On Tue, Mar 10, 2026 at 12:28 PM Christopher <[email protected]> wrote:
> I think it's probably sufficient to just enable the GitHub code > scanning and dependabot PRs. That's what other projects do. It's > pretty easy to review and merge right from the interface, and it helps > stay on top of these. > Sounds reasonable. Which code scanner do they use? when I attempt to turn code scanning on it gives me a list of options. I also noticed that osv-scanner is an option: https://github.com/apache/zookeeper/actions/new?category=security&query=osv Patrick > > On Tue, Mar 10, 2026 at 3:08 PM Patrick Hunt <[email protected]> wrote: > > > > On Tue, Mar 10, 2026 at 10:18 AM Patrick Hunt <[email protected]> wrote: > > > > > > > > > > > On Mon, Mar 9, 2026 at 2:08 PM Patrick Hunt <[email protected]> wrote: > > > > > >> > > >> > > >> On Mon, Mar 9, 2026 at 2:02 PM Enrico Olivelli <[email protected]> > > >> wrote: > > >> > > >>> Il Lun 9 Mar 2026, 17:27 Patrick Hunt <[email protected]> ha scritto: > > >>> > > >>> > I noticed that there are GHSA reports which don't always have CVEs > > >>> > assigned. We have the OWASP scanner scanning for CVEs as part of > our > > >>> > Jenkins infra, however not GHSA. Should we add this? > > >>> > > > >>> > There's a tool "osv-scanner" which I ran locally on my machine (not > > >>> sure if > > >>> > this is running right but ...), it reported the following for > trunk.... > > >>> > > > >>> > > >>> > > >>> Is it possible to run it on Github actions, instead of Jenkins? > > >>> > > >>> In any case I am +1 to add new popular scanners, because having their > > >>> reports can help us see the problems as soon as they hit users > > >>> > > >>> > > >> I notice we don't have github.com native security scanning active, > > >> > > >> >Code scanning alerts • Needs setup > > >> >Automatically detect common vulnerability and coding errors > > >> > > >> perhaps that would be sufficient? Maybe we should try that first? > Anyone > > >> know why we are not using it?/any reason not to just turn it on? Any > reason > > >> not to turn it on? > > >> > > >> > > > What's our policy - if dependabot submits a PR, is that something a > > > committer can "+1" and commit? (I assume yes?) Via the github PR > process? > > > (eg merge/commit/close via the github UI) > > > > > > > > I can also try this if there are no objections and seems to align with > your > > feedback @Enrico Olivelli <[email protected]> > > > > https://google.github.io/osv-scanner/github-action/ > > > > OSV-Scanner is available as a CI/CD Action. We currently offer two > > different reusable workflows for Github: > > > > A workflow that triggers a scan with each pull request and will only > report > > new vulnerabilities introduced through the pull request. > > A workflow that performs a full vulnerability scan, which can be > configured > > to scan on pushes or a regular schedule. The full vulnerability scan can > > also be configured to run on release to prevent releasing with known > > vulnerabilities in dependencies. > > > > > > > > > Patrick > > > > > > > > >> Patrick > > >> > > >> > > >>> Enrico > > >>> > > >>> > > >>> > Regards, > > >>> > > > >>> > Patrick > > >>> > > > >>> > ..... <clip general logs> .... > > >>> > End status: 536 dirs visited, 2308 inodes visited, 21 Extract > calls, > > >>> > 3.877381125s elapsed, 3.877341s wall time > > >>> > Filtered 3 local/unscannable package/s from the scan. > > >>> > Total 5 packages affected by 10 known vulnerabilities (0 Critical, > 3 > > >>> High, > > >>> > 4 Medium, 3 Low, 0 Unknown) from 1 ecosystem. > > >>> > 10 vulnerabilities can be fixed. > > >>> > > > >>> > > > >>> > > > >>> > > > >>> > ╭─────────────────────────────────────┬──────┬───────────┬───────────────────────────────────────┬─────────┬───────────────┬──────────────────────────────────────────────────────╮ > > >>> > │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE > > >>> > │ VERSION │ FIXED VERSION │ SOURCE > > >>> > │ > > >>> > > > >>> > > > >>> > ├─────────────────────────────────────┼──────┼───────────┼───────────────────────────────────────┼─────────┼───────────────┼──────────────────────────────────────────────────────┤ > > >>> > │ https://osv.dev/GHSA-25qh-j22f-pwp8 │ 5.9 │ Maven │ > > >>> > ch.qos.logback:logback-core │ 1.3.15 │ 1.3.16 │ > > >>> > zookeeper-contrib/zookeeper-contrib-fatjar/pom.xml │ > > >>> > │ https://osv.dev/GHSA-qqpg-mvqg-649v │ 1.8 │ Maven │ > > >>> > ch.qos.logback:logback-core │ 1.3.15 │ 1.5.25 │ > > >>> > zookeeper-contrib/zookeeper-contrib-fatjar/pom.xml │ > > >>> > │ https://osv.dev/GHSA-25qh-j22f-pwp8 │ 5.9 │ Maven │ > > >>> > ch.qos.logback:logback-core │ 1.3.15 │ 1.3.16 │ > > >>> > zookeeper-contrib/zookeeper-contrib-loggraph/pom.xml │ > > >>> > │ https://osv.dev/GHSA-qqpg-mvqg-649v │ 1.8 │ Maven │ > > >>> > ch.qos.logback:logback-core │ 1.3.15 │ 1.5.25 │ > > >>> > zookeeper-contrib/zookeeper-contrib-loggraph/pom.xml │ > > >>> > │ https://osv.dev/GHSA-25qh-j22f-pwp8 │ 5.9 │ Maven │ > > >>> > ch.qos.logback:logback-core │ 1.3.15 │ 1.3.16 │ > > >>> > zookeeper-contrib/zookeeper-contrib-rest/pom.xml │ > > >>> > │ https://osv.dev/GHSA-qqpg-mvqg-649v │ 1.8 │ Maven │ > > >>> > ch.qos.logback:logback-core │ 1.3.15 │ 1.5.25 │ > > >>> > zookeeper-contrib/zookeeper-contrib-rest/pom.xml │ > > >>> > │ https://osv.dev/GHSA-cfxw-4h78-h7fw │ 8.9 │ Maven │ > > >>> dnsjava:dnsjava > > >>> > │ 3.5.1 │ 3.6.0 │ > > >>> zookeeper-server/pom.xml > > >>> > │ > > >>> > │ https://osv.dev/GHSA-crjg-w57m-rqqf │ 7.7 │ Maven │ > > >>> dnsjava:dnsjava > > >>> > │ 3.5.1 │ 3.6.0 │ > > >>> zookeeper-server/pom.xml > > >>> > │ > > >>> > │ https://osv.dev/GHSA-mmwx-rj87-vfgr │ 7.1 │ Maven │ > > >>> dnsjava:dnsjava > > >>> > │ 3.5.1 │ 3.6.0 │ > > >>> zookeeper-server/pom.xml > > >>> > │ > > >>> > │ https://osv.dev/GHSA-4cx2-fc23-5wg6 │ 6.3 │ Maven │ > > >>> > org.bouncycastle:bcpkix-jdk18on (dev) │ 1.78 │ 1.79 │ > > >>> > zookeeper-server/pom.xml │ > > >>> > > > >>> > > > >>> > ╰─────────────────────────────────────┴──────┴───────────┴───────────────────────────────────────┴─────────┴───────────────┴──────────────────────────────────────────────────────╯ > > >>> > > > >>> > > >> >
