You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I am on LemmyWorld, which was hacked a few days ago. From my brief reading, the attack vector used was an XSS of some kind.
Does Lemmy-UI currently have automated code scanning to make aware security vulnerabilities? If not, is there interest in having that added? I'm not a dev on the app right now, but as a Lemmy user I'd have more confidence in the tool knowing that automated security scanning is in place.
I did some research on some options we could add to a GitHub CI job.
Sonatype is a SonarSource competitor, and they have Lift on GitHub marketplace, also free for open-source projects. https://github.com/marketplace/muse-dev
Sidenote: It's also worth considering using their OSSIndex as a package repo instead of NPM, as it's a free version of Sonatype Nexus, which does security scanning on all artifacts in the repo. It would suck to adopt a version of a express or a babel library that gets injected with malware. https://ossindex.sonatype.org/
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
-
I am on LemmyWorld, which was hacked a few days ago. From my brief reading, the attack vector used was an XSS of some kind.
Does Lemmy-UI currently have automated code scanning to make aware security vulnerabilities? If not, is there interest in having that added? I'm not a dev on the app right now, but as a Lemmy user I'd have more confidence in the tool knowing that automated security scanning is in place.
I did some research on some options we could add to a GitHub CI job.
https://docs.github.com/en/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/installing-codeql-cli-in-your-ci-system
https://www.sonarsource.com/products/sonarcloud/
https://github.com/marketplace/muse-dev
Sidenote: It's also worth considering using their OSSIndex as a package repo instead of NPM, as it's a free version of Sonatype Nexus, which does security scanning on all artifacts in the repo. It would suck to adopt a version of a express or a babel library that gets injected with malware.
https://ossindex.sonatype.org/
https://github.com/typescript-eslint/typescript-eslint
I hope we can gather some interest here!
Beta Was this translation helpful? Give feedback.
All reactions