
Dependency Licensing and Vulnerability Tracking #103

Closed
adamkrellenstein opened this issue Oct 31, 2023 · 9 comments

Comments

@adamkrellenstein
Collaborator

adamkrellenstein commented Oct 31, 2023

  • DependaBot
  • CodeQL analysis (complete? python only?)
  • Other code scanning?
@adamkrellenstein adamkrellenstein added this to the v1.0.0 milestone Oct 31, 2023
@adamkrellenstein adamkrellenstein changed the title Dependency Vulnerability Tracking Dependency Licensing and Vulnerability Tracking Oct 31, 2023
@adamkrellenstein adamkrellenstein modified the milestones: v1.0.0, v0.1.8 Nov 16, 2023
@ouziel-slama
Collaborator

for the record: https://geekflare.com/find-python-security-vulnerabilities/
bandit looks good!

@ouziel-slama
Collaborator

tested https://pypi.org/project/license-scanner/
works well like Bandit.

@adamkrellenstein
Collaborator Author

[Screenshot 2023-11-30 at 4:05:41 PM]

@ouziel-slama
Collaborator

see https://github.com/towercomputers/toweros/security/code-scanning?query=is%3Aopen+branch%3Adev

CodeQL, Bandit and Pylint are executed for the dev branch. All that is missing is the scanning of the licenses. @adamkrellenstein do we want a whitelist or a blacklist system for licenses?

@adamkrellenstein
Collaborator Author

Great! I think it should be a whitelist—we have relatively few dependencies.

@ouziel-slama
Collaborator

done!
here are the whitelists: https://github.com/towercomputers/toweros/blob/dev/tower-lib/pyproject.toml#L40-L58

and here is an example when neither the package nor its license is in one of the two whitelists.
https://github.com/towercomputers/toweros/security/code-scanning?query=is%3Aclosed+branch%3Adev
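The two-whitelist scheme described in the comment above (a list of permitted licenses plus a list of packages accepted regardless of license), as an added example that is not the toweros code; the allowlist contents, the sample packages and the classifier fallback in `license_of` are assumptions:

```python
import re
import sys
from email.message import Message
from importlib import metadata

# Constructed allowlists (in the real project these live in pyproject.toml).
# Classifier-derived names ("MIT License") differ from SPDX ids ("MIT"), so
# the allowlist carries whichever form the package metadata actually uses.
ALLOWED_LICENSES = {"MIT", "MIT License", "BSD-3-Clause", "Apache-2.0", "PSF-2.0"}
ALLOWED_PACKAGES = {"some-gpl-tool"}  # packages accepted regardless of license

def normalize(name):
    """PEP 503 name normalisation so 'Some_GPL.Tool' matches 'some-gpl-tool'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def license_of(md):
    """License field, else the last segment of the first 'License ::' classifier."""
    lic = (md.get("License") or "").strip()
    if not lic or lic.upper() == "UNKNOWN":
        for c in md.get_all("Classifier") or []:
            if c.startswith("License ::"):
                return c.split("::")[-1].strip()
    return lic

def fake_metadata(license_field, classifiers):
    """Offline stand-in for importlib.metadata's metadata mapping (constructed)."""
    md = Message()
    md["License"] = license_field
    for c in classifiers:
        md["Classifier"] = c  # Message appends repeated headers
    return md

def check(packages, allowed_licenses=ALLOWED_LICENSES,
          allowed_packages=ALLOWED_PACKAGES):
    """Return (package, license) pairs that appear in neither allowlist."""
    pkgs = {normalize(p) for p in allowed_packages}
    return sorted((p, lic) for p, lic in packages.items()
                  if lic not in allowed_licenses and normalize(p) not in pkgs)

def installed():
    """Collect name -> license for every distribution in this environment."""
    return {d.metadata["Name"]: license_of(d.metadata) for d in metadata.distributions()}

if __name__ == "__main__":
    bad = check(installed())
    for p, lic in bad:
        print(f"{p}: license {lic!r} is not allowlisted")
    sys.exit(1 if bad else 0)
```

A package with an empty or UNKNOWN license and no classifier is reported, since an unverifiable license should fail an allowlist rather than pass silently.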

@adamkrellenstein
Collaborator Author

Great!!!

@ouziel-slama
Collaborator

There is just a small problem with CodeQL which does not take into account this line: https://github.com/towercomputers/toweros/blob/dev/tower-lib/towerlib/provision.py#L153

See github/codeql#11427

That means we need to close this one manually in the GitHub UI: https://github.com/towercomputers/toweros/security/code-scanning?query=is%3Aopen+branch%3Adev

This should happen very rarely... I think there's no point in using a hack to solve the problem. @adamkrellenstein, if it's OK with you, I'll close this issue.

@adamkrellenstein
Collaborator Author

yep!
