> On Feb 12, 2018, at 12:29 PM, Mark Bretl <asf.mbr...@gmail.com> wrote:
>
> Late to the game here, as I see this was merged today…
>

Comments always appreciated :-)

> The addition of the Gradle versions plugin is good and hopefully we can go
> farther down the path of dependency scanning by adding security as well.
> Currently, GitHub has this setup for Ruby and JavaScript [1], however it is
> lacking Java dependencies. Until GitHub can support Java dependencies, I
> would suggest we look at other tools, such as snyk.io [2], for tracking our
> dependencies with security vulnerabilities.
>

dependency-check [1] from OWASP is pretty nice and easy to run automatically in a pipeline.

Anthony

[1] https://www.owasp.org/index.php/OWASP_Dependency_Check

> --Mark
>
> [1] https://github.com/blog/2470-introducing-security-alerts-on-github
> [2] https://snyk.io/
>
> On Fri, Feb 9, 2018 at 4:06 PM, Anthony Baker <aba...@pivotal.io> wrote:
>
>> Hi all,
>>
>> I’ve got a PR [1] open that updates lots of dependencies. Please review
>> and let me know if you have any concerns. I’d like to merge it early next
>> week barring any objections.
>>
>> Thanks,
>> Anthony
>>
>> [1] https://github.com/apache/geode/pull/1400