dependabot / feedback

The old feedback repository for Dependabot. Click below for the new repository.

Home Page: https://github.com/dependabot/dependabot-core

Dependabot exposes private Github repository details through changelogs

jwgmeligmeyling opened this issue · comments

I.e. the version bump commit for NewRelic Agent 5.10.0 listed:

Bumps newrelic-api from 5.9.0 to 5.10.0.
changelog

The link exposes the fact that the repository is hosted at https://github.com/newrelic/java_agent, but going to that repository results in a 404 exception. Unauthorised visitors should not be aware of the fact that a repository exists at that location. Therefore, links to private repositories should be omitted from the generated issue descriptions.

@jwgmeligmeyling could you send over a pull request URL where this is visible? Or is it a private repo PR?

Unfortunately I can't share the PR as it's non-public.

Perhaps it's actually NewRelic's fault in the end, as they specifically mention their SCM location in their pom.xml artefact descriptor:

<scm>
    <connection>scm:git:git@github.com:newrelic/java_agent.git</connection>
    <url>git@github.com:newrelic/java_agent.git</url>
</scm>

(Which is publicly available in Maven Central)

If the value under SCM is used to generate the link, this issue isn't on Dependabot's side. But of course I can't know for sure if the repository location is mapped to the dependency through some other unintentional way.
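As an added example (not code from Dependabot, NewRelic or this thread), here is a pre-publish check for the mechanism the comment above describes: it parses a POM's <scm> block and flags GitHub locations, in particular git@ SSH-form URLs that typically name an internal repository, so the reference is reviewed before the artefact is pushed to Maven Central. The POM content and the org/repo names in it are constructed for illustration.

```python
import re
from typing import Dict, List, Optional
import xml.etree.ElementTree as ET

# Constructed sample POM mirroring the <scm> shape quoted in the thread
# (hypothetical content, not fetched from Maven Central).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>example-api</artifactId>
  <version>5.10.0</version>
  <scm>
    <connection>scm:git:git@github.com:example-org/internal_agent.git</connection>
    <url>git@github.com:example-org/internal_agent.git</url>
  </scm>
</project>
"""

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# Matches "git@github.com:owner/repo(.git)" and "https://github.com/owner/repo(.git)"
GITHUB_RE = re.compile(
    r"(?:git@github\.com:|https?://github\.com/)([^/\s]+)/([^/\s]+?)(?:\.git)?/?$"
)


def scm_entries(pom_xml: str) -> Dict[str, str]:
    """Return the text of each child of <scm> (connection, developerConnection, url)."""
    root = ET.fromstring(pom_xml)
    scm = root.find("m:scm", POM_NS)
    if scm is None:
        return {}
    return {child.tag.split("}")[-1]: (child.text or "").strip() for child in scm}


def github_slug(value: str) -> Optional[str]:
    """Normalise an scm value to 'owner/repo', or None if it is not a GitHub location."""
    value = re.sub(r"^scm:git:", "", value)  # drop the Maven SCM provider prefix
    m = GITHUB_RE.search(value)
    return f"{m.group(1)}/{m.group(2)}" if m else None


def audit_scm(pom_xml: str) -> List[str]:
    """Flag <scm> values that disclose a repository a tool like Dependabot will link to."""
    findings = []
    for tag, value in scm_entries(pom_xml).items():
        slug = github_slug(value)
        if slug is None:
            continue
        if "git@github.com:" in value:
            findings.append(f"{tag}: SSH-form URL names GitHub repo {slug}; "
                            "use an https URL to a public repo or drop <scm>")
        else:
            findings.append(f"{tag}: points at GitHub repo {slug}; confirm it is public")
    return findings
```

Run `audit_scm` over the POM you are about to deploy; an empty list means no GitHub location will be surfaced in generated changelog links.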

Going to close this as we can't change this in Dependabot.