Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Check the R advisory database #37

Merged
merged 5 commits into from
Oct 2, 2024
Merged

Check the R advisory database #37

merged 5 commits into from
Oct 2, 2024

Conversation

wlandau
Copy link
Member

@wlandau wlandau commented Sep 24, 2024

https://github.com/RConsortium/r-advisory-database reports vulnerabilities in R packages. (There's not much there, but R-multiverse itself may increase adoption.)

This PR scans https://github.com/RConsortium/r-advisory-database and records vulnerabilities for the given package version in the issue file. For example, for commonmark 0.2, the JSON issue file would look like this:

{
  "descriptions": {
    "advisories": ["https://github.com/RConsortium/r-advisory-database/blob/main/vulns/commonmark/RSEC-2023-6.yaml", "https://github.com/RConsortium/r-advisory-database/blob/main/vulns/commonmark/RSEC-2023-7.yaml", "https://github.com/RConsortium/r-advisory-database/blob/main/vulns/commonmark/RSEC-2023-8.yaml"]
  },
  "date": ["2024-01-01"],
  "version": ["0.2"],
  "remote_hash": ["54c1637c74e7941fbe9f152df70c0a25f8cd37f6"]
}

This keeps packages with reported security vulnerabilities out of Production. However, such packages would still remain in Community. I think this makes sense because even important packages like graph and jsonlite have had vulnerabilities reported for prior versions.

Overall, I think this is a lightweight and practical way to handle security at the package level (r-multiverse/help#80). From a security and safety perspective, I think the only other things we need for the rollout are user-level security (r-multiverse/help#83) and a solid terms of service document (r-multiverse/help#82, r-multiverse/help#86, r-multiverse/r-multiverse.github.io#25).

FYI @jeroen, @maelle

@wlandau wlandau self-assigned this Sep 24, 2024
shikokuchuo
shikokuchuo approved these changes Sep 29, 2024
View reviewed changes
Copy link
Member

@shikokuchuo shikokuchuo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good. I've just added a more traditional way of pulling the advisories. Keep our dependencies lean + anticipate and handle potential internet issues.

@wlandau wlandau merged commit 63e2b5d into r-multiverse:main Oct 2, 2024
6 checks passed
@wlandau wlandau deleted the 80 branch October 2, 2024 17:52
@wlandau wlandau mentioned this pull request Oct 2, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@shikokuchuo shikokuchuo shikokuchuo approved these changes

Assignees

@wlandau wlandau

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@wlandau @shikokuchuo