[CKAN-Security] Vulnerabilities due to outdated software.
David Read
david.read at hackneyworkshop.com
Thu Oct 12 14:07:01 UTC 2017
FYI, some more info on snyk.io from a colleague:
https://github.com/alphagov/gds-way/pull/78/files
Dave
On 2 October 2017 at 14:08, Adrià Mercader <adria.mercader at okfn.org> wrote:
> At first sight there doesn't seem to be anything too critical here so we can
> plan this a bit. I have very limited time available to work on CKAN core
> stuff, which I'd like to focus as much as possible on the Flask migration so
> it'd be great if someone could help here (the grant that is paying for my time
> is ending soon, but I'll update on that when I have more details). Let's
> discuss on tomorrow's meeting and see what we can do.
>
> This is a tricky one for published releases, as in theory we don't include
> changes in requirements on patch releases (on master we should upgrade all
> of these for sure).
> Of course if a dependency presents a serious security issue we should
> revisit this somehow. JS are simpler because we can just repackage them in
> the source code but upgrading the python reqs would complicate the patch
> install instructions which we aim to keep ultra simple to encourage people
> to update so I'd double check if it's worth it before doing this.
>
> On Pylons, Tyler started a PR for updating to the latest version that I
> think is worth getting into master as it will be a while before we drop it
> completely: https://github.com/ckan/ckan/pull/3382
>
> On 29 September 2017 at 11:03, David Read <david.read at hackneyworkshop.com>
> wrote:
>>
>> Interesting to receive this. Sadly, bad timing straight after we did
>> the last one. I for one am all out of time at the moment to work on
>> this, sadly, so hopefully someone can step up.
>>
>> So they read through the changelogs for all the deps and highlighted
>> anything that looked like a vulnerability. My experience suggests that
>> dependencies are rarely fully used, so the vulnerabilities tend not to
>> affect the dependee. But you just can't be sure without raking through
>> the details :( Simplest thing is to be on the latest version.
>>
>> No doubt someone should see if we can upgrade all of these. I bet
>> there will be some difficulties though and that will raise the
>> questions.
>>
>> Do we look to update deps on just CKAN 2.7, or 2.4, 2.5 and 2.6 too?
>>
>> As a general thing, I've heard Snyk mentioned a few times, which I
>> believe we can add to our Travis for free, that is supposed to look at
>> dependencies and give you levels of risk.
>>
>> Dave
>> _______________________________________________
>> CKAN security
>> https://lists.okfn.org/mailman/listinfo/security
>> https://lists.okfn.org/mailman/options/security/adria.mercader%40okfn.org
>>
>> Repo: https://github.com/ckan/ckan-security