scala-steward
Highlight if the updated dependency has known vulnerabilities
Why?
It can speed up the delivery of security updates and provide Scala support in GitHub for wider communities or enterprises: https://github.blog/2019-05-23-building-an-interconnected-community-together
Do you mean I should extend Dependabot so that it can also create PRs for Scala projects or is there some other integration where scala-steward could better work with Dependabot? If it is the former, I don't see me doing it unless someone pays me to do this. Creating scala-steward has been a great adventure so far and I'm not abandoning it to make GitHub better.
Possibly the Dependabot or GitHub APIs are open to querying security-related info, to highlight in PRs if they fix known vulnerabilities...
Another option is to use sbt-dependency-check for that.
Ok, this sounds interesting but it is unlikely I'll be doing this.
I think the goal of this ticket is unclear from the title.
I suggest it should be "Highlight if the updated dependency has known vulnerabilities" or something like that.
That may attract potential contributors.
Hello @fthomas, would you be interested in a contribution based on GitHub Security Advisory API?
Utilizing that API sounds reasonable to me.
It seems that the SecurityAdvisory object contains useful information from a developer's perspective.
Relevant item on the GitHub Roadmap: https://github.com/github/roadmap/issues/467
GitHub's security advisories are now available via a REST API: https://github.blog/changelog/2023-07-28-get-global-security-advisories-via-rest-api/
This should make it easier to integrate it in Scala Steward.
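The thread proposes one thing concretely: given a Maven coordinate and the version pair an update PR moves between, ask GitHub's advisory data whether the old version is in a known vulnerable range and whether the new one is patched. The following is an added example of that check, written in Python; it is not scala-steward code and not GitHub's client library. The advisory records are constructed to mirror the field names the global advisories REST API returns (`ghsa_id`, `severity`, `vulnerabilities[].package`, `vulnerable_version_range`, `first_patched_version`); the GHSA ids, coordinates and ranges are made up. `fetch_advisories` sketches the live call and is not executed; the `ecosystem` and `affects` query parameters it uses are an assumption to verify against the current API docs.

```python
import json
import re
import urllib.parse
import urllib.request

# Constructed sample data shaped like GET /advisories?ecosystem=maven responses.
# Every id, coordinate, range and summary below is invented for this example.
SAMPLE_ADVISORIES = json.loads("""
[
  {"ghsa_id": "GHSA-aaaa-bbbb-cccc", "severity": "high",
   "summary": "Constructed: unsafe deserialization in example-json 2.x",
   "vulnerabilities": [{"package": {"ecosystem": "maven", "name": "com.example:example-json"},
                        "vulnerable_version_range": ">= 2.0.0, < 2.4.1",
                        "first_patched_version": "2.4.1"}]},
  {"ghsa_id": "GHSA-dddd-eeee-ffff", "severity": "medium",
   "summary": "Constructed: same bug on the 1.x branch of example-json",
   "vulnerabilities": [{"package": {"ecosystem": "maven", "name": "com.example:example-json"},
                        "vulnerable_version_range": "< 1.9.2",
                        "first_patched_version": "1.9.2"}]},
  {"ghsa_id": "GHSA-gggg-hhhh-iiii", "severity": "critical",
   "summary": "Constructed: header injection in example-http",
   "vulnerabilities": [{"package": {"ecosystem": "maven", "name": "com.example:example-http"},
                        "vulnerable_version_range": ">= 3.0.0, < 3.2.0",
                        "first_patched_version": "3.2.0"}]}
]
""")

_OPS = {">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
        "<=": lambda a, b: a <= b, "<": lambda a, b: a < b, "=": lambda a, b: a == b}


def parse_version(text):
    """Turn '2.4.1' or '2.4.1-RC1' into a comparable tuple.
    Numeric parts are padded to four places; a version with a non-numeric
    qualifier (RC1, M2, ...) sorts just below the plain release with the same
    numbers, so a pre-release of the fix version still counts as vulnerable."""
    nums, qualifier = [], False
    for part in re.split(r"[.\-+]", text.strip()):
        if part.isdigit():
            nums.append(int(part))
        elif part:
            qualifier = True
    nums = (nums + [0, 0, 0, 0])[:4]
    return tuple(nums) + ((-1,) if qualifier else (0,))


def version_in_range(version, range_text):
    """Evaluate a GHSA range such as '>= 2.0.0, < 2.4.1' against one version."""
    v = parse_version(version)
    for clause in range_text.split(","):
        m = re.fullmatch(r"\s*(>=|<=|>|<|=)\s*(\S+)\s*", clause)
        if not m:
            raise ValueError(f"unrecognised range clause: {clause!r}")
        if not _OPS[m.group(1)](v, parse_version(m.group(2))):
            return False
    return True


def advisories_affecting(advisories, package, version):
    """GHSA ids whose maven ranges include this exact version of the package."""
    hits = []
    for adv in advisories:
        for vuln in adv["vulnerabilities"]:
            pkg = vuln["package"]
            if (pkg["ecosystem"] == "maven" and pkg["name"] == package
                    and version_in_range(version, vuln["vulnerable_version_range"])):
                hits.append(adv["ghsa_id"])
                break
    return hits


def update_report(advisories, package, current, proposed):
    """Classify an update current -> proposed: advisories it fixes, and
    advisories that still apply to the proposed version."""
    before = set(advisories_affecting(advisories, package, current))
    after = set(advisories_affecting(advisories, package, proposed))
    return {"fixes": sorted(before - after), "still_affected": sorted(after)}


def pr_body_section(advisories, package, current, proposed):
    """Markdown lines a bot could append to the PR description."""
    report = update_report(advisories, package, current, proposed)
    by_id = {a["ghsa_id"]: a for a in advisories}
    lines = []
    for ghsa in report["fixes"]:
        a = by_id[ghsa]
        lines.append(f"- Fixes {ghsa} ({a['severity']}): {a['summary']}")
    for ghsa in report["still_affected"]:
        a = by_id[ghsa]
        fixed = next(v["first_patched_version"] for v in a["vulnerabilities"]
                     if v["package"]["name"] == package)
        lines.append(f"- Still affected by {ghsa} ({a['severity']}); first patched version is {fixed}")
    return "\n".join(lines) if lines else f"- No known advisories for {package} {proposed}"


def fetch_advisories(package, token=None):
    """Live query, not executed in this example. Assumed: the /advisories
    endpoint with 'ecosystem' and 'affects' query parameters; check the
    current GitHub REST docs before relying on them."""
    query = urllib.parse.urlencode({"ecosystem": "maven", "affects": package, "per_page": 100})
    req = urllib.request.Request(f"https://api.github.com/advisories?{query}",
                                 headers={"Accept": "application/vnd.github+json",
                                          "X-GitHub-Api-Version": "2022-11-28"})
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(pr_body_section(SAMPLE_ADVISORIES, "com.example:example-json", "2.3.0", "2.4.1"))
```

The interesting case is the partial fix: updating `2.3.0` to `2.4.0` lands on a version the advisory still covers, so the PR should be flagged as "still affected" rather than silently presented as routine; likewise `2.4.1-RC1` is treated as below the first patched version. Real-world version schemes are messier than the dotted numbers handled here, so a production integration would want a proper Maven version comparator.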