Consider adding vulnerability detection to PR checks in SBRP #4577
Labels
area-sbrp
Source build reference packages
Comments
|
See also dotnet/arcade#15019 |
ViktorHofer
added a commit
to dotnet/source-build-reference-packages
that referenced
this issue
Aug 26, 2024
Contributes to dotnet/arcade#15019 Fixes dotnet/source-build#4577
MichaelSimons
added
area-prebuilts
|
Related to #3559 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
In this PR comment, it was highlighted that we might accidentally introduce (or re-introduce) vulnerable packages into SBRP without being aware of potential vulnerabilities until we check for them internally.
Given the complexity of removing certain packages in SBRP (adding a new package, waiting for rebootstrap, removing the old package, updating self-reference), it's crucial to avoid adding vulnerable packages whenever possible. Implementing a validation check in PRs to detect vulnerable packages would be beneficial. We need a solution that is easy to use and does not require submitting reports to an internal system. According to this blog post, the dotnet CLI can detect vulnerabilities using the command dotnet list package --vulnerable in projects, so we might be able to leverage that.
The other thing to consider is whether we'd want to detect already-checked-in packages for vulnerabilities, or if we'd rather only check packages being introduced in the PR.
The text was updated successfully, but these errors were encountered: