Give your feedback about the osvVulnerabilityAlerts experimental feature
#20542
Replies: 34 comments 89 replies
-
It's a really cool feature! Especially when adding a label like 'security' it gives you a nice cross-repository overview. One improvement that would be welcome is the ability to have more control over major dependency updates and the 'dependencyDashboardApproval' flag. Right now, this configuration has no effect when fixedVersion reflects a major upgrade:

    "major": {
      "dependencyDashboardApproval": true
    }

Example issue: GHSA-r8f7-9pfq-mjmv

Another improvement / feature request: would it be possible to reflect the security risk in the PR title? Something like a Low/Medium/High/Critical suffix?
-
We enabled this feature yesterday and it's really really cool!
+1 - this would be a great enhancement!
-
I don't like the idea of enabling approval for security updates. Too easy to miss those updates.
-
That does make sense thinking about it. My first reaction was to initially disable it as some developers were surprised. Seeing the Maybe related. Could it be that custom package rules were
-
Not sure about this. Depending on who reports vulns, initially they are often overrated (esp. when found via Bug Bounty programs). Over time, GHSA and other sources react to community feedback, adapt the score, and renovate will silently also update the PR description. Changing the PR title would cause additional noise by renovate closing and reopening PRs.
-
Relevant to some of the discussions: renovate/lib/config/options/index.ts, lines 1653 to 1672 in e87af92. I'm not aware of anyone modifying that in the past, but it was intended to be possible. It says github-only there, but I think that's only used for documentation.
-
Only if the first PR was closed. In this case you'd get a replacement with the new severity. Otherwise, you would see the title updated in place without closing/opening.
-
saw a strange security PR autoclose
-
@viceice, you've hit an edge case that occurs with only 0.58% (83 / 14311) of OSV vulnerabilities (congrats on that 😉):
PR #20512 intends to correct this. Note that renovate still depends on semantically valid versions for comparisons. Hence, it will still not flag GHSA-gxr4-xjj5-5px2 for jquery 2.2.4, although affected. IMHO such cases should rather be corrected in the OSV advisory itself (1.2 -> 1.2.0), rather than in renovate by trying workarounds like semver-coerced versioning.
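To make the edge case in the comment above concrete, here is an added example (not code from renovate or from the commenter) that evaluates an OSV-style SEMVER range against a dependency version. The range events are constructed for illustration: the page only says the advisory lists "1.2" rather than "1.2.0", so the `introduced`/`fixed` values below are an assumption, as is the placeholder advisory id. With strict parsing, the non-canonical "1.2" event cannot be compared, so the check returns "undecided" and jquery 2.2.4 is silently not flagged; with coercion (1.2 -> 1.2.0) the same range correctly flags it.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed OSV-style range (assumption, not copied from a real advisory).
# The only detail taken from the discussion is that the advisory uses "1.2".
CONSTRUCTED_ADVISORY_ID = "GHSA-PLACEHOLDER"
CONSTRUCTED_EVENTS: List[Dict[str, str]] = [
    {"introduced": "1.2"},   # not strict semver: missing patch component
    {"fixed": "3.5.0"},
]

STRICT_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")
LOOSE_VERSION = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?$")


def parse_semver(version: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for a strictly valid x.y.z version, else None."""
    m = STRICT_SEMVER.match(version)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch))


def coerce_semver(version: str) -> Optional[str]:
    """Pad a loose version such as '1.2' to '1.2.0' (the correction suggested for the advisory)."""
    m = LOOSE_VERSION.match(version)
    if not m:
        return None
    return f"{m.group(1)}.{m.group(2) or '0'}.{m.group(3) or '0'}"


def is_affected(version: str, events: List[Dict[str, str]], coerce: bool = False) -> Optional[bool]:
    """Evaluate a sorted list of OSV SEMVER events against a dependency version.

    Returns True (affected), False (not affected), or None when an event carries a
    version that is not strict semver and coercion is off: the comparison cannot be
    made, the event is effectively skipped, and the dependency is never flagged.
    """
    target = parse_semver(version)
    if target is None:
        return None
    affected = False
    for event in events:
        for kind, raw in event.items():
            if raw == "0":
                bound: Optional[Tuple[int, int, int]] = (0, 0, 0)  # OSV: "introduced": "0" = all
            else:
                candidate = coerce_semver(raw) if coerce else raw
                bound = parse_semver(candidate) if candidate is not None else None
            if bound is None:
                return None  # unparseable event: undecidable, silently unflagged
            if kind == "introduced" and target >= bound:
                affected = True
            elif kind == "fixed" and target >= bound:
                affected = False
    return affected


if __name__ == "__main__":
    for mode in (False, True):
        verdict = is_affected("2.2.4", CONSTRUCTED_EVENTS, coerce=mode)
        print(f"{CONSTRUCTED_ADVISORY_ID} jquery 2.2.4 coerce={mode}: {verdict}")
```

The `None` verdict is the interesting one from a defender's perspective: a data-quality problem in the advisory turns into a silent false negative in the scanner, which is why fixing the advisory at the source is preferable to each consumer guessing at coercion rules.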
-
@Churro thanks for finding the cause ❤️ can you upstream the version fix too?
-
I really love the idea of this vulnerability alert. We also had this issue with flapping merge requests in hosted gitlab. All merge requests created by this feature were autoclosed several times. Since we have just started using renovate on that repository it didn't bother that much. I noticed it though. Another thing I noticed was the github ratelimit in this case. We authenticate to github for the release notes already with a personal token, but it seems that token is not used for these alerts.
Could this be the reason for the flip-flopping? If yes, how can I make renovate use the github token for these calls?
-
@vquie, flapping PRs are most likely related to hitting the API limit. This has been addressed with renovatebot/osv-offline#230, which found its way into renovate 34.142.0. Can you please check if the issue is gone after updating renovate?
-
Thanks @Churro. I just updated to the latest helm release and will monitor it.
-
Currently, renovate raises no vulnerability fix PRs for dependencies that are disabled explicitly or by using a preset like Proposition: Add an opt-in config flag (= disabled by default) to Any thoughts on that? Let me know if this is something you'd also find useful 👍 or not 👎
-
Not sure if it's really an issue but I've observed the following message in logs for a project with NPM manager:
Is the unsupported version because of the
-
What does it mean to skip an OSV event?
The osv.dev CLI tool seems to work fine locally with finding the vulnerabilities.
-
Does this feature support GitLab?
-
Is there a way to group by vulnerability severity? Or create a group with just vulnerabilities? Example: Many places have a policy of "address critical vulnerabilities within X time period". It would be very beneficial to be able to group updates by vulnerability severity to aid in triage and prioritization.
-
Hello!
-
The feature is really cool 🥳 One thing that could be interesting, given many tools use this figure as a KPI, would be to also support indirect dependencies for npm projects (dependabot does that). In other words, supporting vulnerabilities coming from indirect dependencies listed within lock files and then being able to bump whatever is needed to drop that potential issue would be awesome (maybe not by default, but at least provide one way to support that).
-
We've recently activated this feature for our project using maven and npm. Since we rely a lot on spring-boot-starters and usually transitive dependencies are vulnerable, it would be beneficial for us if transitive dependencies for maven are supported. Are there any plans to support this in the future?
-
One thing I have not yet fully understood: From the website it looks like there will be more security PRs? Also I had to read this thread to find out that you can combine those two options to have more control. I think a hint about that should be part of the documentation. On the feature side I think it would be really beneficial to be able to filter out certain "levels", but it looks like there is no such thing in the OSV schema, so maybe that's why it's not possible?
-
Personally, I wanted to use
-
Hello, is this correct configuration for my use case? I want gitlab merge requests to be automatically created only for major updates or vulnerability fixes.
-
We are using AWS CodeArtifact with an upstream repo of PyPI, and none of the vulnerabilities are marked in our renovate pull requests (repos that directly use pypi work correctly). Is there a way to tell the OSV checker to check the packages in our CodeArtifact repo against the osv database?
-
We are seeing a weird behavior with
-
Hi, we saw that the osv alerts are integrated with maven, but they don't suggest patches for the same dependencies that are requested by gradle. We would be willing to implement this feature, since there's already a way of updating the dependencies of gradle packages. We're thinking it's just a matter of using the mvn vulnerabilities from osv but checking the build.gradle file. If you think it makes sense, I can create an issue. Thanks!
-
I noticed another peculiarity... It seems that when a package in the Pipfile does not match the case of the package in the OSV, a security update is not created (with the So the Pipfile has: In the log of renovate runs I see (note lowercase pillow):
When it outputs the json for the update it outputs this for Pillow (note depName mixedcase and no branch with
Let me know if I gave you enough information or if you need me to give you any more details... Geoff
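The case-mismatch report above is a name-matching problem rather than a version problem, so here is an added example (not renovate's code, and not the commenter's) showing how a lockfile dependency name and an OSV package name can fail to line up when compared literally, and how comparing them after PEP 503 normalisation (lowercase, with runs of `-`, `_` and `.` collapsed to a single `-`) closes that gap. The Pipfile.lock fragment and the advisory records, including their ids, are constructed for this example; the only detail taken from the report is the `Pillow` vs `pillow` spelling.

```python
import json
import re
from typing import Dict, List

# Constructed Pipfile.lock fragment (assumption): mixed-case names as a developer might write them.
CONSTRUCTED_PIPFILE_LOCK = json.dumps({
    "default": {
        "Pillow": {"version": "==9.0.0"},
        "Typing_Extensions": {"version": "==4.0.0"},
    }
})

# Constructed OSV-style advisory records with placeholder ids (assumption). OSV stores
# PyPI package names in their normalised, lowercase form.
CONSTRUCTED_ADVISORIES: List[Dict] = [
    {"id": "ADVISORY-PLACEHOLDER-1", "package": {"ecosystem": "PyPI", "name": "pillow"}},
    {"id": "ADVISORY-PLACEHOLDER-2", "package": {"ecosystem": "PyPI", "name": "typing-extensions"}},
    {"id": "ADVISORY-PLACEHOLDER-3", "package": {"ecosystem": "npm", "name": "pillow"}},
]


def normalize_pypi_name(name: str) -> str:
    """PEP 503 name normalisation: lowercase, runs of '-', '_' and '.' become one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def match_advisories(pipfile_lock: str, advisories: List[Dict], normalize: bool) -> Dict[str, List[str]]:
    """Map each locked dependency name to the ids of PyPI advisories whose package name matches it.

    With normalize=False the names are compared byte-for-byte, which is the behaviour
    that silently drops the 'Pillow' vs 'pillow' case in the report; with normalize=True
    both sides go through PEP 503 normalisation first.
    """
    deps = json.loads(pipfile_lock)["default"]
    matches: Dict[str, List[str]] = {}
    for dep_name in deps:
        key = normalize_pypi_name(dep_name) if normalize else dep_name
        hits: List[str] = []
        for advisory in advisories:
            package = advisory["package"]
            if package["ecosystem"] != "PyPI":
                continue  # same name in another ecosystem is a different package
            adv_name = normalize_pypi_name(package["name"]) if normalize else package["name"]
            if adv_name == key:
                hits.append(advisory["id"])
        matches[dep_name] = hits
    return matches


if __name__ == "__main__":
    for mode in (False, True):
        print(f"normalize={mode}:", match_advisories(CONSTRUCTED_PIPFILE_LOCK, CONSTRUCTED_ADVISORIES, mode))
```

The ecosystem filter matters as much as the normalisation: a package called `pillow` on npm is unrelated to the PyPI one, so a matcher that only compares names would produce false positives once it stops producing false negatives.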
-
Would something like https://github.com/AppThreat/vulnerability-db positively broaden the available offline data for vulnerability analysis?
-
Hey, it's not quite clear to me from the docs whether the options under
-
Tell us how you like the new osvVulnerabilityAlerts experimental feature. What works for you, what doesn't work for you? Do you see anything we could improve? Let us know what you think! 😉