-
Notifications
You must be signed in to change notification settings - Fork 1
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[FEAT]: Allow analysis of all branches #305
Comments
Hi @emil-wire, great to hear from you. Would you require any base branch, or prefer a pattern to configure base branches of PRs that should be analyzed? We could even get more open and make the branches to be analyzed configurable - what would result in one project per branch imported in dependency-track. WDYT? |
First: thanks for being open to this! |
always. to everything ;)
interesting idea, need to test around a bit, but that's definite valuable. Since I haven't been able to run technolinator successfully yet, could you tell me if you transmit additional metadata to dependency-track? Like versions, tags, etc.? atm, the (default) branch name is used as version in dtrack, what makes it easy to have any branch as separate entry in dtrack - but that's because of the leak of a good idea, how to version properly. maybe we can stay with this, or use also labels for detected latest versions... |
Note: There should be a cleanup of dependency-track projects from branches that got deleted. We've a similar issue open for deleted or archived repos, guess we can implement it in a way that fits both use-cases: #96
|
awesome :) Maybe one could use the commit hash as versioning information? Within our org, that would be the lowest common denominator.
|
ok, so always put a new version to dtrack with every commit? would you disable all previous version in dtrack with a new one? I'm always thinking about something like: listening on new GH releases and update the according dtrack project with that version - not sure how practical that would be... |
I don't think I would tbh. But I'm also not 100% sure how to integrate that into our workflow... Do you have an idea? |
Can you briefly describe your workflow, @emil-wire ? Is there a verification about the dependency-track scan results included somewhere (and if: how)? I'm not quite confident, that dependency-track will be able to deal with that high amount of projects, if a new one is created for each commit (even if only on default branch), but we need to test out. Just to sort it out, what are your most important demands for now, @emil-wire, did I recap it correct?:
That's also from easy to harder, and maybe we get some nice idea about the versioning, when we realized 1-3 ;) |
I don't have demands, only wishes :) Not my place to demand stuff from people who have made my life already much easier (again, can't thank you enough!). But 1. and 2. on the list are spot on. Hyades sounds amazing, and very sensible. Can't wait for it to be released
Verification: currently manual. I triage the boms and am looking for critical and highs only and after validation, create tickets. we have the usual gitflow at Wire (see https://github.com/wireapp/wire-webapp as an example). I don't think, that we need to store the sbom for each and every branch in the long term and ideally (once we operationalize this stack across all of our repos and techstack) a simple PR decoration giving the devs feedback would be enough. But we're not there yet, because there is a LOT of heterogeneity in our dev process (I'm tackling this, but it takes time...) - there isn't a one size fits all solution currently. But, because some of our institutional customers lag a couple of versions behind our main branches, there's a need to have a historic record of some kind somewhere and provide a fix on a path of least resistance. Since github is pretty public, I can't go into more details here, but we can setup a call if you'd like and get to know each other :)
deletion/inactivation could be handled by me building some kind of script that runs once every week or so. no need for you to worry about that, I think the complexity of technolinator would explode and I'm sure most orgs who'd adopt this feature would have some very specific requirements that would be better served by building their own automation around dependency track.
After thinking about this some more, I can see a good way to solve this for us. Each time we cut a release on github, run an action that looks at the PRs that made it into the release, get the bom for that release, attach it to the release artifacts and remove all versions from dtrack that are tied to non release PRs. Sounds simple enough to automate and again highly specific to each org, where I wouldn't want to burden technolinator with that task. What do you think? |
Thx for your thoughts and insights, @emil-wire
That's an idea we also discussed for version handling using technolinator. react on "onRelease" event in the GH app, and either create/upload a new bom of that commit, versioned with the git tag name, or label or re-version (if that's) possible the according dtrack project. Will realize something when hitting topic 4 of that list, wanting this feature myself for quite some time ;) are you located in Switzerland, @emil-wire? |
Wires development company is located in Berlin, as am I. Regarding the conference: I'm a security engineer and am on a spree to shift security left at Wire. Generally building out a somewhat automated security program here of which dependency tracking is a priority. Not sure if I have something to contribute to such a conference as currently, we're implementing the basics here... |
ok.
sounds already like a great abstract. just think about, we're looking for "user stories" of any kind, so how to shift security left from someone actually doing it is much more desired than from some consultant who just always talks about ;) |
🤣 that's already working, there's no check on the base branch of a PR, @emil-wire - would have bet my ass that's different. |
atm, this would trigger a parallel bom creation, if there are PRs with the branch to be analyzed as head. Edit: ok. will refactor technolinator to only react on Edit2: onPR is still needed, but need to check, whether there's a analysis of it's head commit already running from a onPush. |
I'll look into it :)
you sure? I have a bunch of these in my logs: |
yes, push to non-default branches are ignored. |
this issue is not forgotten, but need some time to test a proper setup with dtrack and the archiving/cleanup function in place upfront. |
Request Description
Hi guys,
thanks for your project! I'm currently testing it out and was wondering if you would consider adding a feature that allows for analysis of PRs for all branches and not just on merge for the default branch?
Catching vulnerable dependencies early on would be a very valuable feature. Of course resource consumption is something to keep in mind.
Additional Information
No response
The text was updated successfully, but these errors were encountered: