Technology Radar
Published: Sep 27, 2023
NOT ON THE CURRENT EDITION
This blip is not on the current edition of the Radar. If it was on one of the last few editions, it is likely that it is still relevant. If the blip is older, it might no longer be relevant and our assessment might be different today. Unfortunately, we simply don't have the bandwidth to continuously review blips from previous editions of the Radar.
Sep 2023
Trial
The complexity of the software supply chain is a major risk, one we have discussed in a number of blips, for example SBOM and SLSA. For most teams the Achilles' heel remains vulnerabilities in dependencies, often several layers down in transitive dependencies. Tools such as Dependabot help by creating pull requests (PRs) to update dependencies. Teams still need the engineering discipline, however, to make sure those PRs are dealt with promptly, especially the ones raised against applications or services that have not been actively worked on for a long time.
Where a system has extensive test coverage, meaning not only solid unit tests but also functional and performance tests, and the build pipeline must run all of those tests together with security scans, we go further and advocate merging dependency update PRs automatically. In short, the team must fully trust that once the pipeline has run successfully the software is ready for production. Under those conditions dependency update PRs should be merged automatically, even when they contain major version updates of transitive dependencies.
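As an added illustration of the setup described above (example configuration written for this page, not code from the Radar or from Thoughtworks), here is a GitHub Actions workflow that enables auto-merge on Dependabot PRs. It assumes that branch protection on the target branch lists the pipeline's test and security-scan jobs as required status checks; the workflow name, job names and the choice of squash merge are assumptions.

```yaml
# Added example, not from the Radar text. Assumes the protected target branch
# requires the pipeline jobs (unit, functional, performance tests and the
# security scan) as status checks. `gh pr merge --auto` only completes once
# every required check has passed, so the pipeline, not this workflow, is
# the gate. All names below are assumptions.
name: Auto-merge dependency updates

on: pull_request

permissions:
  contents: write        # needed to perform the merge
  pull-requests: write   # needed to enable auto-merge on the PR

jobs:
  auto-merge:
    runs-on: ubuntu-latest
    # Act only on PRs opened by Dependabot, never on arbitrary contributor PRs.
    if: github.actor == 'dependabot[bot]'
    steps:
      - name: Read Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"

      # The Radar's stance is that a trusted pipeline justifies merging every
      # update, semver-major bumps of transitive dependencies included, so no
      # filter on update-type is applied here; the step only records what kind
      # of update this PR carries in the job log for later review.
      - name: Log update type
        run: echo "deps=${DEPS} dependency-type=${DEP_TYPE} update-type=${UPDATE_TYPE}"
        env:
          DEPS: ${{ steps.metadata.outputs.dependency-names }}
          DEP_TYPE: ${{ steps.metadata.outputs.dependency-type }}
          UPDATE_TYPE: ${{ steps.metadata.outputs.update-type }}

      - name: Enable auto-merge (completes only after required checks pass)
        run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

The check that matters is the branch protection rule, not the workflow: if the target branch has no required status checks, `gh pr merge --auto` merges as soon as the PR is mergeable, which silently removes the pipeline from the loop. Verify that the protection rule names every test and scanning job before enabling this, and that those jobs cannot be skipped for Dependabot-authored branches.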