WIP: Re-enable Dependabot security updates #1071
Conversation
GitHub automatically opts all qualifying repos in for security updates, but this gets overwritten by the presence of a `dependabot.yml` file, which we have in most repos. We’ll therefore need to edit the Dependabot config to fix security related PRs not being raised. It’s not immediately clear from the docs exactly what’s needed to opt in, but we believe our use of an allow-list may be the issue. We get some value from configuring Dependabot to raise fewer PRs (i.e. only update the dependencies we care about), but we need security updates for _all_ dependencies, so this commit is an attempt to write a rule that allows security PRs but won’t affect the rest of our config. See https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#overriding-the-default-behavior-with-a-configuration-file Trello: https://trello.com/c/nqliwwxV/2952-investigate-how-to-fix-dependabot-not-raising-security-prs
|
Looks like there's no way to validate this config until it's on Unless I change the repo's default branch to I'll do that now, and change it back after trying a Dependabot run. |
|
Yeah, that's not allowed...
Error message: |
We think Brakeman is only raising security PRs for direct dependencies, so if a security vulnerability exists in a subdependency, we're not getting PRs. This commit should fix that.
Bumps [brakeman](https://github.com/presidentbeef/brakeman) from 5.2.1 to 5.2.3. - [Release notes](https://github.com/presidentbeef/brakeman/releases) - [Changelog](https://github.com/presidentbeef/brakeman/blob/main/CHANGES.md) - [Commits](presidentbeef/brakeman@v5.2.1...v5.2.3) --- updated-dependencies: - dependency-name: brakeman dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [gds-api-adapters](https://github.com/alphagov/gds-api-adapters) from 81.0.3 to 81.0.4. - [Release notes](https://github.com/alphagov/gds-api-adapters/releases) - [Changelog](https://github.com/alphagov/gds-api-adapters/blob/main/CHANGELOG.md) - [Commits](alphagov/gds-api-adapters@v81.0.3...v81.0.4) --- updated-dependencies: - dependency-name: gds-api-adapters dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
This only defines whether we want to get PRs for subdependencies of brakeman.
According to [the docs](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#target-branch), Dependabot will ignore the configs in dependabot.yml for security PRs, if a target-branch has been set to something other than the default branch. I'm hoping to accomplish two things with these changes: 1) Allow security PRs through again (even if they are for dependencies not on the `allow` list) 2) Have a way of distinguishing between security and non security related PRs (by the absence of the new `not-security` label). Apart from the verbosity of the config, this does cause one new issue: what to do with the `latest-dependencies` branch (we'll definitely have to automate merging that to `main`, or at least automate opening a PR to `main`). We'll also need to figure out what happens if the `latest-dependencies` branch has not been created yet.
|
Nice - so we do need to manually create the branch first.
|
This was fixed in #1064. An ActiveRecord vulnerability existed which was fixed by a patch in Rails. By removing it, I'm hoping Dependabot will raise a PR to patch Rails again. This time, however, I've also removed Rails (and related gems) from the allow-list, which previously would have stopped the security PR from being raised. Now that we have the `target-branch` workaround, I'm hoping the PR will be raised. I will need to recreate the `latest-dependencies` branch from this branch first, and then trigger a Dependabot scan.
|
Triggered a Dependabot scan: https://github.com/alphagov/content-data-admin/network/updates/433990960 The Dependabot security PRs presumably are raised through some other process, e.g. a nightly scan. I can't see anything to trigger a security scan in https://github.com/alphagov/content-data-admin/security - maybe if we leave it overnight it will do that? Or maybe security PRs are only raised for recently declared vulnerabilities? |
|
I'm afraid at this point I may have to call in our good ex colleague, @issyl0! 👋 Long time no speak! I believe you're on the Dependabot team these days...? In RFC-126, we arrived at a Dependabot configuration that cut down the number of PRs raised, as hoped. An unexpected consequence of that is we've stopped receiving security updates for dependencies unless they're explicitly listed 😬 There was a recent CVE-2022-32224 in Active Record, which GitHub reviewed and categorised as High Severity, but Dependabot didn't open any PRs to bump it to the patched version. Running the Dependabot scanner on the email-alert-api repo, we can see: Dependabot did eventually raise a PR bumping Rails, as that is allowed in the config. We ended up manually raising a number of PRs to bump ActiveRecord in all of our repositories. Is there a way of enabling security-related updates for all dependencies & subdependencies, whilst still retaining the opinionated configs we have for general version updates? I was really hoping for a I've found https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates, but that's dedicated mostly to enabling security updates in the repo settings (which we've done). The Any suggestions would be gratefully received. 🙏 Thanks in advance! |
|
Hello! I now work on the Code Scanning functionality, but luckily for you the wider Advanced Security group that I'm part of does include Dependabot and some very kind colleagues helped me out here. 🙇🏻 It would appear that your use of TL;DR: You need to switch to using Thinking back to the size of the Gemfiles and the amount of lesser cared about gems and the maintenance of these lists across your repos vs. the smaller allowlist that you've got so far, I would probably suggest scripting the generation of the ignore lists, such that everything not in the list of n gems that you care about gets ignored. But you do you! ❤️ |
|
Thanks @issyl0! 🙌 |
Bump brakeman from 5.2.1 to 5.2.3
…pters-81.0.4 Bump gds-api-adapters from 81.0.3 to 81.0.4
GitHub automatically opts all qualifying repos in for security
updates, but this gets overwritten by the presence of a
dependabot.ymlfile, which we have in most repos. We’lltherefore need to edit the Dependabot config to fix security
related PRs not being raised.
It’s not immediately clear from the docs exactly what’s needed
to opt in, but we believe our use of an allow-list may be the
issue.
We get some value from configuring Dependabot to raise fewer PRs
(i.e. only update the dependencies we care about), but we need
security updates for all dependencies, so this PR is an
attempt to arrive at a configuration that allows security PRs but that
doesn't break our existing behaviour.
See https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#overriding-the-default-behavior-with-a-configuration-file
Trello: https://trello.com/c/nqliwwxV/2952-investigate-how-to-fix-dependabot-not-raising-security-prs