Common Vulnerabilities and Exposures (CVE)

On Fri, Apr 19, 2019 at 10:33 AM Robert Burke <rob...@frantil.com> wrote:

> Ah! What's CVE stand for then?
>
> Re the PR: Sadly, it's more complicated than that, which I'll explain in
> the PR. Otherwise it would have been done already. It's not too bad if the
> time is put in though.
>
> On Fri, 19 Apr 2019 at 10:17, Lukasz Cwik <lc...@google.com> wrote:
>
>> Robert, I believe what is being suggested is a tool that integrates into
>> CVE reports automatically and tells us if we have a dependency with a
>> security issue (not just whether there is a newer version). Also, there is
>> a sweet draft PR to add Go modules[1].
>>
>> 1: https://github.com/apache/beam/pull/8354
>>
>> On Fri, Apr 19, 2019 at 10:12 AM Robert Burke <rob...@frantil.com> wrote:
>>
>>> If we move to Go Modules, the go.mod file specifies direct dependencies
>>> and versions, and the go.sum file includes checksums of the full transitive
>>> set of dependencies. There's likely going to be a tool for detecting if an
>>> update is possible, if one doesn't exist in the go tooling already.
>>>
>>> On Fri, 19 Apr 2019 at 09:44, Lukasz Cwik <lc...@google.com> wrote:
>>>
>>>> This seems worthwhile IMO.
>>>>
>>>> Ahmet, Pyup[1] is free for open source projects and has an API that
>>>> allows for dependency checking. They can scan Github repos automatically it
>>>> seems but it may not be compatible with how Apache permissions with Github
>>>> work. I'm not sure if there is such a thing for Go.
>>>>
>>>> 1: https://pyup.io/
>>>>
>>>> On Fri, Apr 19, 2019 at 2:31 AM Ismaël Mejía <ieme...@gmail.com> wrote:
>>>>
>>>>> I want to bring this subject back. Any chance we can get this running
>>>>> in our main repo, maybe on a weekly basis like we do for the dependency
>>>>> reports? It looks totally worth it.
>>>>>
>>>>> On Fri, Mar 1, 2019 at 2:05 AM Ahmet Altay <al...@google.com> wrote:
>>>>> >
>>>>> > Thank you, I agree this is very important. Does anyone know a
>>>>> similar tool for python and go?
>>>>> >
>>>>> > On Thu, Feb 28, 2019 at 8:26 AM Etienne Chauchot <
>>>>> echauc...@apache.org> wrote:
>>>>> >>
>>>>> >> Hi guys,
>>>>> >>
>>>>> >> I came by this [1] gradle plugin that is a client to the Sonatype
>>>>> OSS Index CVE database.
>>>>> >>
>>>>> >> I have set it up here in a branch [2], though the cache is not
>>>>> configured and the number of requests is limited. It can be run with
>>>>> "gradle --info audit"
>>>>> >>
>>>>> >> It could be nice to have something like this to track the CVEs in
>>>>> the libs we use. I know we have been spammed by automatic lib upgrade
>>>>> requests in the past, but CVEs are more important IMHO.
>>>>> >>
>>>>> >> This plugin is under the BSD-3-Clause licence, which is compatible with
>>>>> the Apache V2 licence [3].
>>>>> >>
>>>>> >> WDYT?
>>>>> >>
>>>>> >> Etienne
>>>>> >>
>>>>> >> [1] https://github.com/OSSIndex/ossindex-gradle-plugin
>>>>> >> [2] https://github.com/echauchot/beam/tree/cve_audit_plugin
>>>>> >> [3] https://www.apache.org/legal/resolved.html
>>>>>
>>>>
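The kind of go.sum-driven check the thread is asking for, written here as an added example (not code from this thread, from Beam, or from any of the tools mentioned): it reads go.sum entries, which cover the full transitive set, and matches each module version against a small advisory feed to report dependencies with a known security issue rather than merely a newer version. The advisory records, module paths, hashes, version ranges and CVE ids are all constructed placeholders, and the function names verKey and Audit are this example's own; a real tool would pull advisories from OSS Index or the CVE database instead of a hard-coded list.

```go
package main

import (
	"fmt"
	"strings"
)

// Advisory is one record of a constructed offline feed (a real tool would query OSS Index or
// the CVE database); a module version v is affected when Introduced <= v < Fixed.
type Advisory struct{ ID, Module, Introduced, Fixed string }

// verKey maps the numeric core of "v1.2.0", "v2.0.0+incompatible" or a pseudo-version such as
// "v0.0.0-20190419000000-abcdef123456" to a string that sorts in major.minor.patch order.
func verKey(v string) string {
	var a, b, c int
	if _, err := fmt.Sscanf(strings.TrimPrefix(v, "v"), "%d.%d.%d", &a, &b, &c); err != nil {
		return "" // not a Go module version at all
	}
	return fmt.Sprintf("%06d.%06d.%06d", a, b, c)
}

// Audit scans go.sum text (the full transitive set) and reports each module@version inside an affected
// range; "/go.mod" entries (a go.mod read for version selection, not built code) are skipped.
func Audit(goSum string, advisories []Advisory) []string {
	var findings []string
	for _, line := range strings.Split(goSum, "\n") {
		f := strings.Fields(line) // module, version, hash
		if len(f) != 3 || strings.HasSuffix(f[1], "/go.mod") {
			continue
		}
		v := verKey(f[1])
		for _, a := range advisories {
			if v != "" && a.Module == f[0] && v >= verKey(a.Introduced) && v < verKey(a.Fixed) {
				findings = append(findings, f[0]+"@"+f[1]+" affected by "+a.ID)
			}
		}
	}
	return findings
}

// Constructed sample input: module paths, versions, hashes and CVE ids are all placeholders.
const sampleGoSum = `github.com/example/parser v1.2.0 h1:PLACEHOLDER=
github.com/example/parser v1.2.0/go.mod h1:PLACEHOLDER=
github.com/example/netlib v0.9.1 h1:PLACEHOLDER=`
var sampleAdvisories = []Advisory{
	{"CVE-0000-0001 (placeholder)", "github.com/example/parser", "v1.0.0", "v1.2.1"},
	{"CVE-0000-0002 (placeholder)", "github.com/example/netlib", "v0.5.0", "v0.9.0"},
}

func main() { fmt.Println(Audit(sampleGoSum, sampleAdvisories)) }
```

Only parser v1.2.0 is reported: netlib v0.9.1 is at or past its fix version, and the duplicate "/go.mod" line does not produce a second finding.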