Contribute security fixes to Static Analysis dependencies
Problem to solve
Security vulnerabilities are forms of risk, and we have the tools necessary to detect those risks. We need to be more proactive in identifying the risks inherent in the OSS projects we rely upon in group::static analysis. Once we find the risks, we should submit fixes for them upstream.
Further details
- go-git may need to be upgraded to keep us from unreachable exit conditions: https://gitlab.com/gitlab-org/gitlab/-/issues/292945
- gosec has a dependency which can result in an infinite loop: #296906
- pmd-apex has several dependencies which need to be updated: #296905
What does success look like, and how can we measure that?
- Reduction of reported vulnerabilities in the SAST and Secret Detection analyzer security dashboards.
Edited by Thomas Woodham