Hi,should I merge my branch
https://github.com/echauchot/beam/tree/cve_audit_plugin to master to include
this tool to
the build system then ?It will not fail the build but add an audit task to it.
EtienneLe vendredi 19 avril 2019 à 10:54 -0700, Lukasz Cwik a écrit :
> Common Vulnerabilities and Exposures (CVE)
>
> On Fri, Apr 19, 2019 at 10:33 AM Robert Burke <rob...@frantil.com> wrote:
> > Ah! What's CVE stand for then?
> >
> > Re the PR: Sadly, it's more complicated than that, which I'll explain in
> > the PR. Otherwise it would have been done
> > already. It's not too bad if the time is put in though.
> > On Fri, 19 Apr 2019 at 10:17, Lukasz Cwik <lc...@google.com> wrote:
> > > Robert, I believe what is being suggested is a tool that integrates into
> > > CVE reports automatically and tells us if
> > > we have a dependency with a security issue (not just whether there is a
> > > newer version). Also, there is a sweet
> > > draft PR to add Go modules[1].
> > > 1: https://github.com/apache/beam/pull/8354
> > > On Fri, Apr 19, 2019 at 10:12 AM Robert Burke <rob...@frantil.com> wrote:
> > > > If we move to Go Modules, the go.mod file specifies direct dependencies
> > > > and versions, and the go.sum file
> > > > includes checksums of the full transitive set of dependencies. There's
> > > > likely going to be a tool for detecting
> > > > if an update is possible, if one doesn't exist in the go tooling
> > > > already.
> > > > On Fri, 19 Apr 2019 at 09:44, Lukasz Cwik <lc...@google.com> wrote:
> > > > > This seems worthwhile IMO.
> > > > > Ahmet, Pyup[1] is free for open source projects and has an API that
> > > > > allows for dependency checking. They can
> > > > > scan Github repos automatically it seems but it may not be compatible
> > > > > with how Apache permissions with Github
> > > > > work. I'm not sure if there is such a thing for Go.
> > > > >
> > > > > 1: https://pyup.io/
> > > > >
> > > > > On Fri, Apr 19, 2019 at 2:31 AM Ismaël Mejía <ieme...@gmail.com>
> > > > > wrote:
> > > > > > I want to bring this subject back, any chance we can get this
> > > > > > running
> > > > > >
> > > > > > in or main repo maybe in a weekly basis like we do for the
> > > > > > dependency
> > > > > >
> > > > > > reports. It looks totallly worth.
> > > > > >
> > > > > >
> > > > > >
> > > > > > On Fri, Mar 1, 2019 at 2:05 AM Ahmet Altay <al...@google.com> wrote:
> > > > > >
> > > > > > >
> > > > > >
> > > > > > > Thank you, I agree this is very important. Does anyone know a
> > > > > > > similar tool for python and go?
> > > > > >
> > > > > > >
> > > > > >
> > > > > > > On Thu, Feb 28, 2019 at 8:26 AM Etienne Chauchot
> > > > > > > <echauc...@apache.org> wrote:
> > > > > >
> > > > > > >>
> > > > > >
> > > > > > >> Hi guys,
> > > > > >
> > > > > > >>
> > > > > >
> > > > > > >> I came by this [1] gradle plugin that is a client to the
> > > > > > >> Sonatype OSS Index CVE database.
> > > > > >
> > > > > > >>
> > > > > >
> > > > > > >> I have set it up here in a branch [2], though the cache is not
> > > > > > >> configured and the number of requests is
> > > > > > limited. It can be run with "gradle --info audit"
> > > > > >
> > > > > > >>
> > > > > >
> > > > > > >> It could be nice to have something like this to track the CVEs
> > > > > > >> in the libs we use. I know we have been
> > > > > > spammed by libs upgrade automatic requests in the past but CVE are
> > > > > > more important IMHO.
> > > > > >
> > > > > > >>
> > > > > >
> > > > > > >> This plugin is in BSD-3-Clause which is compatible with Apache
> > > > > > >> V2 licence [3]
> > > > > >
> > > > > > >>
> > > > > >
> > > > > > >> WDYT ?
> > > > > >
> > > > > > >>
> > > > > >
> > > > > > >> Etienne
> > > > > >
> > > > > > >>
> > > > > >
> > > > > > >> [1] https://github.com/OSSIndex/ossindex-gradle-plugin
> > > > > >
> > > > > > >> [2] https://github.com/echauchot/beam/tree/cve_audit_plugin
> > > > > >
> > > > > > >> [3] https://www.apache.org/legal/resolved.html
> > > > > >
