Dependency upgrade process #515

kaklakariada · 2024-01-24T11:06:58Z

Goal

Speedup process for fixing vulnerabilities in third party dependencies.

Implementation

When the dependencies_check.yml workflow finds new vulnerabilities in dependencies it will trigger another GitHub workflow. This new workflow will upgrade all dependencies to their latest versions.

Input

We add a new update-dependencies mode to PK that gets an optional parameter. This parameter describes:

Issue that fixes the vulnerability
Details about the vulnerability

Process

Create new branch if main branch is checked out currently
Read version from pom, increment patch version and set version in pom using maven version plugin.
Update project-keeper version in pom
Update dependencies via mvn versions:use-latest-releases && mvn versions:update-properties, see update-properties & use-latest-releases
Run PK fix
Update changelog if vulnerability details are available:
* release date = today
* Code name: Fix vulnerabilities CVE-.... in dependency ...
* Summary: This release fixes the following vulnerabilities: ...
* Changes: # Security * #... Fixed CVE-... in dependency ...
Commit to new branch & push it
Create a pull request with "Closes #..." comment

Tasks

Give feedback

Add requirements & design
Document upgrade-dependencies mode
Document how to exclude dependencies from upgrading using versions-maven-plugin's excludesList
Add upgrade-dependencies.yml GH workflow (manually triggered) that launches PK upgrade-dependencies.
Options

Open questions

Implement Git/GitHub operations (create branch, create PR, ...) in GH workflow or in PK Java code?

Delimitations / out-of-scope

No support for non-Maven projects (i.e. no pom.xml in project root folder)
Non-Maven modules (e.g. JS extensions) are not updated (potential improvement)
Non-Maven modules (e.g. JS extensions) are not scanned for vulnerabilities (out-of-scope)
Customize build artifacts in release.yml and ci-build.yml wokflows: Customize build artifacts in release.yml and ci-build.yml wokflows #517
Customize build steps in release.yml and ci-build.yml: Customize build steps in release.yml and ci-build.yml #519
Automatic release process: Automatic release process #516
Updating Maven plugins is not required, this is managed by the normal pk fix

The text was updated successfully, but these errors were encountered:

pj-spoelders · 2024-02-01T14:03:06Z

I don't know if you kept this in mind, but another nice thing would be to manually be able to batch update projects' multiple dependencies when we release something, eg in case of virtual-schema-common-jdbc being updated .. I'm not sure if that's out of scope or not.

ckunki · 2024-02-01T14:42:14Z

Review effort .2

Co-authored-by: Christoph Kuhnke <[email protected]>

Fixes #515

…cy-upgrade

…grade

…pgrade

Co-authored-by: Christoph Kuhnke <[email protected]>

…ature/#515-dependency-upgrade

Co-authored-by: Christoph Kuhnke <[email protected]>

…cy-upgrade

…ndency-upgrade

…te-changesfile

…hangesfile

Co-authored-by: Christoph Kuhnke <[email protected]>

…cy-update-workflow

…hub.com/exasol/project-keeper into feature/#515-dependency-update-workflow

Co-authored-by: Christoph Kuhnke <[email protected]>

kaklakariada · 2024-02-28T10:44:33Z

Effort: ~8pd

kaklakariada added the feature Product feature label Jan 24, 2024

kaklakariada self-assigned this Jan 24, 2024

kaklakariada added a commit that referenced this issue Jan 25, 2024

#515: Requirements & design

cfcb144

kaklakariada mentioned this issue Jan 25, 2024

#515: Add requirements & design #521

Merged

kaklakariada added a commit that referenced this issue Jan 26, 2024

#515 Add design

c6afdf9

kaklakariada added a commit that referenced this issue Jan 29, 2024

#515: Increment version

92f7943

kaklakariada mentioned this issue Jan 29, 2024

#515: Implement auto dependency update #522

Merged

kaklakariada added a commit that referenced this issue Feb 1, 2024

#515: Add requirements & design (#521)

355cc07

Co-authored-by: Christoph Kuhnke <[email protected]>

kaklakariada added a commit that referenced this issue Feb 1, 2024

Dependency upgrade process

912573b

Fixes #515

kaklakariada added a commit that referenced this issue Feb 1, 2024

Merge remote-tracking branch 'origin/main' into feature/#515-dependen…

440f754

…cy-upgrade

kaklakariada mentioned this issue Feb 7, 2024

#515: Upgrade dependencies #524

Merged

kaklakariada added a commit that referenced this issue Feb 7, 2024

#515: Refactoring

d354a61

kaklakariada added a commit that referenced this issue Feb 7, 2024

Merge branch 'step1' into #515-step2-refactoring

4151a47

kaklakariada mentioned this issue Feb 7, 2024

#515: Refactor starting a maven process: use MavenProcessBuilder #525

Merged

kaklakariada added a commit that referenced this issue Feb 8, 2024

#515: Upgrade dependencies (#524)

2ccbe00

kaklakariada added a commit that referenced this issue Feb 8, 2024

Merge remote-tracking branch 'origin/main' into #515-step2-refactoring

346ddec

kaklakariada added a commit that referenced this issue Feb 8, 2024

Merge branch '#515-step2-refactoring' into feature/#515-dependency-up…

d8f8d30

…grade

kaklakariada mentioned this issue Feb 8, 2024

#515 Parse changes file #526

Merged

kaklakariada added a commit that referenced this issue Feb 8, 2024

Merge branch '#515-parse-changes-file' into feature/#515-dependency-u…

c846632

…pgrade

kaklakariada added a commit that referenced this issue Feb 8, 2024

#515: Refactor starting a maven process: use MavenProcessBuilder (#525)

68c736c

Co-authored-by: Christoph Kuhnke <[email protected]>

kaklakariada added a commit that referenced this issue Feb 8, 2024

Merge remote-tracking branch 'origin/main' into #515-parse-changes-file

59560c9

kaklakariada added a commit that referenced this issue Feb 8, 2024

Merge remote-tracking branch 'origin/#515-parse-changes-file' into fe…

9319f9f

…ature/#515-dependency-upgrade

kaklakariada added a commit that referenced this issue Feb 8, 2024

#515 Parse changes file (#526)

30d1832

Co-authored-by: Christoph Kuhnke <[email protected]>

kaklakariada added a commit that referenced this issue Feb 8, 2024

Merge remote-tracking branch 'origin/main' into feature/#515-dependen…

8d24d1b

…cy-upgrade

kaklakariada mentioned this issue Feb 8, 2024

Refactor command executor & POM reading/writing #527

Merged

kaklakariada added a commit that referenced this issue Feb 8, 2024

Merge branch '#515-refactor-process-execution' into feature/#515-depe…

84b1492

…ndency-upgrade

kaklakariada added a commit that referenced this issue Feb 9, 2024

Merge branch 'main' into feature/#515-dependency-upgrade

757ed2a

kaklakariada added a commit that referenced this issue Feb 9, 2024

Merge branch 'feature/#515-dependency-upgrade' into feature/#515-upda…

e226ba1

…te-changesfile

kaklakariada closed this as completed in #522 Feb 22, 2024

kaklakariada added a commit that referenced this issue Feb 22, 2024

#515: Implement auto dependency update (#522)

93c05b0

kaklakariada added a commit that referenced this issue Feb 22, 2024

Merge remote-tracking branch 'origin/main' into feature/#515-update-c…

102f49f

…hangesfile

kaklakariada mentioned this issue Feb 22, 2024

#515: Update changes file #531

Merged

ckunki reopened this Feb 23, 2024

kaklakariada added a commit that referenced this issue Feb 23, 2024

#515: Update changesfile with vulnerabilities

df3a889

kaklakariada added a commit that referenced this issue Feb 26, 2024

#515: Update changes file (#531)

6c57ef6

Co-authored-by: Christoph Kuhnke <[email protected]>

kaklakariada mentioned this issue Feb 26, 2024

#515: Add dependency update workflow #532

Merged

kaklakariada added a commit that referenced this issue Feb 26, 2024

Merge remote-tracking branch 'origin/main' into feature/#515-dependen…

b791816

…cy-update-workflow

kaklakariada added a commit that referenced this issue Feb 26, 2024

Merge branch 'feature/#515-dependency-update-workflow' of https://git…

ffa7ad3

…hub.com/exasol/project-keeper into feature/#515-dependency-update-workflow

kaklakariada added a commit that referenced this issue Feb 26, 2024

#515: Add dependency update workflow (#532)

c32e5e9

Co-authored-by: Christoph Kuhnke <[email protected]>

kaklakariada closed this as completed in #532 Feb 26, 2024

kaklakariada mentioned this issue Feb 27, 2024

Checks don't run for dependency update PR #534

Closed

2 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Dependency upgrade process #515

Dependency upgrade process #515

kaklakariada commented Jan 24, 2024 •

edited

Loading

Tasks

pj-spoelders commented Feb 1, 2024

ckunki commented Feb 1, 2024

kaklakariada commented Feb 28, 2024

Dependency upgrade process #515

Dependency upgrade process #515

Comments

kaklakariada commented Jan 24, 2024 • edited Loading

Goal

Implementation

Input

Process

Tasks

Open questions

Delimitations / out-of-scope

pj-spoelders commented Feb 1, 2024

ckunki commented Feb 1, 2024

kaklakariada commented Feb 28, 2024

kaklakariada commented Jan 24, 2024 •

edited

Loading