tomekowal
How do you use mix hex.audit in your CIs?
I am using mix hex.audit to make my CI pipeline red when I am using packages that are retired or have CVEs.
Today I encoutered an issue where cowlib package in its newest version 2.17.1 has low severity CVEs Security Advisories for cowlib | Hex
I don’t really want to make this check optional. If it is red for longer period of time, I will stop noticing new reports. What I would like is an allowlist mechanism where I can have an .hex_audit_ignore file where I can comment that I am aware of this low severity stuff and I am choosing to wait for the new version.
I know there is mix_audit. This one has a config. However, to run a mix task from a dependency, I need to compile that dep first. If a package was compromised, it is too late. mix hex.audit docs say to run it before any compilation.
I can also run mix_audit as an escript, but then it doesn’t read the config.
How do you deal with audits in CI? Do you work around it? Would you like to have an allowlist/ignorelist for mix hex.audit task?
Most Liked
maennchen
There’s an issue for that here: How to ignore advisories in mix hex.audit? · Issue #1194 · hexpm/hex · GitHub
Lucassifoni
Currently my CI becomes red and blocking when mix hex.audit runs and has reports, but I added an ignore list in a text file specifically for the recent cowlib CVEs since there was a slight delay. I am not very satisfied with that, but have a cron that deletes the ignorelist weekly so there is no excessive “rot” and I get automatically reminded to check if cowlib updated, by the CI re-breaking soon later.
tomekowal
Thanks for your response. I am considering creating a feature request to hex team. The mix hex.audit is clearly meant for CI, but its output depends on library maintainers, so we need a way to unblock the CI.
Popular in Discussions
Other popular topics
Categories:
Sub Categories:
Forums
Popular Tags
- #ecto
- #liveview
- #troubleshooting
- #learning-elixir
- #deployment
- #library
- #erlang
- #testing
- #genserver
- #mix
- #absinthe
- #remote-other
- #otp
- #plug
- #how-to-question
- #macros
- #postgres
- #channels
- #elixirconf
- #exunit
- #discussion
- #code-sync
- #javascript
- #podcasts
- #onsite
- #dialyzer
- #docker
- #authentication
- #umbrella
- #full-time-contract
- #podcasts-by-brainlid
- #ecto-query
- #elixir-ls
- #phoenix_html
- #iex
- #blog-post
- #graphql
- #genstage
- #ai
- #websockets
- #supervisor
- #advent-of-code
- #elixirconf-us
- #distillery
- #processes
- #forms
- #api
- #metaprogramming
- #security
- #performance









