Robert, I believe what is being suggested is a tool that integrates into CVE reports automatically and tells us if we have a dependency with a security issue (not just whether there is a newer version). Also, there is a sweet draft PR to add Go modules[1].
1: https://github.com/apache/beam/pull/8354

On Fri, Apr 19, 2019 at 10:12 AM Robert Burke <rob...@frantil.com> wrote:
> If we move to Go Modules, the go.mod file specifies direct dependencies and versions, and the go.sum file includes checksums of the full transitive set of dependencies. There's likely going to be a tool for detecting if an update is possible, if one doesn't exist in the go tooling already.
>
> On Fri, 19 Apr 2019 at 09:44, Lukasz Cwik <lc...@google.com> wrote:
>
>> This seems worthwhile IMO.
>>
>> Ahmet, Pyup[1] is free for open source projects and has an API that allows for dependency checking. They can scan Github repos automatically it seems but it may not be compatible with how Apache permissions with Github work. I'm not sure if there is such a thing for Go.
>>
>> 1: https://pyup.io/
>>
>> On Fri, Apr 19, 2019 at 2:31 AM Ismaël Mejía <ieme...@gmail.com> wrote:
>>
>>> I want to bring this subject back, any chance we can get this running in our main repo maybe on a weekly basis like we do for the dependency reports. It looks totally worth it.
>>>
>>> On Fri, Mar 1, 2019 at 2:05 AM Ahmet Altay <al...@google.com> wrote:
>>> >
>>> > Thank you, I agree this is very important. Does anyone know a similar tool for python and go?
>>> >
>>> > On Thu, Feb 28, 2019 at 8:26 AM Etienne Chauchot <echauc...@apache.org> wrote:
>>> >>
>>> >> Hi guys,
>>> >>
>>> >> I came by this [1] gradle plugin that is a client to the Sonatype OSS Index CVE database.
>>> >>
>>> >> I have set it up here in a branch [2], though the cache is not configured and the number of requests is limited. It can be run with "gradle --info audit"
>>> >>
>>> >> It could be nice to have something like this to track the CVEs in the libs we use. I know we have been spammed by libs upgrade automatic requests in the past but CVEs are more important IMHO.
>>> >>
>>> >> This plugin is in BSD-3-Clause which is compatible with Apache V2 licence [3]
>>> >>
>>> >> WDYT ?
>>> >>
>>> >> Etienne
>>> >>
>>> >> [1] https://github.com/OSSIndex/ossindex-gradle-plugin
>>> >> [2] https://github.com/echauchot/beam/tree/cve_audit_plugin
>>> >> [3] https://www.apache.org/legal/resolved.html
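A minimal version of the check this thread is asking for, as an added example that is not code from the Beam project or from anyone in the thread: it reads the modules pinned in a go.sum file (the transitive set Robert describes) and matches them against a small advisory list with introduced/fixed version ranges, so the report says "this dependency has a known issue" rather than merely "a newer version exists". The go.sum excerpt, the example.com module names and the EXAMPLE-000x advisory identifiers are all constructed for the demo; a real scanner would pull advisories from a database such as the OSS Index service Etienne mentions.

```python
"""Match modules pinned in go.sum against a (constructed) advisory list.

Added example; assumptions: advisories carry a first affected version
(inclusive) and a first fixed version (exclusive), and versions are
Go-style semver tags such as v1.2.3 or v1.2.3-rc1.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed go.sum excerpt. Every module appears twice: a hash of the
# module zip and a hash of its go.mod (the "/go.mod" suffix). A scanner must
# strip that suffix and de-duplicate, and note that a module can be listed
# at several versions.
GO_SUM = """\
example.com/netlib v1.2.3 h1:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
example.com/netlib v1.2.3/go.mod h1:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=
example.com/parser v0.9.0 h1:CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC=
example.com/parser v0.9.0/go.mod h1:DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD=
example.com/yamlkit v2.1.0 h1:EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE=
example.com/yamlkit v2.1.0/go.mod h1:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF=
example.com/yamlkit v2.3.0 h1:GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG=
example.com/yamlkit v2.3.0/go.mod h1:HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH=
"""


@dataclass(frozen=True)
class Advisory:
    id: str                 # placeholder identifier, not a real CVE
    module: str
    introduced: str         # first affected version, inclusive
    fixed: Optional[str]    # first fixed version, exclusive; None = unfixed


# Constructed advisories for the demo modules above (hypothetical issues).
ADVISORIES = [
    Advisory("EXAMPLE-0001", "example.com/netlib", "v1.0.0", "v1.2.4"),
    Advisory("EXAMPLE-0002", "example.com/parser", "v0.5.0", "v0.8.0"),
    Advisory("EXAMPLE-0003", "example.com/yamlkit", "v2.0.0", None),
]

_VERSION_RE = re.compile(
    r"v(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.\-]+))?(?:\+[0-9A-Za-z.\-]+)?"
)


def parse_version(tag: str) -> Tuple[int, int, int, int, str]:
    """Turn a Go semver tag into a sortable tuple.

    A pre-release sorts before the release it precedes, so the fourth
    element is 0 for pre-releases and 1 for final releases. Pre-release
    labels are compared as plain strings, an approximation of the full
    semver rule that is good enough for this demo.
    """
    m = _VERSION_RE.fullmatch(tag)
    if not m:
        raise ValueError(f"not a semver tag: {tag!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1, pre or "")


def parse_go_sum(text: str) -> Dict[str, Set[str]]:
    """Return {module: {versions}} from go.sum, ignoring the hashes."""
    pinned: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # blank or malformed line
        module, version, _hash = parts
        if version.endswith("/go.mod"):
            version = version[: -len("/go.mod")]
        pinned.setdefault(module, set()).add(version)
    return pinned


def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed (or no fix exists)."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed is not None and v >= parse_version(adv.fixed):
        return False
    return True


def audit(go_sum_text: str, advisories: List[Advisory]) -> List[Tuple[str, str, str]]:
    """Return (module, version, advisory id) for every affected pin."""
    pinned = parse_go_sum(go_sum_text)
    findings = []
    for adv in advisories:
        for version in sorted(pinned.get(adv.module, ()), key=parse_version):
            if is_affected(version, adv):
                findings.append((adv.module, version, adv.id))
    return findings


if __name__ == "__main__":
    for module, version, adv_id in audit(GO_SUM, ADVISORIES):
        print(f"{adv_id}: {module}@{version} is affected")
```

Two caveats worth keeping in mind if this is turned into a weekly job: go.sum retains entries for versions that the build no longer selects, so scanning it is the conservative choice and `go list -m all` gives the precise set of selected versions; and the pre-release ordering above is a string comparison, not the full semver precedence rule.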