Hi all,
I’d like to better understand how dependency upgrades are currently
managed in Solr.
I noticed that Jan runs a custom Renovate Bot [1] which opens PRs when
upgrades are detected. I have a few questions about the overall process:
- How are vulnerable dependencies handled?
- Are JIRA issues created automatically for such cases?
- Are transitive dependencies also monitored and updated?
I’m more familiar with the Dependabot ecosystem (GitHub Security Alerts
+ automated PRs), but I’m happy to work with the existing setup,
whichever tooling the project prefers.
My goal is to help ensure the following:
1. A JIRA issue is created whenever a vulnerability is detected in the
dependencies of any 9.x release. GitHub uses a submitted Dependency
Graph to generate alerts, but SBOMs could be a more universal data source.
2. A PR is opened for the affected dependency to test if it can be
upgraded automatically to a non-vulnerable version.
3. A PR is also created for a VEX file, indicating that the
vulnerability is `in_triage` and pointing to the JIRA issue. This
provisional VEX entry could be published right away, or I can follow up
with a detailed evaluation. Once VEX tooling is in place, the PR will
contain enough context to help maintainers assess the issue easily.
Looking forward to hearing your thoughts!
Best,
Piotr
References:
[1] https://github.com/solrbot/renovate-github-action
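The provisional VEX entry described in point 3 above, worked through as an added example (not code from the post or from the Solr project): it assumes CycloneDX VEX, because `in_triage` is a CycloneDX analysis state, builds the entry against a constructed sample SBOM, refuses to reference a component the SBOM does not contain, and shows the later follow-up that moves the same entry from `in_triage` to a final state. The SBOM contents, the vulnerability id `CVE-2099-0001`, the JIRA key `SOLR-99999` and the JIRA base URL are placeholders and assumptions of this example, not data from the thread.

```python
"""Provisional CycloneDX VEX entry for a vulnerable dependency (added example).

Assumptions not taken from the mailing-list post: the VEX format is CycloneDX
(the source of the "in_triage" state); the SBOM, vulnerability id, JIRA key
and JIRA base URL below are constructed placeholders.
"""
import copy
import json
import re

# Constructed sample SBOM (CycloneDX 1.5 JSON shape); not a real Solr SBOM.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
    "version": 1,
    "components": [
        {"type": "library", "bom-ref": "pkg:maven/org.example/parser@1.2.3",
         "name": "parser", "version": "1.2.3",
         "purl": "pkg:maven/org.example/parser@1.2.3"},
        {"type": "library", "bom-ref": "pkg:maven/org.example/codec@4.0.0",
         "name": "codec", "version": "4.0.0",
         "purl": "pkg:maven/org.example/codec@4.0.0"},
    ],
}

# CycloneDX vulnerability analysis states and not_affected justifications.
ANALYSIS_STATES = {"resolved", "resolved_with_pedigree", "exploitable",
                   "in_triage", "false_positive", "not_affected"}
JUSTIFICATIONS = {"code_not_present", "code_not_reachable",
                  "requires_configuration", "requires_dependency",
                  "requires_environment", "protected_by_compiler",
                  "protected_at_runtime", "protected_at_perimeter",
                  "protected_by_mitigating_control"}
JIRA_KEY = re.compile(r"^[A-Z][A-Z0-9]+-\d+$")
JIRA_BASE = "https://issues.apache.org/jira/browse/"  # assumed base URL


def find_component(sbom, purl):
    """Return the SBOM component whose purl matches, or None."""
    return next((c for c in sbom.get("components", []) if c.get("purl") == purl), None)


def component_in_sbom(sbom, purl):
    return find_component(sbom, purl) is not None


def provisional_vex(sbom, vuln_id, purl, jira_key, source_url=None):
    """Build a VEX document marking vuln_id as in_triage for one SBOM component.

    The affects.ref is the external BOM-link form
    <serialNumber>/<version>#<bom-ref>, so the VEX can be published separately
    from the SBOM it annotates.
    """
    component = find_component(sbom, purl)
    if component is None:
        raise ValueError(f"{purl} is not a component of this SBOM; refusing to emit VEX")
    if not JIRA_KEY.match(jira_key):
        raise ValueError(f"{jira_key!r} does not look like a JIRA issue key")
    vuln = {
        "id": vuln_id,
        "analysis": {
            "state": "in_triage",
            "detail": f"Triage tracked in {JIRA_BASE}{jira_key}",
        },
        "affects": [{"ref": f"{sbom['serialNumber']}/{sbom['version']}#{component['bom-ref']}"}],
    }
    if source_url:
        vuln["source"] = {"url": source_url}
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "vulnerabilities": [vuln]}


def record_triage(vex, vuln_id, state, justification=None, detail=None):
    """Return a copy of vex with the entry for vuln_id moved to its final state.

    not_affected must carry a CycloneDX justification; other states must not.
    The original JIRA pointer in analysis.detail is preserved ahead of any new detail.
    """
    if state not in ANALYSIS_STATES:
        raise ValueError(f"unknown analysis state {state!r}")
    if state == "not_affected" and justification not in JUSTIFICATIONS:
        raise ValueError("not_affected requires a CycloneDX justification")
    if state != "not_affected" and justification is not None:
        raise ValueError("justification is only valid with not_affected")
    updated = copy.deepcopy(vex)
    for vuln in updated["vulnerabilities"]:
        if vuln["id"] == vuln_id:
            analysis = vuln["analysis"]
            analysis["state"] = state
            if justification:
                analysis["justification"] = justification
            if detail:
                analysis["detail"] = f"{analysis.get('detail', '')} {detail}".strip()
            return updated
    raise KeyError(f"{vuln_id} not present in VEX document")


if __name__ == "__main__":
    doc = provisional_vex(SAMPLE_SBOM, "CVE-2099-0001",
                          "pkg:maven/org.example/parser@1.2.3", "SOLR-99999")
    print(json.dumps(doc, indent=2))
```

The refusal to emit an entry for a purl missing from the SBOM is the check worth keeping: a VEX statement that does not resolve to a component in the published SBOM is silently ignored by consumers, so the provisional entry would give the appearance of tracking without doing it.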