snyk-fix-0593ddb7 branches?


Jeffrey Walton

Jul 21, 2022, 10:28:56 AM
to ESAPI Project Users
Hi Everyone/Kevin,

When I look at Git branches I see a lot of:

 remotes/origin/snyk-fix-0593ddb777e3e292678762e9ebe28192
 remotes/origin/snyk-fix-195eeef39da8687a97bc024e85c683cc
 remotes/origin/snyk-fix-55d70f0f909a41319688906fd341a962
 remotes/origin/snyk-fix-7f760d7d07156fb383708972045f5b2a
 remotes/origin/snyk-fix-82a8dd6792accf88a9445be56c0d237f
 remotes/origin/snyk-fix-c7be58d94ea897ae68a51169ba19ba37
 ...

I know Snyk is a code quality service.

But what are the branches with the numbers?

Kevin W. Wall

Jul 21, 2022, 10:42:49 AM
to Jeffrey Walton, ESAPI Project Users
Snyk is basically a Software Compositional Analysis tool that checks direct and transitive dependencies.

Those branches were for PRs that the Snyk bot submitted to fix outdated dependencies. I think the last part is just a random hash that they are using to ensure uniqueness.

IMO, we should remove these branches as the PRs that were associated with them have either been rejected or merged. (I have removed some of them before.)

Matt: Do you have any issues with me deleting these branches? I do think they are annoying, if not confusing.

-kevin

--
You received this message because you are subscribed to the Google Groups "ESAPI Project Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to esapi-project-u...@owasp.org.
To view this discussion on the web visit https://groups.google.com/a/owasp.org/d/msgid/esapi-project-users/ca00e2e2-41da-4ff2-a0d1-bd59eaa2d001n%40owasp.org.


--
Blog: https://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall | OWASP ESAPI Project co-lead
NSA: All your crypto bit are belong to us.
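Kevin's point is that the snyk-fix-* branches only matter while their PRs are open; once a PR is merged or rejected the branch is leftover noise. The script below is an added example (not part of this thread and not ESAPI project code) of how a maintainer could plan that cleanup safely: it takes the output of `git branch -r` and `git branch -r --merged <default branch>`, keeps only branches matching the strict bot naming pattern seen above (`snyk-fix-` plus a 32-character hex suffix, an assumption drawn from the names Jeff listed), and separates merged branches (safe to delete) from unmerged ones that a human should look at first. It only prints the delete commands; it never runs them. The default branch name `main` is a placeholder, not ESAPI's actual default branch.

```python
import re
from typing import List, Tuple

# Strict pattern for the bot branches shown in the thread: "snyk-fix-" followed
# by a 32-character hex suffix (assumed from the listed names; Kevin's guess is
# that it is just a random uniqueness hash).
SNYK_FIX_RE = re.compile(r"^snyk-fix-[0-9a-f]{32}$")

# Assumed default branch; ESAPI's real default branch is not stated in the thread.
DEFAULT_BRANCH = "origin/main"


def parse_remote_branches(listing: str, remote: str = "origin") -> List[str]:
    """Turn `git branch -r` output into bare branch names for one remote.

    Skips the symbolic `origin/HEAD -> origin/main` line and any other remote.
    """
    names = []
    prefix = remote + "/"
    for raw in listing.splitlines():
        line = raw.strip()
        if not line or "->" in line:
            continue
        if line.startswith(prefix):
            names.append(line[len(prefix):])
    return names


def plan_snyk_cleanup(all_listing: str, merged_listing: str,
                      remote: str = "origin") -> Tuple[List[str], List[str]]:
    """Split snyk-fix-* branches into (safe_to_delete, needs_review).

    all_listing:    output of `git branch -r`
    merged_listing: output of `git branch -r --merged <default branch>`
    A branch is safe to delete only if it matches the strict pattern AND its
    tip is already reachable from the default branch (the PR was merged).
    Unmerged ones (rejected or still-open PRs) are listed for a human.
    """
    merged = set(parse_remote_branches(merged_listing, remote))
    safe, review = [], []
    for name in parse_remote_branches(all_listing, remote):
        if not SNYK_FIX_RE.match(name):
            continue  # never touch branches that are not bot branches
        (safe if name in merged else review).append(name)
    return sorted(safe), sorted(review)


def delete_commands(safe: List[str], remote: str = "origin") -> List[str]:
    """Dry run: the commands a maintainer would run by hand; nothing is executed here."""
    return [f"git push {remote} --delete {name}" for name in safe]


# Constructed sample listings (not real ESAPI output). Three hashes are the
# ones quoted in the thread; the last two names are made up to show that
# non-matching branches are left alone.
ALL_BRANCHES = """\
  origin/HEAD -> origin/main
  origin/main
  origin/develop
  origin/snyk-fix-0593ddb777e3e292678762e9ebe28192
  origin/snyk-fix-195eeef39da8687a97bc024e85c683cc
  origin/snyk-fix-55d70f0f909a41319688906fd341a962
  origin/snyk-fix-not-a-hash
  origin/feature/snyk-fix-deadbeefdeadbeefdeadbeefdeadbeef
"""

MERGED_BRANCHES = """\
  origin/HEAD -> origin/main
  origin/main
  origin/snyk-fix-0593ddb777e3e292678762e9ebe28192
  origin/snyk-fix-55d70f0f909a41319688906fd341a962
"""

if __name__ == "__main__":
    safe, review = plan_snyk_cleanup(ALL_BRANCHES, MERGED_BRANCHES)
    print(f"# merged into {DEFAULT_BRANCH}, safe to delete:")
    for cmd in delete_commands(safe):
        print("  " + cmd)
    print("# not merged, review before deleting:")
    for name in review:
        print("  " + name)
```

In a real checkout you would feed the script the output of `git fetch --prune` followed by `git branch -r` and `git branch -r --merged origin/<default>`; the strict regex is what keeps a bulk delete from ever touching a human-named branch that happens to contain "snyk".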

Jeffrey Walton

Jul 21, 2022, 11:37:57 AM
to Kevin W. Wall, ESAPI Project Users
On Thu, Jul 21, 2022 at 10:42 AM Kevin W. Wall <kevin....@gmail.com> wrote:
>
> Snyk is basically a Software Compositional Analysis tool that checks direct and transitive dependencies.
>
> Those branches were for PRs that the Snyk bot submitted to fix outdated dependencies. I think the last part is just a random hash that they are using to ensure uniqueness.
>
> IMO, we should remove these branches as the PRs that were associated with them have either been rejected or merged. (I have removed some of them before.)
>
> Matt: Do you have any issues with me deleting these branches? I do think they are annoying, if not confusing.

The thing that caught my eye was the fact that Snyk seems to be
working directly from ESAPI's GitHub. If that is the case, I don't
think it is wise to give the service write access to your sources like
that.

Instead, I think Snyk should work from a clone and make a real pull
request from a disjointed copy of the ESAPI sources. That may mean
running another fork of ESAPI just to keep things separated. (In fact
we do this in other projects. Nothing has write access to the sources
except the maintainers. Instead, CI/CD testing happens on my testing
forks).

The reason I think that is, I don't trust a third party to handle
ESAPI source code properly. If Snyk gets hacked, then the attacker can
use it as a springboard into ESAPI. And Snyk's Terms of Service
probably has the indemnification clauses, which is an alert that it
may happen. If Snyk's lawyers believe it could happen, there's no
reason for us to believe otherwise.

Jeff