On Thu, Jul 21, 2022 at 10:42 AM Kevin W. Wall <
kevin....@gmail.com> wrote:
>
> Snyk is basically a Software Compositional Analysis tool that checks direct and transitive dependencies.
>
> Those branches were for PRs that the Snyk bot submitted to fix outdated dependencies. I think the last part is just a random hash that they are using to ensure uniqueness.
>
> IMO, we should remove these branches as the PRs that were associated with them have either been rejected or merged. (I have removed some of them before.)
>
> Matt: Do you have any issues with me deleting these branches? I do think they are annoying, if not confusing.

The thing that caught my eye was the fact that Snyk seems to be working directly from ESAPI's GitHub. If that is the case, I don't think it is wise to give the service write access to your sources like that.

Instead, I think Snyk should work from a clone and make a real pull request from a disjointed copy of the ESAPI sources. That may mean running another fork of ESAPI just to keep things separated. (In fact we do this in other projects. Nothing has write access to the sources except the maintainers. Instead, CI/CD testing happens on my testing forks.)

The reason I think that is, I don't trust a third party to handle ESAPI source code properly. If Snyk gets hacked, then the attacker can use it as a springboard into ESAPI. And Snyk's Terms of Service probably has indemnification clauses, which is an alert that it may happen. If Snyk's lawyers believe it could happen, there's no reason for us to believe otherwise.

Jeff
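
A concrete way to check the least-privilege stance argued for in this thread (only maintainers hold write access; integrations work from a fork and open ordinary pull requests) is to audit the repository's collaborator list. The script below is an added example, not code from the thread or from the ESAPI project. It reads records shaped like GitHub's repository-collaborators API response (`login`, `type`, and a `permissions` object with `pull`/`triage`/`push`/`maintain`/`admin`) and flags every write-capable identity that is either a bot or not on an approved-maintainer allowlist. The account names, the allowlist and the sample records are constructed placeholders; nothing here refers to real ESAPI accounts or to the real Snyk integration.

```python
"""Audit which identities hold write access to a repository.

Added example, not part of the original thread or the ESAPI project.
Input records are modelled on the shape of GitHub's
GET /repos/{owner}/{repo}/collaborators response. The check reports every
identity that can push (push/maintain/admin) unless it is an approved human
maintainer, which is the policy argued for above: dependency-update bots and
other integrations should work from their own fork and open pull requests,
not push into the canonical sources.
"""
import json

# Constructed sample data; logins are placeholders, not real accounts.
SAMPLE_COLLABORATORS = json.dumps([
    {"login": "maintainer-a", "type": "User",
     "permissions": {"pull": True, "triage": True, "push": True,
                     "maintain": True, "admin": True}},
    {"login": "maintainer-b", "type": "User",
     "permissions": {"pull": True, "triage": True, "push": True,
                     "maintain": False, "admin": False}},
    {"login": "example-dependency-bot", "type": "Bot",
     "permissions": {"pull": True, "triage": False, "push": True,
                     "maintain": False, "admin": False}},
    {"login": "drive-by-contributor", "type": "User",
     "permissions": {"pull": True, "triage": False, "push": False,
                     "maintain": False, "admin": False}},
    {"login": "ex-maintainer", "type": "User",
     "permissions": {"pull": True, "triage": True, "push": True,
                     "maintain": False, "admin": False}},
])

# Constructed allowlist of approved human maintainers (assumption for the example).
APPROVED_MAINTAINERS = {"maintainer-a", "maintainer-b"}

# Any of these levels lets the holder push to the repository.
WRITE_LEVELS = ("push", "maintain", "admin")


def highest_permission(perms):
    """Return the strongest level granted, strongest first."""
    for level in ("admin", "maintain", "push", "triage", "pull"):
        if perms.get(level):
            return level
    return "none"


def audit_write_access(collaborators_json, approved):
    """Return (login, level, reason) for every write-capable identity
    that is a bot/integration or is not in the approved-maintainer set.
    Read-only identities are never reported."""
    findings = []
    for record in json.loads(collaborators_json):
        perms = record.get("permissions", {})
        if not any(perms.get(level) for level in WRITE_LEVELS):
            continue  # read-only access is fine
        login = record["login"]
        level = highest_permission(perms)
        if record.get("type") == "Bot":
            findings.append((login, level,
                             "integration holds write access; move it to a fork and have it open PRs"))
        elif login not in approved:
            findings.append((login, level,
                             "write access outside the maintainer allowlist; review and revoke"))
    return findings


if __name__ == "__main__":
    for login, level, reason in audit_write_access(SAMPLE_COLLABORATORS,
                                                   APPROVED_MAINTAINERS):
        print(f"{login:25s} {level:9s} {reason}")
```

In practice the JSON would come from the collaborators endpoint (and, for GitHub Apps, the installation list), but the decision logic is the same: a bot with push rights, or a write grant that outlives someone's maintainer role, is a finding to act on rather than a branch-name nuisance.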