Re: [uk-wg] OpenChain Webinar Today: Software and Network Security Special 06:00 PST / 14:00 UTC / 15:00 CET / 19:30 IST / 22:00 CST / 23:00 KST + JST
Thanks, Sami – that's helpful!
From: main@... <main@...>
On Behalf Of Sami Atabani
Sorry for the very late response on this.
This is a very good question and we have a separate project where we are requiring our engineering teams to mirror what they need to use into an Arm repository (we are using Artifactory) to ensure that any build is not accessing external dependencies. The aim is to run automated scanning of our repository and then trigger alerts should a new vulnerability be identified.
Happy to discuss further if that helps.
On Behalf Of Steve Kilbane via lists.openchainproject.org
In yesterday's webinar, I asked a question about how ARM approached scanning when there are many dynamic dependencies; Sami gave _an_ answer, but I think I wasn't clear, and Sami was answering a different interpretation from the one I intended. I did attempt to clarify after the call on Slack, but Shane suggested posting here. Here's what I put on Slack, and I can expand if it turns out that I'm still muddying the waters…
"Thanks for the response Sami. I think I wasn't clear in my question during the call, but I didn't want to take up extra time, and your response was interesting anyway. :-) In an attempt to rephrase: It's one thing to say "open source must be scanned as it's brought into the org" if you're talking about the open source that developers want to use, but with Node.js, pulling in a single package that the developer wants to use might also bring in hundreds of additional, transitive dependencies that the developer doesn't really care about (React being a classic example). A minor change to the application might change those hundreds of dependencies to a different set of hundreds of dependencies. Do all of those get scanned, too? Are you blocking the developers from using the packages until the scanning is done, or is there a continual background queue of inbound open source that gets scanned asynchronously from the developers' usage?"
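An added example, not Arm's tooling and not code posted by anyone in this thread, of the two checks the exchange above turns on: Sami's point that a build must resolve everything from the internal mirror, and Steve's point that the scan has to cover every transitive package in the lockfile, not just the ones a developer asked for. It walks an npm lockfile (lockfileVersion 2/3 "packages" map), reports any package whose resolved URL is not on the mirror host, and matches every package version against an advisory list. The mirror host name, the lockfile contents, the package names and the single advisory entry are all constructed for illustration; the advisory matcher is a simple "vulnerable below the fixed version" comparison rather than full semver.

```javascript
// Added example (not Arm's or OpenChain's code): audit an npm lockfile so that
// every package, transitive ones included, (a) resolved from the internal
// mirror and (b) is checked against a vulnerability list.
// Everything below the comment line is constructed sample data (assumption).

const MIRROR_HOST = 'artifactory.example.internal'; // assumed mirror host name

// Constructed lockfile in npm lockfileVersion 3 shape: keys are paths under
// node_modules, values carry "version", "resolved" and "dependencies".
// Package names are fictional. Note the nested second copy of tiny-tokens:
// the developer asked for widget-ui only, yet it drags in 3.2.0 from the
// public registry while widget-core gets 4.0.0 from the mirror.
const sampleLock = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0', dependencies: { 'widget-ui': '^2.0.0' } },
    'node_modules/widget-ui': {
      version: '2.1.0',
      resolved: 'https://artifactory.example.internal/artifactory/api/npm/npm-remote/widget-ui/-/widget-ui-2.1.0.tgz',
      dependencies: { 'widget-core': '^1.0.0', 'tiny-tokens': '^3.0.0' },
    },
    'node_modules/widget-core': {
      version: '1.3.0',
      resolved: 'https://artifactory.example.internal/artifactory/api/npm/npm-remote/widget-core/-/widget-core-1.3.0.tgz',
      dependencies: { 'tiny-tokens': '^4.0.0' },
    },
    'node_modules/tiny-tokens': {
      version: '4.0.0',
      resolved: 'https://artifactory.example.internal/artifactory/api/npm/npm-remote/tiny-tokens/-/tiny-tokens-4.0.0.tgz',
    },
    'node_modules/widget-ui/node_modules/tiny-tokens': {
      version: '3.2.0',
      // Leaked past the mirror: this is what check (a) must catch.
      resolved: 'https://registry.npmjs.org/tiny-tokens/-/tiny-tokens-3.2.0.tgz',
    },
  },
};

// Constructed advisory list (fictional package, fictional identifier):
// name -> entries saying "versions below fixedIn are affected".
const sampleAdvisories = {
  'tiny-tokens': [{ fixedIn: '3.3.0', id: 'EXAMPLE-2021-0001' }],
};

// Compare dotted numeric versions ("1.10.0" > "1.9.0"); pre-release tags ignored.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageName(lockKey) {
  const marker = 'node_modules/';
  return lockKey.slice(lockKey.lastIndexOf(marker) + marker.length);
}

// Every installed package, however deeply nested; the root entry is skipped.
function listPackages(lock) {
  return Object.entries(lock.packages)
    .filter(([key]) => key !== '')
    .map(([key, entry]) => ({
      name: packageName(key),
      version: entry.version,
      resolved: entry.resolved || null,
    }));
}

// A package without a resolved URL cannot be shown to come from the mirror,
// so it is treated as external rather than silently accepted.
function isFromMirror(resolved, mirrorHost) {
  if (!resolved) return false;
  try {
    return new URL(resolved).host === mirrorHost;
  } catch (e) {
    return false;
  }
}

function advisoriesFor(pkg, advisories) {
  return (advisories[pkg.name] || [])
    .filter((adv) => compareVersions(pkg.version, adv.fixedIn) < 0)
    .map((adv) => adv.id);
}

function auditLockfile(lock, mirrorHost, advisories) {
  const pkgs = listPackages(lock);
  const root = lock.packages[''] || {};
  const direct = new Set(Object.keys(root.dependencies || {}));
  const external = pkgs
    .filter((p) => !isFromMirror(p.resolved, mirrorHost))
    .map((p) => ({ name: p.name, version: p.version, resolved: p.resolved }));
  const vulnerable = pkgs.flatMap((p) =>
    advisoriesFor(p, advisories).map((id) => ({
      name: p.name, version: p.version, id, transitive: !direct.has(p.name),
    })));
  return {
    total: pkgs.length,
    transitive: pkgs.filter((p) => !direct.has(p.name)).length,
    external,
    vulnerable,
    ok: external.length === 0 && vulnerable.length === 0,
  };
}

console.log(JSON.stringify(auditLockfile(sampleLock, MIRROR_HOST, sampleAdvisories), null, 2));
```

To run it against a real project, replace `sampleLock` with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))` and `sampleAdvisories` with the output of whatever scanner feeds the mirror; a non-empty `external` list is the signal that a build reached past the mirror, which is the condition Sami's setup is meant to rule out. The nested copy of tiny-tokens is the case Steve describes: one transitive package, at a version the developer never chose, that both escaped the mirror and is the only install matching the advisory, so a scan limited to direct dependencies would report the project as clean.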
On Behalf Of Shane Coughlan
Join us for a discussion around the software and network security topics you should keep front of mind during these unusual times. All welcome:
06:00 PST / 14:00 UTC / 15:00 CET / 19:30 IST / 22:00 CST / 23:00 KST + JST
OpenChain General Manager