If we move to Go Modules, the go.mod file specifies direct dependencies and
versions, and the go.sum file includes checksums of the full transitive set
of dependencies. There's likely going to be a tool for detecting if an
update is possible, if one doesn't exist in the go tooling already.

On Fri, 19 Apr 2019 at 09:44, Lukasz Cwik <lc...@google.com> wrote:

> This seems worthwhile IMO.
>
> Ahmet, Pyup[1] is free for open source projects and has an API that allows
> for dependency checking. They can scan Github repos automatically it seems
> but it may not be compatible with how Apache permissions with Github work.
> I'm not sure if there is such a thing for Go.
>
> 1: https://pyup.io/
>
> On Fri, Apr 19, 2019 at 2:31 AM Ismaël Mejía <ieme...@gmail.com> wrote:
>
>> I want to bring this subject back, any chance we can get this running
>> in our main repo maybe on a weekly basis like we do for the dependency
>> reports. It looks totally worth it.
>>
>> On Fri, Mar 1, 2019 at 2:05 AM Ahmet Altay <al...@google.com> wrote:
>> >
>> > Thank you, I agree this is very important. Does anyone know a similar tool for python and go?
>> >
>> > On Thu, Feb 28, 2019 at 8:26 AM Etienne Chauchot <echauc...@apache.org> wrote:
>> >>
>> >> Hi guys,
>> >>
>> >> I came by this [1] gradle plugin that is a client to the Sonatype OSS Index CVE database.
>> >>
>> >> I have set it up here in a branch [2], though the cache is not configured and the number of requests is limited. It can be run with "gradle --info audit"
>> >>
>> >> It could be nice to have something like this to track the CVEs in the libs we use. I know we have been spammed by libs upgrade automatic requests in the past but CVE are more important IMHO.
>> >>
>> >> This plugin is in BSD-3-Clause which is compatible with Apache V2 licence [3]
>> >>
>> >> WDYT ?
>> >>
>> >> Etienne
>> >>
>> >> [1] https://github.com/OSSIndex/ossindex-gradle-plugin
>> >> [2] https://github.com/echauchot/beam/tree/cve_audit_plugin
>> >> [3] https://www.apache.org/legal/resolved.html
>>
>
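
Added example, not part of the original thread or of Beam's code: a small Go parser that turns a go.sum file into the list of module@version pairs a CVE audit would need to check. go.sum also carries `/go.mod`-only lines for versions whose go.mod was merely consulted during version resolution, so the parser keeps only entries that have a source-archive checksum; the function name and the sample modules and hashes are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample go.sum content; module names and hashes are placeholders.
const sampleGoSum = `example.com/liba v1.2.0 h1:AAAA=
example.com/liba v1.2.0/go.mod h1:BBBB=
example.com/libb v0.3.1/go.mod h1:CCCC=
example.com/libb v0.4.0 h1:DDDD=
example.com/libb v0.4.0/go.mod h1:EEEE=
`

// AuditTargets (hypothetical helper) returns the sorted "module@version"
// pairs whose source archive has a checksum in go.sum. Lines whose version
// ends in "/go.mod" only record a go.mod file and are skipped.
func AuditTargets(goSum string) ([]string, error) {
	seen := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(goSum))
	for n := 1; sc.Scan(); n++ {
		f := strings.Fields(sc.Text())
		if len(f) == 0 {
			continue // blank line
		}
		if len(f) != 3 {
			return nil, fmt.Errorf("line %d: malformed go.sum entry", n)
		}
		if strings.HasSuffix(f[1], "/go.mod") {
			continue // go.mod-only entry, no source archive recorded
		}
		seen[f[0]+"@"+f[1]] = true
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	out := make([]string, 0, len(seen))
	for k := range seen {
		out = append(out, k)
	}
	sort.Strings(out)
	return out, nil
}
```

For the sample above, `example.com/libb v0.3.1` is dropped because only its go.mod checksum is present.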
