Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitHub / GitHub Checkout / 11 Dec 2020
GitHub / GitHub Checkout / 11 Dec 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Helps reviewers and contributors understand dependency changes in every PR - GitHub Checkout

Description

Show Notes

Dependency Review is a new GitHub Advanced Security feature that allows you to view a “rich diff” of what has changed in your dependency manifest file while reviewing a pull request. With Dependency Review, you can easily see any new, changed or removed dependency, including their age, license information, and vulnerability information.

In this video, Maya Kaczorowski and Sasha Rosenbaum walk us through the details of what the feature can do for you, and show a quick demo of the feature.

5:10 - demo: working with Dependency Review

Dependency Review docs:
https://github.co/dependency-review

Maya Kaczorowski:
GitHub - https://github.com/mayakacz
Twitter - https://twitter.com/MayaKaczorowski

Sasha Rosenbaum:
GitHub - https://github.com/DivineOps
Twitter - https://twitter.com/DivineOps

Presented by

For more from GitHub Universe 2020, visit https://githubuniverse.com

As always, feel free to leave us a comment below and don't forget to subscribe: http://bit.ly/subgithub

Thanks!

Connect with us.
Facebook: http://fb.com/github
Twitter: http://twitter.com/github
LinkedIn: http://linkedin.com/company/github

About GitHub
GitHub is the best place to share code with friends, co-workers, classmates, and complete strangers. Millions of people use GitHub to build amazing things together. For more info, go to http://github.com

A

Hi and welcome to github checkout I am sasha rosenbaum and my guest today is mayaka zarkovsky maya. Would you like to introduce yourself.

B

Yeah thanks for having me, I'm maya, I'm a product manager here at github, working on software supply chain, security.

A

Nice, and so the feature we're talking about today- is dependency review, so tell us a little bit about what dependency review really is.

B

Sure so, when you're introducing new dependencies into your environment as part of a pull request so to a change to a manifest file or a lock file dependency review lets you see what the changes that you're making to those dependencies are. So you can better understand whether or not you want to merge that pull request.

A

I see so we already have depend about uh for reviewing your supply chain dependencies. How is that different.

B

Dependable sends you an alert after the fact, so after you've merged a dependency that it that has a depend vulnerability. What sends you an alert dependency review, tells you before you've actually merged in that dependency, so you can choose to to never introduce that vulnerability to begin with dependent bot. I want to point out also sends you a pr so after the fact that it does send you pr, independent will also send you an alert if there's a new vulnerability.

B

So if you're, if you're, if your dependencies don't change, you still need to pen a bot to help you keep your existing dependencies up to date.

A

I see so I kind of need them both. Certainly if I have dependency review enabled and I'm looking at a pull request. What should I be looking for.

B

You can see lots of information about the the what I would think of as the risk of your dependency, so you can see what dependencies you're, adding modifying or removing and for each of those how old it is. If it's introducing any new vulnerabilities, how many dependents it has and the license that it's using and that information together helps you determine whether or not you want to have that in your environment, because you might have restrictions in your environment around some of those, some of those some of that metadata.

B

Some of those things you want to keep keeping score in your environment or you might not want to to take a dependency on something that you don't know where it comes from, and so better understanding a little bit more about that dependency. Helps you decide whether or not it should be in your environment.

A

I see so it would. There ever be a use case where I would choose to merge a dependency if it has a known vulnerability.

B

I mean I think yes, I hate saying that as a security person, but yes, sometimes a patch isn't available. So if you're on the latest version- and the latest version is vulnerable, that's probably still the best version for you to be using again. Assuming you need to be using that dependency.

B

Another situation might be that you're. You know making lots of small changes, which is a good, a good principle in general in code development. So if you are making a small change to do a minor upgrade and then you know testing things out and then you plan on keep upgrading. That's also a good reason to upgrade to a vulnerable version, to kind of get out of your current state and into a better state.

A

Interesting, some kind of like might choose to accept the risk if the next state is still better than the current state right right.

B

Or if or if a vulnerability, if a patch fixes a critical vulnerability, and you only have a low vulnerability left right, I still won't love it. You know please patch all the way, but it's a much better state already.

A

Right, I so with dependency review. uh Is it just me who is going to be able to view the vulnerabilities or is that other people on my team as well? Anybody.

B

With read, access to your repo can see dependency review, so they can see information about the changes that you're making in a pr. It's really important to note here that they're not seeing vulnerability information after the fact so they're not seeing what you did introduce in your environment. It's a static moment in time. It doesn't necessarily apply to your current environment.

B

um It doesn't it doesn't mean that that's uh that you're you're still affected by that that vulnerability. It's really just at that moment in time. What do they need as a reviewer to be able to provide the best information and the best decision they can for for your team.

A

I see so if I wanted to go and enable this today, how would I enable dependency review.

B

You don't really need to so. If you're already using a dependency graph dependency review, just works dependency graph is enabled on all public repos by default, and actually you can't turn it off, because that's how we keep track of who's, relying on what and for private repos you can enable dependency graph, and once you enable dependency graph dependency review, just works.

A

That's very cool and again and available in public and private repos, which is awesome. Can I use dependency review to see vulnerability information for all of my dependencies.

B

You can use dependency review for the ecosystems that depends. Dependency graph supports so there's six ecosystems that we currently support and those will automatically show that information there.

A

I see so all of this sounds really really cool, and would you like to show us what it actually I.

B

Would love to show you what it looks like all right?

B

Let's do that, so I'm gonna share my screen and give you a view of what we're doing great so I'm in a in a repo here and I'm just going to check out dependency review uh and uh first I just want to point out that to the earlier point on you know: how do we enable dependency review I've already enabled uh in this repo I've already enabled dependency graph, dependable alerts and depend bot security updates and you'll actually see that, because I have a lot of security issues, but who has time for those there are pull requests.

B

Let's go deal with that first, so I have a pull request from you know myself very, very practical here where I'm changing a manifest file and in this pull request, you'll see in the. In the normal view of this pull request of the files changed you'll see, I'm upgrading a version of a dependency, I'm a great upgrading version of another dependency and I'm adding a dependency. So actually, what I was doing here was, I was trying to add this new dependency that I have here.

B

uh Vertex unit and then I wanted to just upgrade these other two while I was at it because you know they should probably be in sync sounds good. So if I go over to the rich diff button here and I hit that what I actually get is this brand new view, which is way easier to read than what I was looking at before. That tells me that I've changed a couple of dependencies and I've added a dependency and for the dependencies that I've changed.

B

Some of them have vulnerabilities, so you know vertex web here has a high severity and a low severity vulnerability. Vertex core has a moderate and a low and the versions that I'm upgrading to not only are they super old, but they're, not the patched versions. That's not good! I can also see what license information I have for the um the vulnerabilities that I'm using in this uh sorry the dependencies that I'm using in this environment.

B

So well, that's not what I wanted to do at all. So why don't I patch these? Let's change these to 3.4, 3.5.4 and 3.5.4. So, let's go into the edit view of this quickly. Oops there we go and edit that file see how hard this would be to parse. If I was trying to do it myself, like this giant file,.

A

Oh absolutely that's impossible to even read. I hate this okay.

B

Well, I changed the 3.3.4, so 5.4, sorry, 5.4 and I'll just commit that directly to the branch that I'm looking at and uh yeah. That looks good to me. Okay, let's go over to my dependency review and dependency review, says yep you're, adding one dependency, which is what I was trying to do and I modified to my other dependencies and that's it there's no other vulnerability information here as to what I'm adding that looks great, I'm good. I feel I feel comfortable merging this. I mean you know.

B

Obviously I'm going to run my my test suite against it, but I feel pretty comfortable saying this is good to go. Let's, let's merge that in so let's do that whoo! The other thing that's really cool here about dependency review is you know I talked about all these security issues. I had to work on earlier that I wasn't going to let's go over that. Well, first thing: I don't know if you notice a flash second there. I had 14 security issues before and now I have 12. that's because I actually just fixed two of them.

B

I just fixed two of my security issues in that pull request by by upgrading those dependencies.

A

I actually super love how fast that tab updates with all the security alerts that literally happens within seconds yeah. It's.

B

Pretty cool uh and then, if I go into you know we're talking about dependent bottom. Why? I still need to pen a bot, um so dependable here sent me a pr to upgrade one of my other, my other um dependencies, and it says it fixes the security vulnerability.

B

So let's go look at that again here: I'm updating, android, svg, okay sounds good and dependency review just works. It works on the dependable pr2 and I can see that dependable is doing what it says. It does.

A

Really that is really cool, so they kind of work together in tandem with each other to help avoid vulnerabilities, yeah.

B

You can see exactly what the petabot is doing in the environment. You can see what your other developers are doing in your environment and then decide whether or not you want to include those vulnerabilities or sorry those dependencies, hopefully, no vulnerabilities in your environment.

A

I got you, hopefully no vulnerabilities, uh so this is really cool next question. I guess that yeah uh bags asking is, would dependency or if you just suggest, uh security alternatives for the vulnerable dependencies that they have.

B

So no uh dependency review just tells you whether or not something has a vulnerability, and we tell you where the patch version, what patch version you need to be able to fix that vulnerability. It doesn't yet. You know, provide a commit to your to your pr, we're not at that stage or suggest alternative dependencies, we're not there either, but hopefully for now. That should be good enough for you to go in and edit the file and start making those changes yourself.

A

And something that potentially dependable could also help me with right could help you with yeah all right, I'm in I it can. I block any packages that have known vulnerabilities or like licenses that I don't want to use and stuff like that. So.

B

That's not possible today either, but that's definitely where we're heading we're hearing a lot of interest for that. So um this is really the first step of being able to see what you're what's changing your environment from a security point of view. So then you can control. What's changing your environment from a security point of view, um yeah I have nothing. I have nothing else to say.

A

I mean I mean this is a new feature and I'm super excited about. You know people starting to use it and not seeing uh how it develops over time, because obviously uh there's a lot of cool stuff that we can do with this, but it has already given us so much in terms of upgrading dependencies.

A

uh It's one of.

B

Those things that really feels um so native to github, like it feels like it, should have been there a while ago. You know it feels.

A

Like.

B

Oh, I could just click here and see. What's changed, of course, like that's totally normal.

A

I know really all the stuff that you've been working on with the supply train just seems like it should have been a part of this system from the beginning, because, like it just feels like very integrated, very logical for us to have these features. Yeah we're.

B

Happy to just have it, you know natively in github, so it's easy for you all to use.

A

I know this is really cool, so um thank you so much for working on this and thank you for developing uh the features and thank you for being with us. um One last thing is: uh if I want to get started today, uh is there a documentation like that? I should follow or something like this.

B

Yeah, you should check out the docs the dependency review, docs we'll make sure to to link it and uh yeah.

A

All right well, thank you so much. This has been github checkout and we're gonna add some more videos in the future, so please stay tuned and click that subscribe button. Thank you very much. Bye.