When dependabot is not enough - more tools to scan for vulnerabilities

By Cheuk Ting Ho

Elevator Pitch

I bet that if you have your source code hosted on GitHub, you have Dependabot activated to tell you when there is a vulnerability. However, do you know when you will actually get those alerts? Are there alternatives to Dependabot that you might also consider?

Description

Background:

For most projects hosted on GitHub, it is very common to use Dependabot, which has become a GitHub-native app, for dependency vulnerability alerts. However, many of us have not put much thought into when we will get those alerts and whether they are sufficient to protect our projects. If that is not enough, what are our alternatives? Are there other databases out there that provide such vulnerability information, and other tools that we can use?

Goal:

By the end of the talk, the audience will have learned how vulnerability reports are handled and will pay more attention to dependency vulnerabilities. The audience will also know about the other vulnerability databases and scanning tools available and will be able to make a suitable choice for their projects. By increasing awareness of supply chain security as a community, we will be able to provide safer code and software for the world.

Target audiences:

Maintainers, software engineers and anyone who is involved in any open-source projects, either on the contributors’ end or on the users’ end.

Outline (40 mins):

  • Introduction to the importance of supply chain security and dependency vulnerabilities (5 mins)
  • What is Dependabot and where does its vulnerability information come from (10 mins)
  • Are there more databases out there, and how is the information submitted (10 mins)
  • Introduction to other scanning tools and the databases behind them (e.g. OSV scanner and OSV) (5 mins)
  • What are the best practices when carrying out vulnerability scanning (5 mins)
  • Conclusion and Q&A (5 mins)