Check vulnerability on several branches?
This is not a bug/issue but just to know if there is any recommendation from security team about that.
(Let me know if this is not the right way to ask a question to the security team.)
My project (Leshan) is hosted on GitHub and uses Maven (`pom.xml`) + yarn (`yarn.lock`).
At first, I thought that the out-of-the-box Dependabot alerts were enough to manage vulnerabilities in my project.
But recently I discovered some limitations with Maven and transitive dependencies (see #3640 (closed)).
Hopefully, with GitHub Actions this limitation can be worked around.
But digging a bit more into this topic, I understand that Dependabot alerts don't support multiple branches (see https://github.com/dependabot/dependabot-core/issues/2159#issuecomment-653085167). (Not totally sure of that.)
In my project, ideally I need to detect known vulnerabilities for the master (development) and 1.x (stable) branches.
If Dependabot doesn't support multiple branches:
- Is there any recommendation from the Eclipse Security Team to handle this?
- Maybe I should move that to the build tool and create a corresponding GitHub Actions/Jenkins build?
- For Maven, I could use https://owasp.org/www-project-dependency-check/ ?
- For yarn 1.x, there is a `yarn audit` command: https://classic.yarnpkg.com/lang/en/docs/cli/audit/
Any opinions ?
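One way to combine the two tools mentioned above (OWASP dependency-check for Maven, `yarn audit` for yarn 1.x) into a single GitHub Actions workflow that covers both branches. This is an added example, not code from the Leshan project; it assumes a scheduled run from the default branch checking out each branch by name, Java 17 as the build JDK, and a placeholder directory `path/to/yarn-project` for the `yarn.lock` location.

```yaml
# Added example workflow (not from the Leshan project).
# Scheduled workflows only run from the default branch, so instead of
# keeping a copy of this file on every branch, one job matrix checks
# out each branch explicitly and scans it.
name: dependency-vulnerability-scan

on:
  schedule:
    - cron: '0 6 * * 1'   # weekly: new advisories surface without a new commit
  workflow_dispatch:       # allow a manual run after an advisory is published

jobs:
  scan:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false     # keep scanning 1.x even if master already fails
      matrix:
        branch: [master, 1.x]
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ matrix.branch }}

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'   # assumed; use the JDK the branch builds with

      # Maven side: dependency-check resolves the full (transitive) tree and
      # fails the build when a finding has CVSS >= 7.
      - run: mvn -B org.owasp:dependency-check-maven:check -DfailBuildOnCVSS=7

      - uses: actions/setup-node@v4
        with:
          node-version: '20'

      # yarn side: with yarn 1.x, `yarn audit` exits non-zero when advisories
      # at or above --level are found, so the job fails visibly.
      - run: yarn install --frozen-lockfile && yarn audit --level high
        working-directory: path/to/yarn-project   # placeholder for the yarn.lock directory
```

Because the failing job is tagged with `matrix.branch`, the workflow run shows which branch carries the vulnerable dependency rather than only that "the project" does.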