java-sdk
Add dependabot and fix High and Medium vulnerabilities
Expected Behavior
Dependabot scan should report zero High or Medium vulnerabilities in the SDK's dependencies.
Actual Behavior
No dependabot scan.
Steps to Reproduce the Problem
Run Dependabot scan
Potential dependabot.yml file:
```yaml
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 5
  - package-ecosystem: "maven"
    directory: "/sdk"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 5
  - package-ecosystem: "maven"
    directory: "/sdk-actors"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 5
  - package-ecosystem: "maven"
    directory: "/sdk-autogen"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 5
  - package-ecosystem: "maven"
    directory: "/sdk-springboot"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 5
  - package-ecosystem: "maven"
    directory: "/sdk-tests"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 5
```
The dependabot yaml changes will only be applied module by module, independently. See here.
Need to specify the directory where pom.xml is located for each module.
This will cause build failures if the target-branch is master and if the updates are merged one by one to the master branch.
We might possibly use a separate develop branch with no build actions but as a target-branch for dependabot updates, merge all the corresponding version updates in all modules, then manually create a PR from develop to master once all the security updates for related dependencies in all modules are done. @artursouza I can probably continue to look at this if that is the way we want to move forward.
Let's use the branch idea that you proposed (maybe calling it dependabot) and have a triggered workflow on that branch where DaprBot will automatically create a PR if unit tests pass.
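One concrete shape for the triggered workflow proposed above, added here as an example and not part of the dapr/java-sdk repository: it runs the Maven test suite on every push to a branch named `dependabot` and, only if the tests pass, opens a pull request into `master` with the GitHub CLI that is preinstalled on GitHub-hosted runners (standing in for DaprBot, whose mechanics are not described on this page). The branch name, the Java version, the PR title and the job name are assumptions.

```yaml
# Added example workflow (not from the dapr/java-sdk repo).
# Assumption: Dependabot targets a branch named "dependabot" (target-branch in
# dependabot.yml), so every merged dependency bump lands here first.
name: dependabot-branch-verify

on:
  push:
    branches: [dependabot]

# Least privilege: the job only reads the repo and opens/inspects PRs.
permissions:
  contents: read
  pull-requests: write

jobs:
  verify-and-open-pr:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '11'   # assumed; match the SDK's actual build JDK
          cache: maven

      # Runs unit tests for every module from the root pom, so a bump in one
      # module that breaks another is caught before anything reaches master.
      - name: Run unit tests across all modules
        run: mvn -B -ntp verify

      # Only reached when the previous step succeeded (default job behaviour:
      # a failing step stops the job), so a PR is opened only on green tests.
      - name: Open PR into master if tests passed
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          # Avoid piling up duplicate PRs: skip if one from this branch is already open.
          existing="$(gh pr list --head dependabot --base master --state open --json number --jq '.[].number')"
          if [ -z "$existing" ]; then
            gh pr create --base master --head dependabot \
              --title "Dependabot security updates" \
              --body "Automated dependency updates collected on the dependabot branch; all unit tests passed."
          else
            echo "PR #$existing already open for the dependabot branch; nothing to do."
          fi
```

For the `gh pr create` step to succeed with the default `GITHUB_TOKEN`, the repository (or organization) setting "Allow GitHub Actions to create and approve pull requests" must be enabled; otherwise the step fails and the updates stay on the `dependabot` branch for a human to promote manually, which is the fallback described in the thread.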
@mukundansundar can we make this P1 and add it to the Java SDK 1.2 milestone?