I think it's probably sufficient to just enable the GitHub code
scanning and dependabot PRs. That's what other projects do. It's
pretty easy to review and merge right from the interface, and it helps
stay on top of these.

On Tue, Mar 10, 2026 at 3:08 PM Patrick Hunt <[email protected]> wrote:
>
> On Tue, Mar 10, 2026 at 10:18 AM Patrick Hunt <[email protected]> wrote:
>
> >
> >
> > On Mon, Mar 9, 2026 at 2:08 PM Patrick Hunt <[email protected]> wrote:
> >
> >>
> >>
> >> On Mon, Mar 9, 2026 at 2:02 PM Enrico Olivelli <[email protected]>
> >> wrote:
> >>
> >>> Il Lun 9 Mar 2026, 17:27 Patrick Hunt <[email protected]> ha scritto:
> >>>
> >>> > I noticed that there are GHSA reports which don't always have CVEs
> >>> > assigned. We have the OWASP scanner scanning for CVEs as part of our
> >>> > Jenkins infra, however not GHSA. Should we add this?
> >>> >
> >>> > There's a tool "osv-scanner" which I ran locally on my machine (not
> >>> > sure if this is running right but ...), it reported the following for trunk....
> >>> >
> >>>
> >>>
> >>> Is it possible to run it on Github actions, instead of Jenkins?
> >>>
> >>> In any case I am +1 to add new popular scanners, because having their
> >>> reports can help us see the problems as soon as they hit users
> >>>
> >>>
> >> I notice we don't have github.com native security scanning active,
> >>
> >> >Code scanning alerts • Needs setup
> >> >Automatically detect common vulnerability and coding errors
> >>
> >>  perhaps that would be sufficient? Maybe we should try that first? Anyone
> >> know why we are not using it?/any reason not to just turn it on? Any reason
> >> not to turn it on?
> >>
> >>
> > What's our policy - if dependabot submits a PR, is that something a
> > committer can "+1" and commit? (I assume yes?) Via the github PR process?
> > (eg merge/commit/close via the github UI)
> >
> >
> I can also try this if there are no objections and seems to align with your
> feedback @Enrico Olivelli <[email protected]>
>
> https://google.github.io/osv-scanner/github-action/
>
> OSV-Scanner is available as a CI/CD Action. We currently offer two
> different reusable workflows for Github:
>
> A workflow that triggers a scan with each pull request and will only report
> new vulnerabilities introduced through the pull request.
> A workflow that performs a full vulnerability scan, which can be configured
> to scan on pushes or a regular schedule. The full vulnerability scan can
> also be configured to run on release to prevent releasing with known
> vulnerabilities in dependencies.
>
>
>
> > Patrick
> >
> >
> >> Patrick
> >>
> >>
> >>> Enrico
> >>>
> >>>
> >>> > Regards,
> >>> >
> >>> > Patrick
> >>> >
> >>> > ..... <clip general logs> ....
> >>> > End status: 536 dirs visited, 2308 inodes visited, 21 Extract calls,
> >>> > 3.877381125s elapsed, 3.877341s wall time
> >>> > Filtered 3 local/unscannable package/s from the scan.
> >>> > Total 5 packages affected by 10 known vulnerabilities (0 Critical, 3 High,
> >>> > 4 Medium, 3 Low, 0 Unknown) from 1 ecosystem.
> >>> > 10 vulnerabilities can be fixed.
> >>> >
> >>> >
> >>> >
> >>> >
> >>> > OSV URL                             | CVSS | ECOSYSTEM | PACKAGE                               | VERSION | FIXED VERSION | SOURCE
> >>> > ------------------------------------|------|-----------|---------------------------------------|---------|---------------|-----------------------------------------------------
> >>> > https://osv.dev/GHSA-25qh-j22f-pwp8 | 5.9  | Maven     | ch.qos.logback:logback-core           | 1.3.15  | 1.3.16        | zookeeper-contrib/zookeeper-contrib-fatjar/pom.xml
> >>> > https://osv.dev/GHSA-qqpg-mvqg-649v | 1.8  | Maven     | ch.qos.logback:logback-core           | 1.3.15  | 1.5.25        | zookeeper-contrib/zookeeper-contrib-fatjar/pom.xml
> >>> > https://osv.dev/GHSA-25qh-j22f-pwp8 | 5.9  | Maven     | ch.qos.logback:logback-core           | 1.3.15  | 1.3.16        | zookeeper-contrib/zookeeper-contrib-loggraph/pom.xml
> >>> > https://osv.dev/GHSA-qqpg-mvqg-649v | 1.8  | Maven     | ch.qos.logback:logback-core           | 1.3.15  | 1.5.25        | zookeeper-contrib/zookeeper-contrib-loggraph/pom.xml
> >>> > https://osv.dev/GHSA-25qh-j22f-pwp8 | 5.9  | Maven     | ch.qos.logback:logback-core           | 1.3.15  | 1.3.16        | zookeeper-contrib/zookeeper-contrib-rest/pom.xml
> >>> > https://osv.dev/GHSA-qqpg-mvqg-649v | 1.8  | Maven     | ch.qos.logback:logback-core           | 1.3.15  | 1.5.25        | zookeeper-contrib/zookeeper-contrib-rest/pom.xml
> >>> > https://osv.dev/GHSA-cfxw-4h78-h7fw | 8.9  | Maven     | dnsjava:dnsjava                       | 3.5.1   | 3.6.0         | zookeeper-server/pom.xml
> >>> > https://osv.dev/GHSA-crjg-w57m-rqqf | 7.7  | Maven     | dnsjava:dnsjava                       | 3.5.1   | 3.6.0         | zookeeper-server/pom.xml
> >>> > https://osv.dev/GHSA-mmwx-rj87-vfgr | 7.1  | Maven     | dnsjava:dnsjava                       | 3.5.1   | 3.6.0         | zookeeper-server/pom.xml
> >>> > https://osv.dev/GHSA-4cx2-fc23-5wg6 | 6.3  | Maven     | org.bouncycastle:bcpkix-jdk18on (dev) | 1.78    | 1.79          | zookeeper-server/pom.xml
> >>> >
> >>>
> >>
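For the two reusable workflows quoted from the osv-scanner docs above, here is an added example of wiring both into a single GitHub Actions workflow file; it is not from this thread or from the ZooKeeper repository, and the workflow file paths, the `scan-args` input, the `@v1` pin and the `master` branch name are assumptions to be checked against the current osv-scanner-action docs before use.

```yaml
# Added example (not project code): PR diff scan + scheduled full scan
# using the osv-scanner reusable workflows. Paths, inputs, the @v1 pin
# and the branch name are assumptions; verify against the current docs.
name: osv-scanner

on:
  pull_request:
    branches: [master]
  push:
    branches: [master]
  schedule:
    - cron: '30 12 * * 1'   # weekly full scan, Mondays 12:30 UTC
  workflow_dispatch:        # allow a manual run, e.g. before cutting a release

permissions:
  actions: read
  contents: read
  security-events: write    # needed to upload SARIF into "Code scanning alerts"

jobs:
  # Diff scan: reports only vulnerabilities newly introduced by the PR,
  # so existing findings (like the logback/dnsjava ones above) do not
  # block unrelated changes.
  scan-pr:
    if: github.event_name == 'pull_request'
    uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@v1
    with:
      scan-args: |-
        --recursive
        ./

  # Full scan of every pom.xml / lockfile in the tree on push and on the
  # weekly schedule; findings land in the Security tab as SARIF alerts.
  scan-full:
    if: github.event_name != 'pull_request'
    uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v1
    with:
      scan-args: |-
        --recursive
        ./
```

Because OSV indexes GHSA advisories directly, the scan surfaces the GHSA-only entries the Jenkins OWASP check misses, alongside the CVE-backed ones.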
