Kubeapps: Decide how to perform a periodic review of the project's dependencies

Created on 12 Jan 2021  路  7Comments  路  Source: kubeapps/kubeapps

As already pointed out in https://github.com/kubeapps/kubeapps/issues/2228 and https://github.com/kubeapps/kubeapps/pull/2224, we should perform a periodic analysis of Kubeapps' dependencies in order to be aware of any vulnerability or deprecation.

Currently, the process of how to update deps is unclear (besides some attempts to update it, e.g., https://github.com/kubeapps/kubeapps/pull/2231).
I personally think the process is twofold:

  • [x] Add an automatic dependency scanner. There exist solutions, including but not limited to, such as Snyk or Trivy that perform this task.
  • [x] Add an automatic bot to bump up the versions.
  • [x] Update the docs with a consistent process that includes:

    1. when we should update the deps (each version increase? when a vulnerability with severity>=medium appears?, each time a new version is published? Note that dependabot can be configured for bumping up versions periodically. (example here: https://github.com/antgamdia/kubeapps/blob/master/.github/dependabot.yml)

    2. which deps should be updated (e.g., in releases, bump up minor/patch, weekly check security alerts and merge PRs)

    3. how to proceed when the version bump implies changes in the code

    4. in which cases we should ignore a security warning (e.g., a vulnerable dep, with no current updates but only used in build-time)

This issue is just for us to add our comments and to reach an agreement on what to do regarding dependencies.

sizS

All 7 comments

As suggested in offline discussions, here is a very initial evaluation of both Snyk and Trivy tools:

https://via.vmw.com/2021-kubeapps-deps-tool

If you prefer to move there the discussion on how we plan to update deps (in general, not regarding security updates) , I'm also ok with that.

Regarding the idea of how to keep our deps up to date, I'd start by setting up Dependabot properly. Now it is only alerting about (some) security updates, but it is much more powerful. It is integrated within Github and it will just send PRs. WDYT?
https://docs.github.com/en/github/administering-a-repository/enabling-and-disabling-version-updates

Sounds good. Regarding the security report, I am okay using snyk.

Snyk added! Let's see how it behaves.
Also, I've noticed that it also check for general upgrades [1], so let's hold the Dependabot config for a while then.

[1] https://support.snyk.io/hc/en-us/articles/360006581898-Upgrading-dependencies-with-automatic-PRs

Mmm, it seems Snyk isn't generating these PRs. I've set Dependabot up in my fork and see how it looks like:

image

The config is straightforward: https://github.com/antgamdia/kubeapps/blob/master/.github/dependabot.yml

WDYT?

I'm worried about how much extra work this is going to cause but I am fine giving it a try.

Fine with me - it's doing work for us that we'd otherwise have to do. If it's as simple as clicking Merge when tests have passed, I'm all for it :)

Was this page helpful?
0 / 5 - 0 ratings