org.bouncycastle" % "bcutil-jdk18on" % bouncyCastleVersion % Test val commonsIo = "commons-io" % "commons-io" % "2.16.1" % Test val commonsCodec = "commons-codec" % "commons-codec" % "1.17.1" % Test - val commonsCompress = "org.apache.commons" % "commons-compress" % "1.26.2" % Test - val guava = "com.google.guava" % "guava" % "33.2.1-jre" % Test val junit = "junit" % "junit" % junitVersion % Test val junit5 = "org.junit.jupiter" % "junit-jupiter-engine" % junit5Version % Test val httpClient = "org.apache.httpcomponents" % "httpclient" % "4.5.14" % Test @@ -150,16 +144,10 @@ object Dependencies { // in-memory filesystem for file related tests val jimfs = "com.google.jimfs" % "jimfs" % "1.3.0" % Test - // the extra dependency overrides for bcprov, commonsCompress and guava should be reviewed - https://github.com/apache/pekko/issues/1317 val dockerClientVersion = "3.4.0" val dockerClient = Seq( "com.github.docker-java" % "docker-java-core" % dockerClientVersion % Test, - "com.github.docker-java" % "docker-java-transport-httpclient5" % dockerClientVersion % Test, - TestDependencies.bcprov, - TestDependencies.bcpkix, - TestDependencies.bcutil, - TestDependencies.commonsCompress, - TestDependencies.guava) + "com.github.docker-java" % "docker-java-transport-httpclient5" % dockerClientVersion % Test) val jackson = Seq( jacksonCore % Test,