From d3ca64cc31479e18ecefbee2e2942086dc8b66b2 Mon Sep 17 00:00:00 2001 From: Joyce Date: Wed, 26 Apr 2023 17:02:53 -0300 Subject: [PATCH 1/4] feat: add trust dependabot question to FAQ Signed-off-by: Joyce --- docs/faq.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs/faq.md b/docs/faq.md index 0555d838031..fd53a8fe3df 100644 --- a/docs/faq.md +++ b/docs/faq.md @@ -14,6 +14,7 @@ This page answers frequently asked questions about Scorecard, including its purp - [Pinned-Dependencies: Will Scorecard detect unpinned dependencies in tests with Dockerfiles?](#pinned-dependencies-will-scorecard-detect-unpinned-dependencies-in-tests-with-dockerfiles) - [Pinned-Dependencies: Can I use version pinning instead of hash pinning?](#pinned-dependencies-can-i-use-version-pinning-instead-of-hash-pinning) - [Signed-Releases: Why sign releases?](#signed-releases-why-sign-releases) + - [Dependency-Update-Tool: Why should I trust recommended updates are safe?](#dependency-Update-Tool-why-should-i-trust-recommended-updates-are-safe) --- 
@@ -80,3 +81,10 @@ Currently, the main benefit of [signed releases](checks.md#signed-releases) is t However, there are already moves to make it even more relevant. For example, the OpenSSF is working on [implementing signature verification for NPM packages](https://github.blog/2022-08-08-new-request-for-comments-on-improving-npm-security-with-sigstore-is-now-open/) which would allow a consumer to automatically verify if the package they are downloading was generated through a reliable builder and if it is correctly signed. Signing releases already has some relevance and it will soon offer even more security benefits for both consumers and maintainers. + +### Dependency-Update-Tool: Why should I trust recommended updates are safe? + +Both dependabot and renovatebot won't update your dependencies immediately. They have some precautions to make sure a release is reasonable / won't break your build (see [dependabot documentation](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-compatibility-scores)). + +You can either configure the tools to only update your dependencies once a week or once a month. This way, if a malicious version is released, it's very likely that it'll be reported and removed before it even gets suggested to you. Besides, there's also the benefit that it gives you the chance to validate the new release before merging if you want to. + From bb81334cc002e0a5fd1498081aef2e7e38cf8f7d Mon Sep 17 00:00:00 2001 From: Joyce Date: Wed, 26 Apr 2023 17:03:50 -0300 Subject: [PATCH 2/4] fix: update name to be more specific Signed-off-by: Joyce --- docs/faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/faq.md b/docs/faq.md index fd53a8fe3df..7bd2e1ae991 100644 --- a/docs/faq.md +++ b/docs/faq.md 
@@ -84,7 +84,7 @@ Signing releases already has some relevance and it will soon offer even more sec ### Dependency-Update-Tool: Why should I trust recommended updates are safe? -Both dependabot and renovatebot won't update your dependencies immediately. They have some precautions to make sure a release is reasonable / won't break your build (see [dependabot documentation](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-compatibility-scores)). +Both dependabot and renovatebot won't update your dependencies immediately. They have some precautions to make sure a release is reasonable / won't break your build (see [dependabot compatibility documentation](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-compatibility-scores)). You can either configure the tools to only update your dependencies once a week or once a month. This way, if a malicious version is released, it's very likely that it'll be reported and removed before it even gets suggested to you. Besides, there's also the benefit that it gives you the chance to validate the new release before merging if you want to. From b0f976656a1891b33484f09cff13893bf3319145 Mon Sep 17 00:00:00 2001 From: Joyce Date: Wed, 26 Apr 2023 17:11:12 -0300 Subject: [PATCH 3/4] Update faq.md Signed-off-by: Joyce --- docs/faq.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/faq.md b/docs/faq.md index 7bd2e1ae991..72527b9c160 100644 --- a/docs/faq.md +++ b/docs/faq.md 
@@ -88,3 +88,5 @@ Both dependabot and renovatebot won't update your dependencies immediately. They You can either configure the tools to only update your dependencies once a week or once a month. This way, if a malicious version is released, it's very likely that it'll be reported and removed before it even gets suggested to you. Besides, there's also the benefit that it gives you the chance to validate the new release before merging if you want to. +Another configuration possibility that would limit even more the release updates only to trusted releases is enabling to only perform Security Updates, which means you only be notified about releases that fixes a previous vulnerability you might be exposed to. + From f4637f0bd34f8be89cb5a4d5177387b989a4e6ef Mon Sep 17 00:00:00 2001 From: Joyce Date: Wed, 26 Apr 2023 17:19:44 -0300 Subject: [PATCH 4/4] Fix: keep FAQ in ascending order Signed-off-by: Joyce --- docs/faq.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/docs/faq.md b/docs/faq.md index 72527b9c160..0b461462c2c 100644 --- a/docs/faq.md +++ b/docs/faq.md 
@@ -10,11 +10,11 @@ This page answers frequently asked questions about Scorecard, including its purp ## Check-Specific Questions - [Binary-Artifacts: Can I allowlist testing artifacts?](#binary-artifacts-can-i-allowlist-testing-artifacts) - [Code-Review: Can it ignore bot commits?](#code-review-can-it-ignore-bot-commits) + - [Dependency-Update-Tool: Why should I trust recommended updates are safe?](#dependency-Update-Tool-why-should-i-trust-recommended-updates-are-safe) - [Fuzzing: Does Scorecard accept custom fuzzers?](#fuzzing-does-scorecard-accept-custom-fuzzers) - [Pinned-Dependencies: Will Scorecard detect unpinned dependencies in tests with Dockerfiles?](#pinned-dependencies-will-scorecard-detect-unpinned-dependencies-in-tests-with-dockerfiles) - [Pinned-Dependencies: Can I use version pinning instead of hash pinning?](#pinned-dependencies-can-i-use-version-pinning-instead-of-hash-pinning) - [Signed-Releases: Why sign releases?](#signed-releases-why-sign-releases) - - [Dependency-Update-Tool: Why should I trust recommended updates are safe?](#dependency-Update-Tool-why-should-i-trust-recommended-updates-are-safe) --- 
@@ -57,6 +57,14 @@ This is quite a complex question. Right now, there is no way to do that. Here ar However, this is being discussed by the Scorecard Team ([#2302](https://github.com/ossf/scorecard/issues/2302)). +### Dependency-Update-Tool: Why should I trust recommended updates are safe? + +Both dependabot and renovatebot won't update your dependencies immediately. They have some precautions to make sure a release is reasonable / won't break your build (see [dependabot compatibility documentation](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-compatibility-scores)). + +You can either configure the tools to only update your dependencies once a week or once a month. This way, if a malicious version is released, it's very likely that it'll be reported and removed before it even gets suggested to you. Besides, there's also the benefit that it gives you the chance to validate the new release before merging if you want to. + +Another configuration possibility that would limit even more the release updates only to trusted releases is enabling to only perform Security Updates, which means you only be notified about releases that fixes a previous vulnerability you might be exposed to. + ### Fuzzing: Does Scorecard accept custom fuzzers? Currently only for projects written in Go. 
@@ -82,11 +90,3 @@ However, there are already moves to make it even more relevant. For example, the Signing releases already has some relevance and it will soon offer even more security benefits for both consumers and maintainers. -### Dependency-Update-Tool: Why should I trust recommended updates are safe? - -Both dependabot and renovatebot won't update your dependencies immediately. They have some precautions to make sure a release is reasonable / won't break your build (see [dependabot compatibility documentation](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-compatibility-scores)). - -You can either configure the tools to only update your dependencies once a week or once a month. This way, if a malicious version is released, it's very likely that it'll be reported and removed before it even gets suggested to you. Besides, there's also the benefit that it gives you the chance to validate the new release before merging if you want to. - -Another configuration possibility that would limit even more the release updates only to trusted releases is enabling to only perform Security Updates, which means you only be notified about releases that fixes a previous vulnerability you might be exposed to. -
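Review bot: the TOC entry added in the first hunk of patch 1/4 links to `#dependency-Update-Tool-why-should-i-trust-recommended-updates-are-safe`, a mixed-case anchor, while every other entry in that list uses an all-lowercase slug; GitHub-rendered heading ids are lowercase, so this link will not resolve to the new heading. Suggest `#dependency-update-tool-why-should-i-trust-recommended-updates-are-safe`.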
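Review bot: in the second hunk of patch 1/4, the first paragraph of the new section answers a different question from its heading: the linked compatibility-score documentation is about whether an update is likely to break the build, not about whether the release is safe, so the text should state plainly that compatibility scores are not a defence against a malicious release. The second paragraph also overstates the scheduling argument ("it's very likely that it'll be reported and removed before it even gets suggested to you"); a weekly or monthly schedule only narrows the window, so suggest "reduces the chance that a malicious version is suggested to you before it is reported and removed". Minor: "You can either configure the tools to only update your dependencies once a week or once a month" has a stray "either", the product names are "Dependabot" and "Renovate", and since both tools are named, the paragraph should link to Renovate's documentation alongside the Dependabot one.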
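Review bot: the sentence added in patch 3/4 is ungrammatical ("which means you only be notified about releases that fixes a previous vulnerability") and equates a security update with a trusted release, which it is not: a release that fixes a known vulnerability has had no more vetting than any other release, so "limit even more the release updates only to trusted releases" should be reworded. Suggest: "Another option is to enable security updates only, so you are notified only about releases that fix a vulnerability you are exposed to." It would also be worth naming the trade-off: with security-only updates, dependencies without a disclosed vulnerability stay on their current version and fall behind.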
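Review bot: the TOC entry moved in the first hunk of patch 4/4 still carries the mixed-case anchor `#dependency-Update-Tool-...` from patch 1/4; since this hunk rewrites that line anyway, lowercase the slug here so it matches the generated heading id and the casing of the neighbouring entries.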
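Review bot: the section moved in the second hunk of patch 4/4 lands in the correct alphabetical position, but it carries over the wording problems from patches 1/4 and 3/4 unchanged (the stray "either", "you only be notified about releases that fixes", and the "trusted releases" phrasing); as this hunk is the final state of the text, the fixes should be applied here if the earlier commits are not going to be reworked.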