Can this be integrated into Github's Dependabot? #3

simbabque opened this issue Apr 30, 2023 · 2 comments

@simbabque

https://github.com/dependabot sends PRs to repos to bump dependencies. I have no idea how it works though.

@garu
Collaborator

garu commented May 4, 2023

This is a great idea and should definitely be one of our milestones. Here's how it works:

Dependabot is a part of the Github Advisory Database. Github pulls data from the security database of several open source languages like Python, Ruby, Rust and JavaScript and issues their own "GHSA-id" to each of them.

Then Dependabot reads that data and searches through Github for projects relying on a vulnerable version, making an auto PR that bumps them up.

Perl, unsurprisingly, is not supported. YET! 😈

While it is tempting to simply open an issue on their repo asking them to support CPAN, I'd rather we set things up properly on our end so adding CPAN is so easy they see no point in not doing so.

So here are my proposed steps to reach that milestone and get into Github's advisory database and Dependabot (and increase the overall security and awareness of Perl/CPAN's ecosystem):

  1. We upgrade our security advisory schema to the Open Source Vulnerability Database;
  2. Set up a formal cpan-advisory-database repository, preferably under the MetaCPAN group, storing all advisories in that format. We can prepopulate or integrate with brian's cpan-security-advisory repository, and invite him to co-maintain it if this is a direction he feels like going (he did mention that he felt metacpan should do its own thing iirc, but we should check nonetheless and combine efforts if we can);
  3. Provide an automated way people can submit new entries. I think a PR to the cpan-advisory-database repository could be very straightforward, automatically checking for schema validity, deduplication and making our own validation pipelines much easier. Go does it like that. We can then work on a CLI tool and a web form that will make the PR automatically for the user;
  4. Provide a feed of the latest vulnerabilities, and a search, similar to https://pkg.go.dev/vuln/
  5. Create a project page for the CPAN Security Working Group stating mission, format, pipelines, etc. Similar to https://go.dev/security/vuln/
  6. Update the program Tux made at PTS23, so that it scans Makefile.PL, dist.ini and cpanfiles alike, maybe even regular "use" statements, explaining the issues and suggesting version bumps;
  7. See if we can get listed on OSV as compliant with their format (see step 1 here);
  8. Open an issue to Github's Advisory Database so it accepts CPAN distributions, maybe even bundling a PR to Dependabot that does it already so all they have to do is click "merge".

What do you all think? Looks like we have a lot of work ahead of us!
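The pipeline sketched in steps 1, 3 and 6 above, as an added example that is not code from this issue, from CPANSec or from MetaCPAN: one Perl script holding a constructed OSV record (hypothetical advisory id CPANSA-Example-Dist-2023-0001, hypothetical distribution Example-Dist, and an assumed "CPAN" ecosystem label), a minimal validity check of the kind a submission PR would run, a cpanfile reader, and an evaluation of OSV ECOSYSTEM ranges that reports the fixed version to bump to. The cpanfile contents are constructed as well; mapping modules to distributions by swapping "::" for "-" and checking declared minimum versions rather than resolved ones are simplifications, flagged in the code, that a real tool would replace with the CPAN package index and cpanfile.snapshot.

```perl
# Added example (not CPANSec's or MetaCPAN's code): validate an OSV-format
# advisory, then match a cpanfile's declared dependencies against it and
# suggest a version bump. All identifiers, versions and the "CPAN"
# ecosystem label below are constructed for illustration.
use strict;
use warnings;
use version;
use JSON::PP;

# Constructed OSV record (https://ossf.github.io/osv-schema/); hypothetical id,
# distribution name and version boundaries.
my $advisory_json = <<'JSON';
{ "id": "CPANSA-Example-Dist-2023-0001",
  "modified": "2023-05-04T00:00:00Z",
  "affected": [ {
      "package": { "ecosystem": "CPAN", "name": "Example-Dist" },
      "ranges": [ { "type": "ECOSYSTEM",
                    "events": [ { "introduced": "1.00" }, { "fixed": "1.23" } ] } ]
  } ] }
JSON

# Constructed cpanfile. Declared minimums are checked; prefer cpanfile.snapshot
# (resolved versions) in a real tool when one exists.
my $cpanfile = <<'CPANFILE';
requires 'Example::Dist', '1.10';
requires 'Other::Module', '>= 2.0, < 3.0';
requires 'Example::Dist2';
CPANFILE

# Step 3: checks a submission pipeline would run before accepting a PR.
# Returns the problems found; an empty list means the record passed.
sub check_advisory {
    my ($adv) = @_;
    my @problems = map { "missing '$_'" } grep { !exists $adv->{$_} } qw(id modified affected);
    for my $aff (@{ $adv->{affected} || [] }) {
        push @problems, "affected entry without package.name"
            unless $aff->{package} && $aff->{package}{name};
        for my $r (@{ $aff->{ranges} || [] }) {
            push @problems, "range without an 'introduced' event"
                unless grep { exists $_->{introduced} } @{ $r->{events} || [] };
        }
    }
    return @problems;
}

# Step 6: pull (module, minimum version) pairs out of a cpanfile.
# A bare `requires 'X';` means any version, i.e. minimum 0.
sub parse_cpanfile {
    my ($text) = @_;
    my %deps;
    for my $line (split /\n/, $text) {
        next unless $line =~ /^\s*requires\s+['"]([\w:]+)['"]\s*(?:,\s*['"]([^'"]*)['"])?/;
        my ($module, $spec) = ($1, $2 // '');
        my ($min) = $spec =~ /(\d[\w.]*)/;   # first bound of ">= 2.0, < 3.0" is 2.0
        $deps{$module} = $min // '0';
    }
    return \%deps;
}

# OSV ECOSYSTEM ranges: a version is affected when it is >= an 'introduced'
# event and < the 'fixed' event that follows it (or no fix is listed yet).
# Returns the fixing version, a marker string, or undef when not affected.
sub affected_by {
    my ($ver, $range) = @_;
    my $v    = version->parse($ver);
    my $open = 0;
    for my $ev (@{ $range->{events} }) {
        if (exists $ev->{introduced}) {
            $open = $v >= version->parse($ev->{introduced});
        } elsif (exists $ev->{fixed}) {
            return $ev->{fixed} if $open && $v < version->parse($ev->{fixed});
            $open = 0;
        }
    }
    return $open ? 'no fix published' : undef;
}

# Match dependencies against advisories. Swapping "::" for "-" to get the
# distribution name is a simplification; a real tool must consult the CPAN
# package index (02packages), since module and distribution names can differ.
sub scan {
    my ($deps, @advisories) = @_;
    my @findings;
    for my $adv (@advisories) {
        for my $aff (@{ $adv->{affected} }) {
            next unless ($aff->{package}{ecosystem} // '') eq 'CPAN';
            for my $module (sort keys %$deps) {
                (my $as_dist = $module) =~ s/::/-/g;
                next unless $as_dist eq $aff->{package}{name};
                for my $r (grep { $_->{type} eq 'ECOSYSTEM' } @{ $aff->{ranges} }) {
                    my $fix = affected_by($deps->{$module}, $r);
                    push @findings, { id => $adv->{id}, module => $module,
                                      have => $deps->{$module}, fixed => $fix }
                        if defined $fix;
                }
            }
        }
    }
    return @findings;
}

my $adv = JSON::PP->new->decode($advisory_json);
my @problems = check_advisory($adv);
die "advisory rejected: @problems\n" if @problems;

my @findings = scan(parse_cpanfile($cpanfile), $adv);
printf "%s: %s >= %s is affected; bump the minimum to %s\n",
    @{$_}{qw(id module have fixed)} for @findings;
print "no known vulnerabilities\n" unless @findings;
```

Run with `perl scan.pl`; it uses only core modules (version, JSON::PP). With the constructed data it reports the Example::Dist dependency as affected and suggests raising its minimum to 1.23, while Other::Module and Example::Dist2 are not matched because the distribution name comparison is exact. The `affected_by` routine follows the OSV event semantics, so a record whose range has an `introduced` event but no `fixed` event is still reported, which is the case a scanner must not silently drop.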

@stigtsp
Member

stigtsp commented May 5, 2023

LGTM!
