
Security update doesn't catch vulnerable packs


I’m trying to run Dependabot only for security updates, but it looks like it doesn’t catch vulnerable packs. As an example I used simple-git v3.5.0 (Snyk: simple-gi ) - which has been reported in my WhiteSource scan. To force security updates I used: open-pull-requests-limit: 0 so I can see in the console:

Pull requests limit is set to zero. Security only updates are implied.
...
Checking if simple-git 3.5.0 is vulnerable
simple-git 3.5.0 is not vulnerable

Any explanation why it doesn’t see this pack as vulnerable? Is there any other parameter that should be provided to support this type of update?

Used latest version of extension (0.14.1.420).

Issue Analytics

  • State: closed
  • Created 8 months ago
  • Comments:5 (3 by maintainers)

Top GitHub Comments

1 reaction
mburumaxwell commented, Jan 26, 2023

@BeataKr Checking for vulnerabilities in the GitHub GraphQL API requires authentication hence a GitHub access token must be supplied. This can only be done in the task using either gitHubConnection or gitHubAccessToken input.

For example:

steps:
- task: dependabot@1
  inputs:
    gitHubAccessToken: $(MyVeryPrivateGitHubPAT)

Create MyVeryPrivateGitHubPAT as a variable in the pipeline.

This should be a classic PAT with public_repo permission.
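The point in the comment above is that the vulnerability check goes to GitHub's GraphQL advisory API, which requires authentication, and that without a token the task ends up reporting "is not vulnerable". The script below is an added example, not code from the dependabot-azure-devops extension: it queries the same `securityVulnerabilities` GraphQL field with a PAT read from an environment variable, refuses to conclude "not vulnerable" when no token is present, and matches a package version against the returned vulnerable ranges. The GraphQL query is written from the public GitHub schema as I understand it and should be verified against it; the `GITHUB_TOKEN` variable, the helper names and the sample advisory list (with placeholder GHSA ids and constructed ranges) are assumptions.

```python
"""Check one package version against GitHub's advisory database.

Added example (not part of the dependabot-azure-devops project).  The
advisory nodes in SAMPLE_NODES are constructed for illustration; the
GHSA ids are placeholders, not real advisories.
"""
import json
import os
import re
import urllib.request

GRAPHQL_URL = "https://api.github.com/graphql"

# Assumed to match the public GitHub GraphQL schema for securityVulnerabilities.
QUERY = """
query($ecosystem: SecurityAdvisoryEcosystem!, $package: String!) {
  securityVulnerabilities(ecosystem: $ecosystem, package: $package, first: 100) {
    nodes {
      vulnerableVersionRange
      advisory { ghsaId summary severity }
      firstPatchedVersion { identifier }
    }
  }
}
"""

OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
}

CONSTRAINT = re.compile(r"\s*(<=|>=|<|>|=)\s*([0-9.]+)\s*$")


def parse_version(text):
    """Numeric dotted versions only (3.5.0); pre-release tags are not handled."""
    return tuple(int(part) for part in text.strip().split("."))


def in_range(version, range_expr):
    """GitHub ranges are comma-separated constraints that must all hold,
    e.g. '< 3.6.0' or '>= 3.0.0, < 3.6.0'."""
    v = parse_version(version)
    for part in range_expr.split(","):
        match = CONSTRAINT.match(part)
        if not match:
            raise ValueError("unrecognised constraint: %r" % part)
        op, target = match.group(1), parse_version(match.group(2))
        if not OPS[op](v, target):
            return False
    return True


def matching_advisories(version, nodes):
    """Advisory nodes whose vulnerable range covers the given version."""
    return [n for n in nodes if in_range(version, n["vulnerableVersionRange"])]


def check_package(ecosystem, package, version, token):
    """Query GitHub and return matching advisories.  A missing token is an
    error: an unauthenticated query cannot prove the version is clean."""
    if not token:
        raise RuntimeError(
            "no GitHub token: the advisory query cannot run, so "
            "'not vulnerable' must not be concluded")
    body = json.dumps({"query": QUERY,
                       "variables": {"ecosystem": ecosystem, "package": package}})
    req = urllib.request.Request(
        GRAPHQL_URL, data=body.encode(),
        headers={"Authorization": "bearer " + token,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        data = json.load(resp)
    if "errors" in data:
        raise RuntimeError("GraphQL errors: %s" % data["errors"])
    nodes = data["data"]["securityVulnerabilities"]["nodes"]
    return matching_advisories(version, nodes)


# Constructed sample response: ranges and ids are illustrative only.
SAMPLE_NODES = [
    {"vulnerableVersionRange": "< 3.3.0",
     "advisory": {"ghsaId": "GHSA-placeholder-0001", "summary": "sample 1",
                  "severity": "HIGH"},
     "firstPatchedVersion": {"identifier": "3.3.0"}},
    {"vulnerableVersionRange": ">= 3.0.0, < 3.6.0",
     "advisory": {"ghsaId": "GHSA-placeholder-0002", "summary": "sample 2",
                  "severity": "MODERATE"},
     "firstPatchedVersion": {"identifier": "3.6.0"}},
]

if __name__ == "__main__":
    # Offline demonstration against the constructed sample.
    for hit in matching_advisories("3.5.0", SAMPLE_NODES):
        print("3.5.0 matches", hit["advisory"]["ghsaId"], hit["vulnerableVersionRange"])
    # Live query only when a token is configured (assumed env var name).
    token = os.environ.get("GITHUB_TOKEN")
    if token:
        for hit in check_package("NPM", "simple-git", "3.5.0", token):
            print(hit["advisory"]["ghsaId"], hit["advisory"]["summary"])
```

The offline matcher is the part worth keeping around: when a scanner such as the one in this issue says a version is clean, you can feed the advisory nodes you actually received into `matching_advisories` and see whether "not vulnerable" came from a real empty result or from a query that never ran.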

0 reactions
mburumaxwell commented, Jan 26, 2023

You are right. Having gitHubAccessToken resolves the problem - would be nice to see such information in the documentation (regarding security updates).

I’m glad your issue is resolved. You could contribute documentation similar to #483?
