
Dependency tracking

Open vsoch opened this issue 3 years ago • 5 comments

This issue is opened on behalf of @mtbc! The question is if we should have some extended way to keep track of dependencies for our workflows, e.g., the GitHub Actions we use.

vsoch avatar Jan 10 '22 22:01 vsoch

Thanks! Thinking of more than just workflows, could be Gemfile, etc. too (what else?): though, also, to avoid maintenance headache, could simply be a note of where to look for dependencies and how to find them in those places, e.g., "look for uses: in .github/workflows/"!

mtbc avatar Jan 11 '22 18:01 mtbc

I would argue that Gemfile, requirements.txt, etc. are doing exactly that job, and people know to look for them. It seems more error-prone to reproduce that information somewhere else and then need to update two places, and probably forget to do one so the second place is wrong.

I guess as a developer I know to look for these files, but if you think it would be helpful you can write a dependencies section and say "to look for Python dependencies, see X; for Ruby, see Y; and for workflows, see Z."

My impression is that we have pretty good docs in the README and the main problem is that people don't read them, lol.

vsoch avatar Jan 11 '22 18:01 vsoch

Aha. I keep being surprised by where I find dependencies but you may be right that, for anyone who actually needs to check them, they already know where to look!

mtbc avatar Jan 11 '22 18:01 mtbc

@mtbc I'm actually working on software for this (just stumbled on the issue!); check out https://github.com/vsoch/citelang. I haven't added support for gem deps yet, but definitely could if there are suitable APIs available. But indeed it supports GitHub and that sort of thing - here is a current PNG for our org, first just from the GitHub dependency graph (up to a certain amount of credit / cutoff for just one level)!

[image: github-USRSE-usrse github-io-level-1]

And here is where I made the credit cutoff SUPER tiny so we can go in multiple levels of dependencies! Yes, a monster, lol.

[image: github-USRSE-usrse github io]

Just imagine if there were no cutoff...

I do have a basic set of GitHub actions so far, so if we ever wanted an automated graph or even listing I can make that happen.

vsoch avatar Apr 02 '22 03:04 vsoch

That is really neat, thank you. The synergy between the secvuln aspect and the due credit aspects had not occurred to me. Of course, for the former, even a simple listing is probably good, could even be grepped or someday fed into an automated checker.

Now I wonder how to graphically show that dependencies themselves share a dependency. Let's not open that can of worms!

mtbc avatar Apr 12 '22 11:04 mtbc
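A minimal version of the "look for uses: in .github/workflows/" listing discussed in this thread, written as an added example (it is not code from the thread or from citelang): it extracts the remote actions a workflow depends on and flags which are pinned to a full commit SHA rather than a mutable tag or branch, which is the kind of list that could be grepped or fed to an automated checker. The workflow text and the 40-hex SHA are constructed sample input.

```python
"""List GitHub Actions dependencies ('uses:' lines) and their pin status.

Added example, not code from the issue thread or the citelang project.
SAMPLE_WORKFLOW below is constructed input; the SHA in it is a placeholder.
"""
import re
from pathlib import Path

# "uses: owner/repo@ref" or "uses: owner/repo/sub@ref", optional trailing "# comment".
# Local actions ("./...") and "docker://..." have no "@ref" and are skipped.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*([\w.-]+/[\w./-]+)@([\w.-]+)\s*(?:#.*)?$", re.MULTILINE
)
# A full 40-hex commit SHA is the only ref GitHub treats as immutable.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567  # constructed SHA
        with:
          python-version: "3.10"
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.18
      - run: echo hi
"""


def list_actions(workflow_text):
    """Return [(action, ref, pinned_to_sha)] for each remote action in one workflow."""
    return [(action, ref, bool(SHA_RE.match(ref)))
            for action, ref in USES_RE.findall(workflow_text)]


def unpinned(workflow_text):
    """Return 'action@ref' for every remote action not pinned to a commit SHA."""
    return [f"{a}@{r}" for a, r, pinned in list_actions(workflow_text) if not pinned]


def scan_workflows(workflow_dir=".github/workflows"):
    """Aggregate (file, action, ref, pinned) across all workflow files in a repo."""
    rows = []
    for path in sorted(Path(workflow_dir).glob("*.y*ml")):
        rows += [(path.name, a, r, p) for a, r, p in list_actions(path.read_text())]
    return rows


if __name__ == "__main__":
    for action, ref, pinned in list_actions(SAMPLE_WORKFLOW):
        print(f"{action}@{ref}  pinned={pinned}")
```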