On Mon, May 3, 2021 at 10:24 PM Oleg Nenashev <o.v.nenas...@gmail.com>
wrote:

> >> Would you like to participate as a contributor?
> > What does this entail?
>
> That's a good question, to be seen. As a part of the pilot project we will
> need:
>
>    - Try out LFX Security 2.0 and configure it for some of our projects
>    - Explore options for filtering out false positives, find a solution
>    for the Jenkins project taking its scale and needs
>    - Try out other features like license analysis
>    - Document the implementation for other maintainers
>    - Keep evaluation notes and share feedback with Snyk/LFX Security. If
>    we experience blockers, multiple iterations might be required
>
> Note from the discussion: It is unlikely that we will be able to use
> Snyk's standard GitHub integration via GitHub App. We will likely need to
> integrate scanning submissions into our Jenkins pipelines (there is a Snyk
> plugin FTR) or to use GitHub Actions. Reason: the GitHub Integration cannot
> handle custom Bills of Materials, which will be supported by the LFX
> Security 2.0 API (actually, by the Snyk backend).
>

Right, that's what I mentioned further down. I don't see CVE ignore lists
having satisfactory results for plugin maintainers as soon as plugin/core
dependencies are scanned.

I'd like to contribute to this effort; unfortunately, I don't know yet how
much time I can actually commit to this.

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Developers" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/CAMo7PtJUKYidTx_ZF%2BHb5p3gihjFgr59dqix9q53vRZCnLCY0g%40mail.gmail.com.