Closed Bug 1479481 Opened 7 years ago Closed 7 years ago

Enable vulnerability alerts for Renovate

Categories

(mozilla.org :: Github: Administration, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: openjck, Assigned: hwine)

References

Details

Renovate added a new feature which detects vulnerable dependencies and opens pull requests to upgrade them immediately, even when Renovate is otherwise configured to open pull requests less frequently. For this feature to work, Renovate requires new permissions. It sent an email with the subject line "A GitHub App, Renovate, is requesting updated permissions" which links to a page where the new permissions can be enabled. You may have already done this, but I thought it wouldn't hurt to open a bug just in case. I've been looking forward to this feature. Here's a blog post with more info: https://renovatebot.com/blog/github-vulnerability-alerts Thanks!
John -- please provide the following information (I'm not familiar with Renovate):

a) is there a way for Renovate users to disable this new feature of auto-PR filing?
b) if not, is there a way to disable auto-PR filing entirely?

Since GitHub does not provide any way to limit access to issues & PRs, some repository admins are concerned about auto-PR for security issues being a "hey, come attack me" flag. If Renovate doesn't provide such configuration options, we'll want to ensure "concerned repo admins" are informed, and know their options, before we throw the switch.

Thanks for filing a bug! Our "typical policy lore" for increased permission requests from Apps is to not grant them until someone asks. Then we can have this discussion.
Flags: needinfo?(jkarahalis)
(In reply to Hal Wine [:hwine] (use NI) from comment #1)
> Thanks for filing a bug! Our "typical policy lore" for increased permission
> requests from Apps is to not grant them until someone asks. Then we can have
> this discussion.

Good to know! Happy to help.

> a) is there a way for Renovate users to disable this new feature of auto-PR
> filing?

Yes, Renovate users can apparently disable PRs that mention vulnerabilities by setting this option:

  {
    "vulnerabilityAlerts": {
      "enabled": false
    }
  }

More info here: https://renovatebot.com/docs/configuration-options/#vulnerabilityalerts

> b) if not, is there a way to disable auto-PR filing entirely?

Renovate can be completely disabled by setting enabled: false. More info here: https://renovatebot.com/docs/configuration-options/#enabled
Flags: needinfo?(jkarahalis)
Sweet! Let me contact the impacted admins, and give them a week to change their setting (if they want). Then we'll accept the new permissions requested.
Flags: needinfo?(hwine)
Issues opened on all current repositories using Renovate. Cutover date set to 2018-08-08.
Is there a way to also prevent Renovate from accessing vulnerability data?
:marco see comment 2
Flags: needinfo?(hwine)
read only on vulnerability alerts granted
Assignee: nobody → hwine
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Many thanks :-)
(In reply to Hal Wine [:hwine] (use NI, please) from comment #6)
> :marco see comment 2

What I meant was not to just disable the feature, but to prevent Renovate from seeing vulnerability alerts altogether.
(In reply to Marco Castelluccio [:marco] from comment #10)
> (In reply to Hal Wine [:hwine] (use NI, please) from comment #6)
> > :marco see comment 2
>
> What I meant was not to just disable the feature, but to prevent Renovate
> from seeing vulnerability alerts altogether.

I'm not sure what you mean by this. Vulnerability alerts/issues are able to be seen by anyone running `npm audit` (and presumably looking at a web-facing page somewhere), they could check out your code and run it, or just formulate a list of the known vulns, and then look in your package-lock.json etc.
(In reply to Mark Banner (:standard8) from comment #11)
> (In reply to Marco Castelluccio [:marco] from comment #10)
> > (In reply to Hal Wine [:hwine] (use NI, please) from comment #6)
> > > :marco see comment 2
> >
> > What I meant was not to just disable the feature, but to prevent Renovate
> > from seeing vulnerability alerts altogether.
>
> I'm not sure what you mean by this. Vulnerability alerts/issues are able to
> be seen by anyone running `npm audit` (and presumably looking at a
> web-facing page somewhere), they could check out your code and run it, or
> just formulate a list of the known vulns, and then look in your
> package-lock.json etc.

I meant disabling the GitHub permission for Renovate. I know they could do it themselves, but having the data readily available from GitHub is easier.
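The point made in comment #11, that anyone holding a public advisory list can recover the same "vulnerable dependency" findings from a committed package-lock.json, can be shown concretely. The script below is an added illustration and is not part of this bug or of Renovate; it is a minimal offline lock-file audit in the style of `npm audit`. The lock file, the package names and the advisory entries (`EXAMPLE-1` through `EXAMPLE-3`) are all constructed placeholders for the example, not real packages or advisories, and the semver range matching is deliberately reduced to plain comparators.

```python
"""Offline check of a package-lock.json against a known-vulnerability list.

Added example: demonstrates that the findings GitHub's vulnerability alerts
carry are derivable by anyone who can read the lock file plus a public
advisory feed.  Every input below is constructed; package names and
advisory ids are placeholders, not real packages or advisories.
"""
import json
import re

# Constructed sample lock file (lockfileVersion 2 layout, "packages" map).
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"dependencies": {"left-pad-ish": "^1.0.0"}},
        "node_modules/left-pad-ish": {"version": "1.1.3"},
        "node_modules/deep-merge-ish": {"version": "4.2.0"},
        "node_modules/left-pad-ish/node_modules/tiny-util": {"version": "0.9.0"},
    },
})

# Constructed advisory list (hypothetical ids and ranges).
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-1", "package": "left-pad-ish", "vulnerable_versions": "<1.2.0"},
    {"id": "EXAMPLE-2", "package": "deep-merge-ish", "vulnerable_versions": ">=4.0.0 <4.2.1"},
    {"id": "EXAMPLE-3", "package": "tiny-util", "vulnerable_versions": ">=1.0.0"},
]

# One comparator: optional operator followed by a MAJOR.MINOR.PATCH version.
_COMPARATOR = re.compile(r"(<=|>=|<|>|=)?\s*(\d+\.\d+\.\d+)")


def parse_version(version):
    """'1.2.3' -> (1, 2, 3).  Pre-release suffixes are dropped in this example."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def in_range(version, range_expr):
    """True if version satisfies every space-separated comparator in range_expr."""
    v = parse_version(version)
    for op, bound in _COMPARATOR.findall(range_expr):
        b = parse_version(bound)
        satisfied = {"<": v < b, "<=": v <= b, ">": v > b, ">=": v >= b,
                     "=": v == b, "": v == b}[op]
        if not satisfied:
            return False
    return True


def installed_packages(lock_text):
    """Yield (name, version) pairs from a lock file.

    Handles the lockfileVersion 2/3 "packages" map (keys are paths such as
    node_modules/a/node_modules/b) and the lockfileVersion 1 nested
    "dependencies" tree.
    """
    lock = json.loads(lock_text)
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if not path:
                continue  # the root project entry has no version of interest
            # Keep everything after the last "node_modules/", so scoped names survive.
            name = path.split("node_modules/")[-1]
            yield name, meta["version"]
        return

    def walk(deps):
        for name, meta in deps.items():
            yield name, meta["version"]
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def audit(lock_text, advisories):
    """Return a sorted list of (advisory_id, package, installed_version) hits."""
    hits = []
    for name, version in installed_packages(lock_text):
        for adv in advisories:
            if adv["package"] == name and in_range(version, adv["vulnerable_versions"]):
                hits.append((adv["id"], name, version))
    return sorted(hits)


if __name__ == "__main__":
    for advisory_id, name, version in audit(SAMPLE_LOCK, SAMPLE_ADVISORIES):
        print("%s: %s@%s" % (advisory_id, name, version))
```

Run against the constructed inputs it reports `EXAMPLE-1` for left-pad-ish 1.1.3 and `EXAMPLE-2` for deep-merge-ish 4.2.0, and nothing for tiny-util 0.9.0 because it sits below the affected range. A real advisory feed and a real lock file are the only differences between this and what a third party can do with a public repository, which is the substance of the comment above.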