From 7b468a04f2dafd00c4eb6daa97528f9581bec106 Mon Sep 17 00:00:00 2001 From: Hallgeir Holien Date: Thu, 20 Jan 2022 11:06:53 +0100 Subject: [PATCH 1/2] Dependabot config file link It seems like dependabot.com is gone and the documentation of configuration file has now moved to https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates --- docs/checks.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/checks.md b/docs/checks.md index c45b2c4ced9..f775be66903 100644 --- a/docs/checks.md +++ b/docs/checks.md @@ -291,7 +291,7 @@ The highest score is awarded when all workflows avoid the dangerous code pattern Risk: `High` (possibly vulnerable to attacks on known flaws) This check tries to determine if the project uses a dependency update tool, -specifically [dependabot](https://dependabot.com/docs/config-file/) or +specifically [dependabot](https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates) or [renovatebot](https://docs.renovatebot.com/configuration-options/). Out-of-date dependencies make a project vulnerable to known flaws and prone to attacks. These tools automate the process of updating dependencies by scanning for 
@@ -309,7 +309,7 @@ low score is therefore not a definitive indication that the project is at risk. **Remediation steps** -- Signup for automatic dependency updates with [dependabot](https://dependabot.com/docs/config-file/) or [renovatebot](https://docs.renovatebot.com/configuration-options/) and place the config file in the locations that are recommended by these tools. Due to https://github.com/dependabot/dependabot-core/issues/2804 Dependabot can be enabled for forks where security updates have ever been turned on so projects maintaining stable forks should evaluate whether this behavior is satisfactory before turning it on. +- Signup for automatic dependency updates with [dependabot](https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates) or [renovatebot](https://docs.renovatebot.com/configuration-options/) and place the config file in the locations that are recommended by these tools. Due to https://github.com/dependabot/dependabot-core/issues/2804 Dependabot can be enabled for forks where security updates have ever been turned on so projects maintaining stable forks should evaluate whether this behavior is satisfactory before turning it on. ## Fuzzing From 68ec174cae5995225abcc2d3fb2fb2a3f6bd57b9 Mon Sep 17 00:00:00 2001 From: Hallgeir Holien Date: Fri, 21 Jan 2022 11:33:51 +0100 Subject: [PATCH 2/2] Updated dependabot docs link --- docs/checks/internal/checks.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/checks/internal/checks.yaml b/docs/checks/internal/checks.yaml index 8ec91450951..cae023fb87d 100644 --- a/docs/checks/internal/checks.yaml +++ b/docs/checks/internal/checks.yaml 
@@ -50,7 +50,7 @@ checks: Risk: `High` (possibly vulnerable to attacks on known flaws) This check tries to determine if the project uses a dependency update tool, - specifically [dependabot](https://dependabot.com/docs/config-file/) or + specifically [dependabot](https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates) or [renovatebot](https://docs.renovatebot.com/configuration-options/). Out-of-date dependencies make a project vulnerable to known flaws and prone to attacks. These tools automate the process of updating dependencies by scanning for @@ -69,7 +69,7 @@ checks: remediation: - >- Signup for automatic dependency updates with - [dependabot](https://dependabot.com/docs/config-file/) or + [dependabot](https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates) or [renovatebot](https://docs.renovatebot.com/configuration-options/) and place the config file in the locations that are recommended by these tools. Due to https://github.com/dependabot/dependabot-core/issues/2804 Dependabot can
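Review bot: In the docs/checks.md hunk at @@ -291 (PATCH 1/2) the description text is word-for-word the same block that PATCH 2/2 later fixes in docs/checks/internal/checks.yaml at @@ -50, so the first commit on its own leaves the two copies of this paragraph out of sync; fold the two commits into one (or land the YAML change first) so no intermediate revision has the markdown and the YAML pointing at different URLs, and grep the tree for the remaining `dependabot.com/docs/config-file` string before merging, since the same link may live in places this patch does not touch.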
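Review bot: The docs/checks.md hunk at @@ -309 replaces a short URL with one of roughly 170 characters inside an already long remediation bullet, which makes the markdown line hard to read in a diff; a reference-style link (for example `[dependabot][dependabot-config]` with the URL defined once at the end of the file) would let the next URL move touch a single line. While the line is being rewritten anyway, the pre-existing wording could be tidied: "Signup" should be "Sign up", and a comma after "issues/2804" would separate the issue reference from the sentence that follows it.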
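Review bot: The docs/checks/internal/checks.yaml hunk at @@ -69 is cut off on this page after "Dependabot can", so the trailing context lines of the remediation entry are not visible for review; the changed line sits inside a `>-` folded scalar, where indentation is significant, so confirm that the new line carrying the long URL keeps exactly the same leading indentation as its neighbours and that the file still parses, because a one-space indentation slip inside a folded block changes the rendered text without any YAML error.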