This seems worthwhile IMO. Ahmet, Pyup[1] is free for open source projects and has an API that allows for dependency checking. They can scan Github repos automatically it seems but it may not be compatible with how Apache permissions with Github work. I'm not sure if there is such a thing for Go.
1: https://pyup.io/

On Fri, Apr 19, 2019 at 2:31 AM Ismaël Mejía <ieme...@gmail.com> wrote:
> I want to bring this subject back, any chance we can get this running
> in our main repo maybe in a weekly basis like we do for the dependency
> reports. It looks totally worth.
>
> On Fri, Mar 1, 2019 at 2:05 AM Ahmet Altay <al...@google.com> wrote:
> >
> > Thank you, I agree this is very important. Does anyone know a similar
> > tool for python and go?
> >
> > On Thu, Feb 28, 2019 at 8:26 AM Etienne Chauchot <echauc...@apache.org>
> > wrote:
> >>
> >> Hi guys,
> >>
> >> I came by this [1] gradle plugin that is a client to the Sonatype OSS
> >> Index CVE database.
> >>
> >> I have set it up here in a branch [2], though the cache is not
> >> configured and the number of requests is limited. It can be run with
> >> "gradle --info audit"
> >>
> >> It could be nice to have something like this to track the CVEs in the
> >> libs we use. I know we have been spammed by libs upgrade automatic requests
> >> in the past but CVE are more important IMHO.
> >>
> >> This plugin is in BSD-3-Clause which is compatible with Apache V2
> >> licence [3]
> >>
> >> WDYT?
> >>
> >> Etienne
> >>
> >> [1] https://github.com/OSSIndex/ossindex-gradle-plugin
> >> [2] https://github.com/echauchot/beam/tree/cve_audit_plugin
> >> [3] https://www.apache.org/legal/resolved.html
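Added example, not from this thread and not the OSSIndex gradle plugin's own code: a small stand-alone audit in the same spirit, for the case where a project wants the check without a Gradle plugin (or for a Python/Go dependency list). It turns `group:artifact:version` coordinates into package URLs, batches them into request bodies, and gates a component report on a CVSS threshold so a weekly job can fail loudly. The endpoint URL, the `{"coordinates": [...]}` request body, the 128-per-request batch limit and the response field names (`coordinates`, `vulnerabilities`, `cvssScore`, `cve`, `id`, `title`) are my assumptions about the public OSS Index v3 API; the dependency names, CVE identifiers and scores in the sample report are constructed placeholders, not real findings.

```python
"""Offline-capable dependency audit against an OSS Index-style component report.

Example code, not the thread's or the plugin's own. The API shape is assumed;
the sample data is constructed.
"""
import json
import re
import sys
import urllib.request
from dataclasses import dataclass

# Assumed public endpoint of the OSS Index v3 API (not verified on this page).
OSSINDEX_URL = "https://ossindex.sonatype.org/api/v3/component-report"
MAX_BATCH = 128  # assumed per-request coordinate limit of the API

GRADLE_DEP = re.compile(r"^([\w.\-]+):([\w.\-]+):([\w.\-]+)$")


def gradle_to_purl(dep: str) -> str:
    """'group:artifact:version' -> 'pkg:maven/group/artifact@version'."""
    m = GRADLE_DEP.match(dep.strip())
    if not m:
        raise ValueError(f"not a group:artifact:version coordinate: {dep!r}")
    group, artifact, version = m.groups()
    return f"pkg:maven/{group}/{artifact}@{version}"


def build_requests(deps, batch_size=MAX_BATCH):
    """Split dependencies into request bodies of the assumed shape."""
    purls = [gradle_to_purl(d) for d in deps]
    return [{"coordinates": purls[i:i + batch_size]}
            for i in range(0, len(purls), batch_size)]


def fetch_report(purls, timeout=30):
    """Live query (not used by the offline sample below): POST one batch."""
    body = json.dumps({"coordinates": purls}).encode()
    req = urllib.request.Request(
        OSSINDEX_URL, data=body,
        headers={"Content-Type": "application/json", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


@dataclass
class Finding:
    coordinates: str
    vuln_id: str
    title: str
    cvss: float


def audit(report, min_cvss=7.0):
    """Return findings at or above the CVSS gate, most severe first.

    Entries with no score are treated as 0.0 rather than dropped silently,
    so a malformed response still shows up at a low threshold.
    """
    findings = []
    for comp in report:
        for v in comp.get("vulnerabilities", []):
            score = float(v.get("cvssScore") or 0.0)
            if score >= min_cvss:
                findings.append(Finding(comp["coordinates"],
                                        v.get("cve") or v.get("id") or "?",
                                        v.get("title", ""), score))
    findings.sort(key=lambda f: f.cvss, reverse=True)
    return findings


# Constructed sample input: dependency coordinates as they would appear in a
# Gradle dependency report. Names are placeholders.
SAMPLE_DEPS = ["org.example:libfoo:1.2.3",
               "org.example:libbar:0.9.0",
               "org.example:libclean:2.0.0"]

# Constructed sample response mirroring the assumed OSS Index shape.
# Identifiers and scores are placeholders, not real vulnerabilities.
SAMPLE_REPORT = [
    {"coordinates": "pkg:maven/org.example/libfoo@1.2.3",
     "vulnerabilities": [
         {"id": "EXAMPLE-0001", "cve": "CVE-XXXX-PLACEHOLDER-1",
          "title": "constructed: high-severity finding", "cvssScore": 9.8}]},
    {"coordinates": "pkg:maven/org.example/libbar@0.9.0",
     "vulnerabilities": [
         {"id": "EXAMPLE-0002", "cve": None,
          "title": "constructed: low-severity finding", "cvssScore": 3.7}]},
    {"coordinates": "pkg:maven/org.example/libclean@2.0.0",
     "vulnerabilities": []},
]


if __name__ == "__main__":
    # Weekly-job style run over the constructed data: non-zero exit on findings.
    hits = audit(SAMPLE_REPORT)
    for f in hits:
        print(f"{f.cvss:>4}  {f.coordinates}  {f.vuln_id}  {f.title}")
    sys.exit(1 if hits else 0)
```

The gate is deliberately a CVSS threshold rather than "any finding", so the job fails only on what the team agrees is actionable and does not turn into the kind of notification spam the thread mentions; lowering `min_cvss` to 0 lists everything, which is the right mode for the first baseline run.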