Page MenuHomePhabricator

Move to Toolforge
Closed, ResolvedPublic


I see no reason that couldn't be deployed as a Toolforge tool. It would be much simpler to keep up to date instead of giving it its own VM and needing to configure Apache, systemd, etc.

Tagging Security-Team for awareness because they're the people who most depend on this. And Continuous-Integration-Config and LibUp because those are the places that specify the URL.

Event Timeline can be used to create a redirect from wmcloud to toolforge in an attempt to preserve legacy URLs, but that may be less useful for a service that is functionally just a POST handler.

sbassett added a project: SecTeam-Processed.
sbassett subscribed.

Hey @Legoktm - thanks for the tag. To be honest, we don't do a lot with these reports at the moment. We need to re-evaluate that process/responsibilities as a team for sure. So the move to toolforge is likely not very consequential for us. Where this might be more relevant is within the appsec pipeline we're building out for Gitlab right now. I'd imagine we'd want to leverage composer-security-checker to whatever SensioLabs provides these days as one of the tools we trigger during a CI pipeline for any PHP code.

My understanding is that composer-security-checker is the same functionality as except I audited all the dependencies of my tool (when I wrote it at least) and it's in PHP and not in golang. Oh, and the go version also supports colored ANSI output, junit and markdown outputs.

Anyways, the effort to keep this running should be very minimal, I haven't had to touch it in 2+ years.

Change 820765 had a related patch set uploaded (by Legoktm; author: Legoktm):

[integration/config@master] Update domain for php-security-checker

Change 820766 had a related patch set uploaded (by Legoktm; author: Legoktm):

[labs/libraryupgrader@master] Update domain for php-security-checker

Change 820766 merged by jenkins-bot:

[labs/libraryupgrader@master] Update domain for php-security-checker

Legoktm added a subscriber: Jdforrester-WMF.

Set up the new Toolforge tool and moved over LibUp. Need to set up the redirect and @Jdforrester-WMF is going to drive the remainder of the CI part (thanks!)

Mentioned in SAL (#wikimedia-cloud) [2022-08-05T15:40:00Z] <legoktm> New tool created and set up: T296967

Change 820775 had a related patch set uploaded (by Jforrester; author: Jforrester):

[integration/config@master] jjb: [php-composer-security-docker] Update image for new domain

Change 820765 merged by jenkins-bot:

[integration/config@master] dockerfiles: [composer-security-check] Update service domain

Mentioned in SAL (#wikimedia-releng) [2022-08-05T16:02:10Z] <James_F> Docker: Building and publishing composer-security-check:1.1.1 for T296967

New CI image built and published, and Jenkins job re-configured. Anything else to do?

Change 820775 merged by jenkins-bot:

[integration/config@master] jjb: [php-composer-security-docker] Update image for new domain

Mentioned in SAL (#wikimedia-cloud) [2022-08-08T18:12:13Z] <legoktm> deleting security-checker1 instance, now on Toolforge: T296967