
Dependency tracking #641

Open
vsoch opened this issue Jan 10, 2022 · 5 comments
Labels
question Further information is requested

Comments

@vsoch
Member

vsoch commented Jan 10, 2022

This issue is opened on behalf of @mtbc ! The question is if we should have some extended way to keep track of dependencies for our workflows, e.g., the Github actions we use.

vsoch added the label "question: Further information is requested" on Jan 10, 2022
@mtbc
Contributor

mtbc commented Jan 11, 2022

Thanks! Thinking of more than just workflows, it could be Gemfile, etc. too (what else?). Though, also, to avoid a maintenance headache, it could simply be a note of where to look for dependencies and how to find them in those places, e.g., "look for `uses:` in `.github/workflows/`"!

@vsoch
Member Author

vsoch commented Jan 11, 2022

I would argue that Gemfile and requirements.txt are doing exactly that job, and people know to look for them. It seems more error-prone to reproduce that information somewhere else and then need to update two places, and probably forget to do one so the second place is wrong.

I guess as a developer I know to look for these files, but if you think it would be helpful you can write a dependencies section and say "to look for Python dependencies, see X; for Ruby, see Y; and for workflows, see Z."

My impression is that we have pretty good docs in the README and the main problem is that people don't read them, lol.

@mtbc
Contributor

mtbc commented Jan 11, 2022

Aha. I keep being surprised by where I find dependencies but you may be right that, for anyone who actually needs to check them, they already know where to look!

@vsoch
Member Author

vsoch commented Apr 2, 2022

@mtbc I'm actually working on software for this (just stumbled on the issue!). Check out https://github.com/vsoch/citelang. I haven't added support for gem deps yet, but definitely could if there are suitable APIs available. But indeed it supports GitHub and that sort of thing. Here is a current PNG for our org, first just from the GitHub dependency graph (up to a certain amount of credit / cutoff for just one level)!

[image: github-USRSE-usrse github-io-level-1]

And here is where I made the credit cutoff SUPER tiny so we can go in multiple levels of dependencies! Yes, a monster, lol.

[image: github-USRSE-usrse github io]

Just imagine if there were no cutoff...

I do have a basic set of GitHub actions so far, so if we ever wanted an automated graph or even listing I can make that happen.

@mtbc
Contributor

mtbc commented Apr 12, 2022

That is really neat, thank you. The synergy between the secvuln aspect and the due-credit aspects had not occurred to me. Of course, for the former, even a simple listing is probably good; it could even be grepped or someday fed into an automated checker.

Now I wonder how to graphically show that dependencies themselves share a dependency. Let's not open that can of worms!
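The two ideas raised in this thread, "look for `uses:` in `.github/workflows/`" and "even a simple listing ... could be grepped or fed into an automated checker", can be combined into a small script. The following is an added example written for this thread; it is not part of citelang, the usrse.github.io repository, or any participant's code. It does a deliberately simple line-based scan (not a full YAML parser, so a `uses:` value split across lines or inside a YAML anchor would be missed) of workflow text and a requirements.txt, builds one flat dependency listing, and separately reports which third-party actions are referenced by a mutable tag or branch rather than a 40-character commit SHA, which is the detail an automated vulnerability checker most wants to know. The workflow and requirements contents, file names and package names below are constructed sample inputs, not taken from the repository.

```python
import re
from dataclasses import dataclass

# Constructed sample inputs for the example (not the repository's real files).
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: ruby/setup-ruby@8f312efe1262fb463d906e9bf040319394c18d3e
      - uses: ./.github/actions/local-lint
      - name: Deploy
        uses: docker://alpine:3.15
"""

SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt
requests==2.27.1
pyyaml>=5.4
citelang
"""


@dataclass(frozen=True)
class Dependency:
    source: str    # file the dependency was found in
    name: str      # action path, docker image, or package name
    version: str   # pin exactly as written; "" when none is given
    kind: str      # action-sha, action-tag, action-noref, action-local,
                   # docker, exact, range, unpinned


# Matches "uses: value" whether or not the step starts with "- ".
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)')
SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def parse_workflow(text, source):
    """Extract every `uses:` reference from GitHub Actions workflow text."""
    deps = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):
            deps.append(Dependency(source, ref, "", "action-local"))
        elif ref.startswith("docker://"):
            image, _, tag = ref[len("docker://"):].partition(":")
            deps.append(Dependency(source, "docker://" + image, tag, "docker"))
        else:
            name, _, version = ref.partition("@")
            if SHA_RE.match(version):
                kind = "action-sha"      # immutable commit pin
            elif version:
                kind = "action-tag"      # tag or branch: can move
            else:
                kind = "action-noref"
            deps.append(Dependency(source, name, version, kind))
    return deps


# name, optional comparison operator, optional version specifier.
REQ_RE = re.compile(r'^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*(\S+)?')


def parse_requirements(text, source):
    """Extract package pins from a pip requirements file (comments ignored)."""
    deps = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_RE.match(line)
        if not m:
            continue
        name, op, version = m.groups()
        kind = "exact" if op == "==" else ("range" if op else "unpinned")
        deps.append(Dependency(source, name, (op or "") + (version or ""), kind))
    return deps


def dependency_listing(workflows, requirements):
    """Flat listing over {path: text} maps of workflows and requirements files."""
    deps = []
    for src, text in workflows.items():
        deps.extend(parse_workflow(text, src))
    for src, text in requirements.items():
        deps.extend(parse_requirements(text, src))
    return deps


def mutable_action_refs(deps):
    """Third-party actions not pinned to a commit SHA (tag, branch, or no ref)."""
    return [d for d in deps if d.kind in ("action-tag", "action-noref")]


def format_listing(deps):
    return "\n".join(f"{d.source}: {d.name} {d.version} [{d.kind}]" for d in deps)


if __name__ == "__main__":
    deps = dependency_listing({".github/workflows/build.yml": SAMPLE_WORKFLOW},
                              {"requirements.txt": SAMPLE_REQUIREMENTS})
    print(format_listing(deps))
    for d in mutable_action_refs(deps):
        print(f"note: {d.name}@{d.version} is a mutable reference, not a commit SHA")
```

To run it over a real checkout, replace the two sample strings with the contents of the files under `.github/workflows/` and the repository's `requirements.txt`; a Gemfile would need its own small parser on the same `Dependency` shape, which is the extension point the thread mentions for gem deps.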
