Community Input Needed: Long-term plan for Security Vulnerability Reporting

Hi everyone!

As part of the NSF project, the squad is currently working on automating our dependency vulnerability checking. Currently, the Security Squad receives the reports, triages them and alerts the community when a critical update is needed.

As we look toward the long-term health of the project, we need the community’s input: Should we keep the current model, or move to publishing the reports community-wide?

Add your thoughts below.

cc: @dkayiwa @burke @ibacher @jayasanka @veronica

Hey Beryl,

For the dependency vulnerability dashboard, I’d lean towards making it community-wide.

We already run vulnerability checks on PRs to prevent introducing vulnerable dependencies in the first place, and the reports are available as artifacts. The same workflow runs on commits as well. On top of that, Dependabot is already configured, so if an existing dependency becomes vulnerable, it’ll raise a PR anyway.

So effectively, the information we’re showing on the dashboard is already public; we’re just presenting it in a more accessible way. The tooling we use (OWASP dependency-check) is public, our source code is public, and anyone interested can reproduce these results with minimal effort.

Also worth noting that the dashboard reflects development versions of modules, not specific releases.

If anything, having the dashboard public makes it a useful resource for implementers to keep an eye on things.

Overall, this feels more like a prevention and visibility mechanism rather than something sensitive, so I don’t see a strong reason to keep it private.

The dashboard is currently available at: OpenMRS Dependency Vulnerability Report