Skip to content

remove ossaudit #475

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Oct 16, 2022
Merged

remove ossaudit #475

merged 2 commits into from
Oct 16, 2022

Conversation

@seanieb
Copy link
Contributor

@seanieb seanieb commented Sep 20, 2022

Proposed changes

ossaudit has lots of flase positives. And there's better ways to address security for depenencies within github.

Types of changes

What types of changes does your code introduce?

  • [x ] Bugfix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist

Put an x in the boxes that apply. You can also fill these out after creating the PR. If you're unsure about any of them, don't hesitate to ask. We're here to help! This is simply a reminder of what we are going to look for before merging your code.

  • [x ] I have read the guidelines for contributing
  • [x ] All unit tests pass on my local version with my changes
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)

Further comments

If this is a relatively large or complex change, kick off the discussion by explaining why you chose the solution you did and what alternatives you considered, etc...

@seanieb
remove ossaudit - ossaudit has lots of flase positives. And there's b…
b76e466 
…etter ways to address security for depenencies within github.
@ziirish
Copy link
Contributor

ziirish commented Sep 20, 2022

Hello,

Thanks for your PR! I was about to remove ossaudit as well priori making a new release (in order to make sure all our tests are running as expected) but I'm open to any replacement suggestion 🙏

@seanieb
Copy link
Contributor Author

seanieb commented Sep 20, 2022

The project already has Github Security Advisories, but enabling Githubs Dependabot opens up a pull request each time there's a dependency update. This pull requests have the change notes or a link too them, so it's easy to keep an eye on any that are relevant to this project. It the squashes any future updates into that PR.

For the wider security of the project we also use a static analysis like Semgrep, it's easy to setup and there's lot of existing Semgrep rules that we could just apply. But that can wait for separate PR.

@seanieb seanieb marked this pull request as ready for review September 21, 2022 09:39
@HenriBlacksmith
Copy link

HenriBlacksmith commented Oct 3, 2022

Does this one need more approvals to be merged?

@seanieb
Copy link
Contributor Author

seanieb commented Oct 4, 2022

I'm unable to merge it, black formatting seems to be failing too @ziirish

@ziirish ziirish merged commit 1693eee into python-restx:master Oct 16, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ziirish ziirish ziirish approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@seanieb @ziirish @HenriBlacksmith