Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dependabot updates (via PRs) are paused #5481

Closed
14 tasks
achave11-ucsc opened this issue Aug 23, 2023 · 3 comments
Closed
14 tasks

Dependabot updates (via PRs) are paused #5481

achave11-ucsc opened this issue Aug 23, 2023 · 3 comments
Assignees
@achave11-ucsc
Labels
+ [priority] High bug [type] A defect preventing use of the system as specified infra [subject] Project infrastructure like CI/CD, build and deployment scripts no demo [process] Not to be demonstrated at the end of the sprint orange [process] Done by the Azul team

Comments

@achave11-ucsc
Copy link
Member

… causing visibility issues, since our daily notification to the operator requests to check on open PRs from Dependabot and SNYK. When this is paused the updates aren't actively being monitored.

  • Security design review completed; the Resolution of this issue does not
    • … affect authentication; for example:
      • OAuth 2.0 with the application (API or Swagger UI)
      • Authentication of developers with Google Cloud APIs
      • Authentication of developers with AWS APIs
      • Authentication with a GitLab instance in the system
      • Password and 2FA authentication with GitHub
      • API access token authentication with GitHub
      • Authentication with
    • … affect the permissions of internal users like access to
      • Cloud resources on AWS and GCP
      • GitLab repositories, projects and groups, administration
      • an EC2 instance via SSH
      • GitHub issues, pull requests, commits, commit statuses, wikis, repositories, organizations
    • … affect the permissions of external users like access to
      • TDR snapshots
    • … affect permissions of service or bot accounts
      • Cloud resources on AWS and GCP
    • … affect audit logging in the system, like
      • adding, removing or changing a log message that represents an auditable event
      • changing the routing of log messages through the system
    • … affect monitoring of the system
    • … introduce a new software dependency like
      • Python packages on PYPI
      • Command-line utilities
      • Docker images
      • Terraform providers
    • … add an interface that exposes sensitive or confidential data at the security boundary
    • … affect the encryption of data at rest
    • … require persistence of sensitive or confidential data that might require encryption at rest
    • … require unencrypted transmission of data within the security boundary
    • … affect the network security layer; for example by
      • modifying, adding or removing firewall rules
      • modifying, adding or removing security groups
      • changing or adding a port a service, proxy or load balancer listens on
  • Documentation on any unchecked boxes is provided in comments below
@achave11-ucsc achave11-ucsc added the orange [process] Done by the Azul team label Aug 23, 2023
@achave11-ucsc
Copy link
Member Author

This is preventable, simply reusing the branch created by Dependabot and adding the other Azul requirements as an additional commit would keep Dependabot engaged.

achave11-ucsc added a commit that referenced this issue Aug 23, 2023
@achave11-ucsc
[R] Ran requirements_update and wake Dependabot (#5481)
1ae00df
@achave11-ucsc
Copy link
Member Author

https://github.blog/2023-01-12-a-smarter-quieter-dependabot/

@achave11-ucsc achave11-ucsc mentioned this issue Aug 23, 2023
Merged
99 tasks
@achave11-ucsc achave11-ucsc self-assigned this Aug 23, 2023
@achave11-ucsc achave11-ucsc added bug [type] A defect preventing use of the system as specified infra [subject] Project infrastructure like CI/CD, build and deployment scripts + [priority] High and removed bug [type] A defect preventing use of the system as specified labels Aug 23, 2023
@nadove-ucsc nadove-ucsc added the demo [process] To be demonstrated at the end of the sprint label Aug 24, 2023
achave11-ucsc added a commit that referenced this issue Aug 24, 2023
@achave11-ucsc
[R] Ran requirements_update and wake Dependabot (#5481)
c748000
achave11-ucsc added a commit that referenced this issue Aug 24, 2023
@achave11-ucsc
[R] Ran requirements_update and wake Dependabot (#5481)
e11d68a
@nadove-ucsc nadove-ucsc added no demo [process] Not to be demonstrated at the end of the sprint and removed demo [process] To be demonstrated at the end of the sprint labels Aug 24, 2023
@nadove-ucsc
Copy link
Contributor

The existence of PR #5482 serves as the demo.

achave11-ucsc added a commit that referenced this issue Aug 24, 2023
@achave11-ucsc
[R] Bump gitpython from 3.1.30 to 3.1.32 and wake Dependabot (#5481, PR
7fb38a6 
#5482)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@achave11-ucsc achave11-ucsc

Labels
+ [priority] High bug [type] A defect preventing use of the system as specified infra [subject] Project infrastructure like CI/CD, build and deployment scripts no demo [process] Not to be demonstrated at the end of the sprint orange [process] Done by the Azul team
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@hannes-ucsc @achave11-ucsc @nadove-ucsc