stable

Closes request #31123: Automate scanning for known vulnerabilities in dependencies

This contribution introduces a new Jenkins pipeline that will be executed once a day. Developers can execute the same thing locally with `make scan-vuln-deps`. It uses the recently introduced OSV-Scanner [0][1]. The PHP, JS, Go and Rust dependencies are covered. Nix derivations could be covered in the future by creating an SBOM for them (but note that for "new" tools/services we are using the package manager associated with the language anyway).

The goals are to:

* give the whole dev team the possibility to participate in the triage or at least be aware of it
* have a better view of the state of our dependency tree
* force a response when a vulnerability is discovered in our dependency tree even if it is "ignore it for now"
* see how noisy it is day-to-day

This approach has shortcomings (ignored vulns are not scoped by sub-packages, it does not give a centralized view across the supported Tuleap versions...) but it requires little to no additional infrastructure and it is still better than what we currently have. Deploying tools like Dependency-Track [2] could be considered later on, but the work done here will not be wasted anyway (even more so since they started using the OSV.dev database).

[0] https://security.googleblog.com/2022/12/announcing-osv-scanner-vulnerability.html
[1] https://github.com/google/osv-scanner
[2] https://dependencytrack.org/

Change-Id: I4fee861bbd591e385cfe3f9dfe7006c4adeff7da
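The triage model the message describes (daily scan, an ignore list that is not scoped per package, and a forced response for anything not ignored) can be post-processed from the scanner's JSON output. The script below is an added example, not part of this change or of Tuleap; the scan output and the ignore entries are constructed, and the `id` / `reason` / `ignoreUntil` keys are assumed to mirror the `[[IgnoredVulns]]` entries of an osv-scanner `config.toml`.

```python
"""Triage helper over osv-scanner JSON output (added example, not Tuleap code)."""
import json
from datetime import date

# Constructed sample of `osv-scanner --format json` output covering two lockfiles.
SCAN_OUTPUT = json.loads("""
{"results": [
  {"source": {"path": "composer.lock", "type": "lockfile"},
   "packages": [{"package": {"name": "vendor/lib", "version": "1.0.0", "ecosystem": "Packagist"},
                 "vulnerabilities": [{"id": "EXAMPLE-2023-0001", "summary": "placeholder"}]}]},
  {"source": {"path": "package-lock.json", "type": "lockfile"},
   "packages": [{"package": {"name": "left-pad-ish", "version": "2.0.0", "ecosystem": "npm"},
                 "vulnerabilities": [{"id": "EXAMPLE-2023-0002", "summary": "placeholder"},
                                     {"id": "EXAMPLE-2023-0001", "summary": "placeholder"}]}]}
]}
""")

# Constructed ignore list, shaped like the [[IgnoredVulns]] tables of config.toml (assumption).
IGNORED_VULNS = [
    {"id": "EXAMPLE-2023-0001", "reason": "not reachable from Tuleap code", "ignoreUntil": date(2023, 6, 1)},
    {"id": "EXAMPLE-2023-0002", "reason": "fix pending upstream"},  # no expiry date
]


def triage(scan, ignored, today):
    """Return (actionable, expired).

    actionable maps each non-ignored vuln id to the affected packages (a forced response);
    expired lists ignore entries whose ignoreUntil date has passed and must be re-triaged.
    """
    active, expired = {}, []
    for entry in ignored:
        until = entry.get("ignoreUntil")
        if until is not None and until < today:
            expired.append(entry["id"])
        else:
            active[entry["id"]] = entry.get("reason", "")
    actionable = {}
    for result in scan["results"]:
        for pkg in result["packages"]:
            p = pkg["package"]
            for vuln in pkg["vulnerabilities"]:
                if vuln["id"] in active:
                    continue  # an ignore applies to every package carrying the id, not one sub-package
                where = f"{p['ecosystem']}:{p['name']}@{p['version']} ({result['source']['path']})"
                actionable.setdefault(vuln["id"], []).append(where)
    return actionable, expired


def exit_code(actionable, expired):
    """Non-zero whenever something needs a human decision, so the nightly job turns red."""
    return 1 if actionable or expired else 0


if __name__ == "__main__":
    found, stale = triage(SCAN_OUTPUT, IGNORED_VULNS, date.today())
    print(json.dumps({"actionable": found, "expired_ignores": stale}, indent=2))
    raise SystemExit(exit_code(found, stale))
```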

Modified Files

Status  Name                                              Added  Removed
M       Makefile                                          +4     −0
D       plugins/mytuleap_contact_support/Jenkinsfile      +0     −114
M       tests/Jenkinsfile                                 +4     −4
M       tests/Jenkinsfile-nightly                         +2     −2
A       tests/Jenkinsfile-security-scan-vuln-deps         +53    −0
M       tests/Jenkinsfile-security-taint-analysis         +1     −1
M       tests/build_and_run/test.sh                       +1     −1
M       tools/publish_js_libraries/Jenkinsfile            +5     −5
M       tools/rpm/build_and_run_packages.sh               +1     −1
M       tools/utils/nix/dev-tools/default.nix             +1     −0
R       tools/utils/nix/build-tools.dockerfile
A       tools/utils/osv-scanner/config.toml               +359   −0