I want to bring this subject back. Any chance we can get this running
in our main repo, maybe on a weekly basis like we do for the dependency
reports? It looks totally worth it.

On Fri, Mar 1, 2019 at 2:05 AM Ahmet Altay <al...@google.com> wrote:
>
> Thank you, I agree this is very important. Does anyone know a similar tool 
> for python and go?
>
> On Thu, Feb 28, 2019 at 8:26 AM Etienne Chauchot <echauc...@apache.org> wrote:
>>
>> Hi guys,
>>
>> I came by this [1] gradle plugin that is a client to the Sonatype OSS Index 
>> CVE database.
>>
>> I have set it up here in a branch [2], though the cache is not configured 
>> and the number of requests is limited. It can be run with "gradle --info 
>> audit".
>>
>> It could be nice to have something like this to track the CVEs in the libs 
>> we use. I know we have been spammed by libs upgrade automatic requests in 
>> the past but CVEs are more important IMHO.
>>
>> This plugin is in BSD-3-Clause which is compatible with Apache V2 licence [3]
>>
>> WDYT ?
>>
>> Etienne
>>
>> [1] https://github.com/OSSIndex/ossindex-gradle-plugin
>> [2] https://github.com/echauchot/beam/tree/cve_audit_plugin
>> [3] https://www.apache.org/legal/resolved.html
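As an added illustration of what such an audit does under the hood (this is not code from the thread, from the gradle plugin or from the Beam project), the script below sketches the same idea for the Python side that Ahmet asked about: it turns a pinned requirements.txt into package URLs, batches them for the Sonatype OSS Index component-report API that the gradle plugin also queries, and reduces the returned report to the findings worth failing a build on. The endpoint URL, the 128-coordinates-per-request limit and the response field names (`coordinates`, `vulnerabilities`, `cvssScore`, `cve`, `id`, `title`) are assumptions taken from the public OSS Index v3 API as I know it; check them against the current documentation before wiring this into CI. The sample requirements file and the sample report are constructed so the parsing and filtering logic runs offline; only `fetch_report` talks to the network.

```python
"""Sketch of a dependency CVE audit against the Sonatype OSS Index.

Assumptions (not taken from the thread): the v3 component-report endpoint,
its request/response shape and its per-request coordinate limit.
"""
import json
import re
import urllib.request
from typing import Dict, Iterable, Iterator, List, Optional

# Assumed OSS Index v3 endpoint; verify against the current API docs.
OSSINDEX_URL = "https://ossindex.sonatype.org/api/v3/component-report"
# Assumed server-side limit on coordinates per request.
MAX_BATCH = 128

# Only exact pins are auditable; ranges are skipped on purpose.
_PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([A-Za-z0-9.+!-]+)")


def requirements_to_purls(text: str) -> List[str]:
    """Map pinned requirements.txt lines to pkg:pypi package URLs."""
    purls = []
    for line in text.splitlines():
        m = _PIN.match(line.split("#", 1)[0])  # drop trailing comments
        if m:
            purls.append(f"pkg:pypi/{m.group(1).lower()}@{m.group(2)}")
    return purls


def batches(items: List[str], size: int = MAX_BATCH) -> Iterator[List[str]]:
    """Split coordinates into request-sized chunks (rate limits apply per request)."""
    for i in range(0, len(items), size):
        yield items[i:i + size]


def fetch_report(purls: List[str], timeout: int = 30) -> List[Dict]:
    """POST each batch to OSS Index and concatenate the JSON reports.

    Network call; not exercised offline. Anonymous use is rate limited, which
    is why a cache (or an authenticated account) matters for scheduled runs.
    """
    report: List[Dict] = []
    for batch in batches(purls):
        body = json.dumps({"coordinates": batch}).encode("utf-8")
        req = urllib.request.Request(
            OSSINDEX_URL,
            data=body,
            headers={"Content-Type": "application/json",
                     "User-Agent": "cve-audit-example"},
        )
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            report.extend(json.load(resp))
    return report


def summarize(report: Iterable[Dict], min_score: float = 7.0) -> List[Dict]:
    """Keep vulnerabilities at or above min_score, highest CVSS first."""
    findings = []
    for component in report:
        for vuln in component.get("vulnerabilities", []):
            score = float(vuln.get("cvssScore", 0.0))
            if score >= min_score:
                findings.append({
                    "coordinates": component["coordinates"],
                    "id": vuln.get("cve") or vuln.get("id"),
                    "score": score,
                    "title": vuln.get("title", ""),
                })
    return sorted(findings, key=lambda f: -f["score"])


def audit_passes(findings: List[Dict]) -> bool:
    """True when nothing crossed the threshold (the build may proceed)."""
    return not findings


# Constructed sample input: a tiny requirements.txt.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
examplelib==1.0.0   # pinned, audited
Other-Lib==2.3.4
unpinned>=1.0       # skipped: no exact version
"""

# Constructed sample response in the assumed v3 shape; ids are placeholders.
SAMPLE_REPORT = [
    {"coordinates": "pkg:pypi/examplelib@1.0.0", "vulnerabilities": [
        {"id": "EXAMPLE-1", "title": "constructed high-severity finding",
         "cvssScore": 9.8, "cve": "CVE-EXAMPLE-0001"},
        {"id": "EXAMPLE-2", "title": "constructed low-severity finding",
         "cvssScore": 3.1},
    ]},
    {"coordinates": "pkg:pypi/other-lib@2.3.4", "vulnerabilities": []},
]

if __name__ == "__main__":
    purls = requirements_to_purls(SAMPLE_REQUIREMENTS)
    # Replace SAMPLE_REPORT with fetch_report(purls) for a live run.
    for f in summarize(SAMPLE_REPORT):
        print(f"{f['coordinates']}: {f['id']} (CVSS {f['score']}) {f['title']}")
    raise SystemExit(0 if audit_passes(summarize(SAMPLE_REPORT)) else 1)
```

For a weekly job the useful part is the exit status: a non-zero exit on any finding above the threshold turns the report into something a scheduled CI run can fail on, rather than a mail nobody reads.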
