
Use Gitlab Security Pipeline for ipoid
Open, In Progress, Medium, Public, 8 Estimated Story Points

Description

Use Gitlab Security templates for ipoid. Planning to add npm audit template and any others that might apply.

Details

Due Date
Fri, Dec 29, 6:00 AM
Reference: repos/mediawiki/services/ipoid!8
Source Branch: use-security-templates
Dest Branch: main
Author: mstyles
Title: Draft: Update .gitlab-ci.yml file - use nodejs osv security template

Event Timeline

Just FYI, we need to address some issues with the Gitlab-Application-Security-Pipeline, see: T338034. So there's a chance that some of the security includes might not be completely operational at this point. We hope to have a new, stable version of the security includes tagged soon.

@kostajh I created a merge request, however since there are vulnerabilities in the project, it won't be able to be merged at this point. The security team can change the security templates so that the security template doesn't cause the pipeline to stop or the project settings can be changed to allow merges without the pipeline passing. The preferred route would be to update the project so that the dependencies are no longer vulnerable. Let me know what you think, the security templates are still in the early phases of being used, so feedback is very welcome.

kostajh changed the task status from Open to Stalled.Jun 26 2023, 7:40 PM

The preferred route would be to update the project so that the dependencies are no longer vulnerable.

I agree with that. Unfortunately, it seems like we're blocked on T309772: npm audit reports several security issues with Service runner. So I am going to mark this task as stalled, and if/when we fix T309772, we can reopen the MR.

@kostajh alternatively we can continue to use the nodejs osv security template and allow it to fail until T309772 is fixed. I think if we don't use the security template now, it's unlikely to be added later. It would just be a manual process to skip over the nodejs osv security template until the final fix.


In my experience, if a CI job doesn't block a build on failure, eventually people stop looking at it, and then it's just adding to build times without providing value for that additional time.

If you, @Tchanders or @STran think that it is useful to add it as a non-blocking job, knowing that it is going to fail until we fix T309772: npm audit reports several security issues with Service runner, I don't have an objection to that.
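The two options discussed above (a blocking scan versus a non-blocking one that is allowed to fail until T309772 is resolved) come down to a single GitLab CI setting. The snippet below is an added illustration, not the ipoid project's actual .gitlab-ci.yml and not the security team's template; the include path and the job name are placeholders that must be replaced with the ones the Wikimedia security templates project defines.

```yaml
# Added illustration only. The project/file values are placeholders, not the
# real location of the Wikimedia GitLab security templates.
include:
  - project: 'PLACEHOLDER-group/gitlab-security-templates'
    file: '/templates/nodejs-osv.yml'

# Blocking form (the template's default): a reported vulnerability fails the
# pipeline, so the MR cannot be merged until the dependency is fixed.
# Nothing to add here; the included job already behaves this way.

# Non-blocking form: override the included job so findings are still reported
# in the job log and pipeline, but a failure does not stop the merge.
# "nodejs-osv-scan" is an assumed job name; it must match the job name
# declared in the template.
nodejs-osv-scan:
  allow_failure: true
```

With `allow_failure: true` the job still runs on every pipeline and its results remain visible, which is what keeps the template in place for the project; once the vulnerable dependencies are updated, deleting that override returns the scan to blocking mode without any other change.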

sbassett changed the task status from Stalled to In Progress.Oct 3 2023, 5:04 PM
sbassett reassigned this task from Mstyles to mmartorana.
sbassett triaged this task as Medium priority.
sbassett set Due Date to Fri, Dec 29, 6:00 AM.
mmartorana set the point value for this task to 8.Thu, Dec 7, 3:43 PM