Security process for Bioconductor
rhnewman (@rhnewman-23769)

Are there any processes in place for the review of code, to check for vulnerabilities in Bioconductor or any of its dependencies, etc.? How do you handle remediations, notifications or updates in the event a vulnerability or other malicious component is discovered?

Can you provide context for your question?

Our Institute is heavy on security and we vet anything that gets installed in our environment, as we were hit a couple of times with ransomware and other malicious activity. A couple of those were from "open-source" applications that our researchers introduced into the environment. Because of this, we have developed a policy to determine which applications may be both useful and secure. It is worth noting that we do understand not everything is perfectly secure, but we do try to mitigate potential issues up front to keep our environment as safe and secure as possible while continuing to give our researchers the tools to work suitably. Thank you.

@martin-morgan-1513

Bioconductor is not a monolithic application, but a (large) collection of software packages.

All new Bioconductor package contributions receive a technical review, but this does not specifically target security vulnerabilities.

Once accepted, maintainers make commits to our git repository. There is little code review at this stage.

Bioconductor packages are almost exclusively source (R, C, C++, Fortran, etc) code in git. The main dependencies are therefore R itself, and system library dependencies. Generally, system dependencies must be satisfied by the user, and hence vulnerabilities in these libraries are not under our control. R itself responds promptly to security vulnerabilities. We try to maintain our own systems in a reasonably current state, with regular application of security and other OS updates.

The path from our git repository to build system to public repository is through https.

Our response is like our response to this query -- prompt assessment of the concern and immediate action, e.g., removing problematic packages from our public repositories, notifying upstream sources, and if necessary sharing concerns with our community through this support site, our developer mailing list, and our community slack.

From a developer's perspective, I can also add that our GitHub repositories from where we push code to Bioconductor are protected with SSH keys. I also have an additional security layer via 2FA phone authentication.

rhnewman, I have worked in a lot of different places and have seen varying degrees of security measures. In the most secure scenario, everything would be installed by a system administrator, even R packages, and users would have absolutely no rights to write any new file to disk. In other highly secure environments, users would log in to a Virtual Environment where some more control is given to them, with the main / core IT system protected by being outside of this virtual environment.

It would be important to define multiple 'layers' of security, whereby, even if one is breached, a lot more [layers] have to be breached before any major damage can be done.

Thank you for your comments and the information in your response! I appreciate your time!
