Using snyk for package vulnerability verification

Tirloni, Giovanni gtirloni at ocadu.ca
Thu Apr 6 12:47:33 UTC 2017


Hello,

  There was a discussion in the GPII Architecture mailing list that started in Oct 2015 when snyk.io was released and I believe it would be beneficial to adopt it for Fluid repositories.

  Here are the relevant threads:

    http://lists.gpii.net/pipermail/architecture/2015-November/thread.html
    http://lists.gpii.net/pipermail/architecture/2017-April/thread.html

  And here's more information about Snyk:

    https://snyk.io/docs/faqs/
    https://snyk.io/plans

  I took the liberty of creating a "Fluid Project" organization in Snyk and invited the Fluid Project's GitHub administrators to it (as I don't have permission to add repositories).

  Enabling Snyk for a repository means:

    * A WebHook will get added to notify snyk.io of new PRs and commits
    * A notification will be added to new PRs to identify if they introduce security vulnerabilities (within snyk's scope)
    * The repository will be constantly monitored for new vulnerabilities

  To clarify, Snyk is not a static code analyzer. It simply inspects dependencies that have known vulnerabilities.

  If there is consensus on adopting this tool, I would like to request that someone with admin privileges to the Fluid Project in GitHub access Snyk.io and add the repositories.

Regards,
Giovanni


-------- Forwarded Message --------
Subject: 	Re: [Architecture] snyk node package vulnerability checker now live!
Date: 	04/06/2017 04:50 AM
From: 	Tony Atkins <tony at raisingthefloor.org>
To: 	Tirloni, Giovanni <gtirloni at ocadu.ca>
CC: 	architecture at lists.gpii.net Architecture <architecture at lists.gpii.net>



Hi, Giovanni.

Personally I would be happy to have this for every repo and PR.  Even though many of us regularly run "npm outdated" (or "yarn outdated") and test our work with newer libraries, having a report on known bad versions gives us a consistent "trailing edge". By that I mean that if we haven't managed to otherwise update our dependencies when snyk identifies a problem, we have a good reason to take a moment and review.

Anyway, +1 from me.

Cheers,


Tony

On Wed, Apr 5, 2017 at 6:20 PM, Tirloni, Giovanni <gtirloni at ocadu.ca> wrote:

     Snyk can monitor repositories and test new PRs for vulnerable packages.

     Is there interest in having this tool automatically monitoring our repositories? It's free for open source projects.

     https://snyk.io/docs/github

     On 10/29/2015 02:29 PM, Steve Lee wrote:
      > https://snyk.io/
      >
      > Steve Lee
      > OpenDirective http://opendirective.com
      > _______________________________________________
      > Architecture mailing list
      > Architecture at lists.gpii.net
      > http://lists.gpii.net/mailman/listinfo/architecture
      >
      >





More information about the fluid-work mailing list