Override the ref, sha and the manifests' source_location attributes in the JSON that will be submitted
#249
Conversation
mkurz
force-pushed
the
overrides-ref-sha-manifest
branch
2 times, most recently
from
b6c1eca to
2e4a636
Compare
Could you give an example of what input you would use to have Github process the snapshot? |
Here is the thing: So what I do is I just hardcode the same sha (one that is on the default branch) for all workflows in all branches in a repo. This way GitHub thinks all json that it receives are from the default branch, which, in reality is not true. So you can see, I changed the file name of the manifest: I added the timestamp when the workflow ran, the branch name and, like before the file name itself. This allows me to distinguish from which branch an alert comes from. (In theory we would not need the correlator anymore, because the file names do not override each other anymore). If I run the referenced workflow scheduled, each night, now, we would be able to check not just the main branch, but also our stable branches for security vulnerabilities. I have done lots of testing to understand how GitHub process the submitted dependency snapshots, when and how it opens new alerts, and when it closes them automatically:
I was also testing this PR thoroughly, hosting the artifacts on my github pages:
If something is unclear, let me know. I might have some more links that explain things a bit more, but I have to run now, will be back later. Thanks! |
|
(in case you merge this PR, it would be nice if yould push a new tag so I can make us if it, thanks!) |
|
Here are draft PRs for Play with what the result would look like:
That PRs would result into what you see in the screenshot. |
mkurz
force-pushed
the
overrides-ref-sha-manifest
branch
from
2e4a636 to
dccb52a
Compare
|
Hi @mkurz and thanks for opening this pull request. After internal discussions at the Scala Center, we concluded not to merge it. The proposed changes are designed to bypass Github's built-in restrictions, which are part of their Advanced Security package:
As maintainers of this repository, we don't want to open this door to other users. |
|
Hmm.. OK. However, I do not understand why you refer to the "Dependency review" feature - what does that have to do with bypassing Github's built-in restrictions? Actually... (please don't get me wrong) - which restrictions? I accept that you will not merge this PR. However, I do not see it as strict as saying "bypass ... Github's built-in restrictions" - The dependency submission API is just a public REST api you can post to any dependencies you like. It's more or less independent of which dependency are actually contained in a repo's manifest file(s). I can right now start The way I see it: I just know how the API works and make use of its features. Side note: GitHub also just uses the same api via https://github.com/advanced-security/maven-dependency-submission-action to submit dependencies of maven projects - the only difference people don't have to set up their own workflows to run it, but just click a button in the settings. The reason why I came up with this pull request is because I can just not see how it is possible to monitor the dependencies of non-default branches. I know my PR is a workaround, but for me personally, the benefit of having easy insight and getting notified about potential vulnerabilities in our stable branches outweighs that. |
|
Actually I was reading too fast, and it is true that Dependeny Review is fully available on public repositories. So I am not sure why Github is limiting dependency scans to the default branch only.
As an alternative, have you considered using actions/dependency-review-action? You could have a long-living PR to get a dependency review comment each time you push to your branch. |
|
Catching up here again...
Because it's a limitation in GitHub. GitHub just way too much focuses on the default branch. For example, it's impossible to set up scheduled workflows for non-default branches in GitHub. I opened a ticket long time ago for that: https://github.com/orgs/community/discussions/16107 - I even talked with someone from GitHub engineering at a conference and they are aware of that limitation. I did not use Gitlab for a quite a while (except commenting on some random projects every now and then) but according to this comment, things are much easier to set up for non-default branches. So GitHub not raising alerts for dependencies in non-default branches is just a limitation by GitHub, nothing more.
This is not an alternative. Just by looking at the response schema of the review api, I can see that the So the review action/api does not cover:
So the dependency review api is of no use for what I want to achieve. What I want to achieve is to be able to get notified by GitHub for vulnerabilities in our stable, non-default branches. Either when openend a PR or when running scheduled - by running a scheduled job in the default branch, checking out the stable branch, running sbt-dependency-submission,... because, like written above, we can not even set up scheduled workflows ootb for non-default branches. This way we can run dependency checks for all our relevant branches every night and get notified immediately when a new vulnerability comes up.
Hmm.. I think I realize now what you wanted to tell me with this sentence... Did you mean that, with this PR, I kind of replicated the functionality of the dependency review api, which you assumed was availabile for private repos only?
My PR just makes use of the submission api. I just make the api believe the dependencies I send to it are from the main (default) branch, so it will process them. That's basically all. By doing that I am not bypassing any GitHub restriction. Maybe you misunderstood the intention of this PR? |
|
Referencing relevant discussion (kinda note to myself):
|
|
(side note: found, what I would say a bug, in GitHub security alerts: https://github.com/orgs/community/discussions/154281) |
These inputs do not change how dependencies are processed. They only override certain attributes just before the JSON file is submitted.
By allowing these settings to be overridden, we can implement a workaround to submit dependencies from any branch and have them processed by GitHub - including receiving alerts for them - not just the main branch, which is currently the only officially supported branch.