
Comments (8)

rarkins commented on June 11, 2024

There might be a misunderstanding here. Point by point:

The WhiteSource integration for GitHub.com currently runs only when dependency definitions are added, removed or updated.

Slight nuance: the WhiteSource integration scans dependencies whenever the relevant dependency files are changed.

If there is a security vulnerability that is spotted on a project dependency, WhiteSource won't spot it until the list of project dependencies gets updated.

Not correct, assuming you mean something like "A new CVE is found that affects dependencies in a FINOS project". Scanning of dependencies is done on commits, but cross-referencing that against the WhiteSource vulnerability database is done in near real-time. In other words, if there's a new CVE found, a match will be made immediately against FINOS's dependencies, and then issues/PRs raised if applicable.

In other words, "scanning for dependencies" and "checking dependencies for vulnerabilities" are independent actions. The former is done on relevant commits while the latter is done whenever necessary.

from open-developer-platform.

maoo commented on June 11, 2024

Done, please see https://finosfoundation.atlassian.net/wiki/spaces/FDX/pages/1129283585/WhiteSource+for+GitHub.com and https://finosfoundation.atlassian.net/wiki/spaces/FDX/pages/75530440/WhiteSource : at the top I've added a note stating:

Near Real Time scanning
WhiteSource runs project scanning in near-real-time: every time a new CVE gets spotted on a library that is used by the project, the vulnerability is notified. Scanning can also happen:

  • At build time, using the WhiteSource unified agent
  • On code change, using the WhiteSource integration for GitHub.com

Closing issue, please reopen if needed. TY!

rarkins commented on June 11, 2024

Hi @maoo,

If I understand correctly, the WhiteSource integration for GitHub.com will create an issue/PR today (February 25 2020) with the relevant CVE info?

Yes, you understand correctly. Lack of recent commits is no barrier to getting timely vulnerability alerts.

I discussed this internally and we will clarify this in our own documentation too.

maoo commented on June 11, 2024

Hi @mcleo-d, thanks for the feedback! I'd prefer to stick to the Direct Path; that said, if the Docusaurus bit takes less than 1 hour, I'm in favour of considering it part of this story.

My 0.02€ cents of course, happy to follow @rarkins preference!

mcleo-d commented on June 11, 2024

Thanks for your feedback @maoo 👍

I'm happy with a very basic MVP just to prove @rarkins can add content into the wiki. I'm happy to take the weight of the page formatting even if the content @rarkins adds is a link to an external page.

I'm not expecting migration of page content from the current FINOS wiki into Docusaurus as part of this story.

I hope that helps narrow the scope?

James.

mcleo-d commented on June 11, 2024

@rarkins - @maoo and I agreed on a call today that @maoo will complete this item by adding the doc update directly to the FINOS wiki below. Please disregard the request in the comments above.

@maoo - The item to complete this task is the following 👍

Direct Path to Close

Thanks both! 😸

maoo commented on June 11, 2024

@rarkins - TY for your answer, I'll respond inline...

Not correct, assuming you mean something like "A new CVE is found that affects dependencies in a FINOS project". Scanning of dependencies is done on commits, but cross-referencing that against the WhiteSource vulnerability database is done in near real-time. In other words, if there's a new CVE found, a match will be made immediately against FINOS's dependencies, and then issues/PRs raised if applicable.

Oh, great! To make sure we're on the same page, let's take a simple example:

  • we have project A, with a package.json (lockfile) that points to library X, version 1.0
  • last commit on package.json (and lockfile) was on January 1 2020
  • A new CVE is spotted today (February 25 2020) on library X, version 1.0 and made public on nvd.nist.gov

If I understand correctly, the WhiteSource integration for GitHub.com will create an issue/PR today (February 25 2020) with the relevant CVE info?

If that's the case, the only thing left on this issue is to document this behaviour on https://finosfoundation.atlassian.net/wiki/spaces/FDX/pages/1129283585/DRAFT+WhiteSource+for+GitHub.com . @rarkins , I couldn't find a place in https://whitesource.atlassian.net/wiki/spaces/WD/pages/697696422/WhiteSource+for+GitHub.com where this behaviour is clearly described, maybe I missed it? Or maybe we could propose an update to WS docs page too?

Thanks!

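The two-step model discussed in this thread (dependency inventory captured when the lockfile changes, vulnerability matching run whenever the advisory feed changes) can be shown with a small simulation. This is an added illustration, not WhiteSource's own code or anything from the FINOS project: the lockfile fragment, the advisory records and their identifiers are all constructed placeholders, and the version-range semantics are an assumption chosen for the example. It walks through exactly the scenario in the comment above: a lockfile last committed on January 1 2020 pinning library X at 1.0, and an advisory published on February 25 2020.

```python
import json
from datetime import date

# Files whose change should trigger a fresh dependency inventory
# (the "on code change" trigger). Assumed set for this example.
DEPENDENCY_FILES = {"package.json", "package-lock.json"}

# Constructed package-lock.json fragment for "project A"; not a real lockfile.
LOCKFILE_JSON = """
{
  "name": "project-a",
  "lockfileVersion": 2,
  "packages": {
    "": {"name": "project-a", "version": "0.1.0"},
    "node_modules/library-x": {"version": "1.0.0"},
    "node_modules/library-y": {"version": "2.3.1"}
  }
}
"""

# Constructed advisory feed. The identifiers are placeholders, not real CVEs.
# Each record names the package, the first affected version, the first fixed
# version, and the publication date.
ADVISORIES = [
    {"id": "CVE-PLACEHOLDER-0001", "package": "library-x",
     "introduced": "1.0.0", "fixed": "1.0.1", "published": date(2020, 2, 25)},
    {"id": "CVE-PLACEHOLDER-0002", "package": "library-y",
     "introduced": "3.0.0", "fixed": "3.0.2", "published": date(2020, 2, 25)},
]


def needs_inventory_refresh(changed_paths):
    """Step 1 trigger: only a change to a dependency file re-scans dependencies."""
    return any(p.rsplit("/", 1)[-1] in DEPENDENCY_FILES for p in changed_paths)


def parse_version(text):
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple of ints."""
    return tuple(int(part) for part in text.split("."))


def inventory_from_lockfile(lock_text, committed_on):
    """Step 1: build the dependency inventory from a lockfileVersion 2 file.

    The snapshot is stamped with the commit date so later matching can show
    that alert timeliness does not depend on it.
    """
    data = json.loads(lock_text)
    deps = {}
    for path, info in data["packages"].items():
        if path == "":  # root package entry, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        deps[name] = info["version"]
    return {"committed_on": committed_on, "deps": deps}


def is_affected(version, introduced, fixed):
    """Assumed range semantics: affected if introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def match_advisories(inventory, advisories, today):
    """Step 2: cross-reference the stored inventory against the advisory feed.

    This runs whenever the feed changes, independently of any commit, so a
    new advisory is matched on the day it is published.
    """
    findings = []
    for adv in advisories:
        version = inventory["deps"].get(adv["package"])
        if version is None:
            continue  # project does not use this package at all
        if is_affected(version, adv["introduced"], adv["fixed"]):
            findings.append({
                "id": adv["id"],
                "package": adv["package"],
                "version": version,
                "fixed": adv["fixed"],
                "days_since_commit": (today - inventory["committed_on"]).days,
            })
    return findings


if __name__ == "__main__":
    inventory = inventory_from_lockfile(LOCKFILE_JSON, date(2020, 1, 1))
    for finding in match_advisories(inventory, ADVISORIES, date(2020, 2, 25)):
        print(finding)
```

Running it reports one finding for library-x 1.0.0 (fixed in 1.0.1) with 55 days since the last lockfile commit, while library-y at 2.3.1 is outside the affected range and produces nothing. The point the thread makes is visible in the structure: `needs_inventory_refresh` gates only the inventory step, and `match_advisories` never consults whether a commit happened recently.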

mcleo-d commented on June 11, 2024

Thanks for all the work you're putting into closing this story @rarkins. I'm more than happy for you to help complete this item by taking either of the following paths.

Direct Path to Close

Alternative Path to Close : Future ODP Collaboration Path

  • Raise a PR to ...
    • Create the new folder structure Development Infrastructure/Code Validation/White Source/ in the docs folder of the ODP microsite (work in progress).
    • Add a new markdown file with the relevant WhiteSource content.
      • whether new content or a reference to existing content
    • Work with @mcleo-d and/or @maoo to prove this method of collaborating using Docusaurus and pull requests is constructive for scaling ODP knowledge and documentation.

I'm more than happy for you to choose depending on the amount of time you have to hand 😺

Speak soon,

James.