Comments (8)
There might be a misunderstanding here. Point by point:
The WhiteSource integration for GitHub.com currently runs only when dependency definitions are added, removed or updated.
Slight nuance: the WhiteSource integration scans dependencies whenever the relevant dependency files are changed.
If there is a security vulnerability that is spotted on a project dependency, WhiteSource won't spot it until the list of project dependencies gets updated.
Not correct, assuming you mean something like "A new CVE is found that affects dependencies in a FINOS project". Scanning of dependencies is done on commits, but cross-referencing that against the WhiteSource vulnerability database is done in near real-time. In other words, if there's a new CVE found, a match will be made immediately against FINOS's dependencies, and then issues/PRs raised if applicable.
In other words, "scanning for dependencies" and "checking dependencies for vulnerabilities" are independent actions. The former is done on relevant commits while the latter is done whenever necessary.
from open-developer-platform.
Done, please see https://finosfoundation.atlassian.net/wiki/spaces/FDX/pages/1129283585/WhiteSource+for+GitHub.com and https://finosfoundation.atlassian.net/wiki/spaces/FDX/pages/75530440/WhiteSource : at the top I've added a note stating:
Near Real Time scanning
WhiteSource runs project scanning in near-real-time: every time a new CVE gets spotted on a library that is used by the project, the vulnerability is notified. Scanning can also happen:
- At build time, using the WhiteSource unified agent
- On code change, using the WhiteSource integration for GitHub.com
Closing issue, please reopen if needed. TY!
Hi @maoo,
If I understand correctly, the WhiteSource integration for GitHub.com will create an issue/PR today (February 25 2020) with the relevant CVE info?
Yes, you understand correctly. Lack of recent commits is no barrier to getting timely vulnerability alerts.
I discussed this internally and we will clarify this in our own documentation too.
Hi @mcleo-d , thanks for the feedback! I'd prefer to stick to the Direct Path; that said, if the Docusaurus bit takes less than 1 hour, I'm in favour of considering part of this story.
My 0.02€ cents of course, happy to follow @rarkins preference!
Thanks for your feedback @maoo 👍
I'm happy with a very basic MVP just to prove @rarkins can add content into the wiki. I'm happy to take the weight of the page formatting even if the content @rarkins adds is a link to an external page.
I'm not expecting migration of page content from the current FINOS wiki into Docusaurus as part of this story.
I hope that helps narrow the scope?
James.
@rarkins - @maoo and I agreed on a call today that @maoo will complete this item by adding the doc update directly to the FINOS wiki below. Please disregard the request in the comments above.
@maoo - The item to complete this task is the following 👍
Direct Path to Close
- Add WhiteSource references straight into WhiteSource for GitHub.com on the FINOS Wiki
Thanks both! 😸
@rarkins - TY for your answer, I'll respond inline....
Not correct, assuming you mean something like "A new CVE is found that affects dependencies in a FINOS project". Scanning of dependencies is done on commits, but cross-referencing that against the WhiteSource vulnerability database is done in near real-time. In other words, if there's a new CVE found, a match will be made immediately against FINOS's dependencies, and then issues/PRs raised if applicable.
Oh, great! To make sure we're on the same page, let's take a simple example:
- we have project A, with a package.json (lockfile) that points to library X, version 1.0
- last commit on package.json (and lockfile) was on January 1 2020
- A new CVE is spotted today (February 25 2020) on library X, version 1.0 and made public on nvd.nist.gov
If I understand correctly, the WhiteSource integration for GitHub.com will create an issue/PR today (February 25 2020) with the relevant CVE info?
If that's the case, the only thing left on this issue is to document this behaviour on https://finosfoundation.atlassian.net/wiki/spaces/FDX/pages/1129283585/DRAFT+WhiteSource+for+GitHub.com . @rarkins , I couldn't find a place in https://whitesource.atlassian.net/wiki/spaces/WD/pages/697696422/WhiteSource+for+GitHub.com where this behaviour is clearly described, maybe I missed it? Or maybe we could propose an update to WS docs page too?
Thanks!
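The scenario in this comment, as an added Python model (not WhiteSource's code, nor anything from the ODP project): parsing the lockfile is the commit-time action, matching advisories against the stored inventory is the separate near-real-time action, so an advisory published on 25 February still yields an alert for a lockfile last touched on 1 January. The lockfile shape, package names and CVE ids are constructed placeholders.

```python
"""Model of the two independent actions discussed above.

Added illustration only: a dependency inventory is captured when the
lockfile changes; vulnerability matching runs against that stored
inventory whenever an advisory appears, without a new commit.
"""
import json
from datetime import date

# Constructed lockfile for "project A" (assumed, simplified npm lockfile shape)
LOCKFILE = json.dumps({
    "name": "project-a",
    "dependencies": {
        "library-x": {"version": "1.0.0"},   # the library from the example
        "other-lib": {"version": "1.3.0"},   # already past its fixed version
    },
})


def scan_dependencies(lockfile_text, commit_date):
    """Commit-time action: parse the lockfile into a (name -> version) inventory."""
    data = json.loads(lockfile_text)
    deps = {name: entry["version"] for name, entry in data["dependencies"].items()}
    return {"scanned_on": commit_date, "deps": deps}


def parse_version(version):
    """Turn '1.0.0' into (1, 0, 0) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def match_advisories(inventory, advisories):
    """Near-real-time action: cross-reference the stored inventory against
    newly published advisories. Affected means version < fixed_in."""
    alerts = []
    for adv in advisories:
        installed = inventory["deps"].get(adv["package"])
        if installed and parse_version(installed) < parse_version(adv["fixed_in"]):
            alerts.append({"cve": adv["cve"], "package": adv["package"],
                           "version": installed, "published": adv["published"]})
    return alerts


def demo():
    """Lockfile last committed 1 Jan 2020; advisories published 25 Feb 2020."""
    inventory = scan_dependencies(LOCKFILE, date(2020, 1, 1))
    advisories = [  # constructed advisories with placeholder CVE ids
        {"cve": "CVE-YYYY-NNNNN (placeholder)", "package": "library-x",
         "fixed_in": "1.0.1", "published": date(2020, 2, 25)},
        {"cve": "CVE-YYYY-MMMMM (placeholder)", "package": "other-lib",
         "fixed_in": "1.2.0", "published": date(2020, 2, 25)},
    ]
    return inventory, match_advisories(inventory, advisories)
```

Only library-x is reported: other-lib is already at a version at or above its fix, which is the range check a real matcher must get right to avoid noise.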
Thanks for all the work you're putting into closing this story @rarkins. I'm more than happy for you to help complete this item by taking either of the following paths.
Direct Path to Close
- Add WhiteSource references straight into WhiteSource for GitHub.com on the FINOS Wiki
Alternative Path to Close : Future ODP Collaboration Path
- Raise a PR to ...
- Create the new folder structure Development Infrastructure/Code Validation/White Source/ in the docs folder of the ODP microsite (work in progress).
- Add a new markdown file with the relevant WhiteSource content.
  - whether new content or a reference to existing content
- Work with @mcleo-d and/or @maoo to prove this method of collaborating using Docusaurus and pull requests is constructive for scaling ODP knowledge and documentation.
I'm more than happy for you to choose depending on the amount of time you have to hand 😺
Speak soon,
James.