Monitor release branches for new security vulnerabilities #317
Comments
Thanks for the issue! I'll tag our security patcher @magajh. Can we contact the security WG so they can chime in on the conversation?
Using an external tool to monitor security vulnerabilities seems to be the best alternative to keep all dependencies updated with the latest security patches. I'll look into and compare the different security vulnerability scanners so we can make a better decision on which one would be the best fit for us. I'm going to self-assign this to keep things moving. Thanks @jmbowman @mariajgrimaldi!
Original conversation:
I have worked extensively in SCA and SAST and can help with this.
Hi @terra-conq, thank you so much! So that you can help, you can reach out to the security WG on Slack, or however you prefer: https://openedx.atlassian.net/wiki/spaces/COMM/pages/3624108053/Security+Working+Group
Hi, @magajh. Could you provide an update on this issue? I'm not sure whether this was done or it's still a work in progress. |
The main development branches of most/all Open edX repositories currently get Dependabot warnings from GitHub when a security vulnerability is announced that impacts the version in use of any of their dependencies. But this feature currently can't be extended to additional branches, such as the named release branches that we support for 6+ months each; even Microsoft (which now owns GitHub) wants this feature but can't currently do it. So we'll need to use a different security vulnerability scanner for release branches. An incomplete list of candidates: