OWASP is good too, even has a Gradle plugin [1]

--Mark

[1] https://github.com/jeremylong/dependency-check-gradle

On Mon, Feb 12, 2018 at 12:36 PM, Anthony Baker <aba...@pivotal.io> wrote:

>
> > On Feb 12, 2018, at 12:29 PM, Mark Bretl <asf.mbr...@gmail.com> wrote:
> >
> > Late to the game here, as I see this was merged today…
> >
> > Comments always appreciated :-)
> >
> > The addition of the Gradle versions plugin is good and hopefully we can go
> > farther down the path of dependency scanning by adding security as well.
> > Currently, GitHub has this setup for Ruby and JavaScript [1], however it is
> > lacking Java dependencies. Until GitHub can support Java dependencies, I
> > would suggest we look at other tools, such as snyk.io [2], for tracking our
> > dependencies with security vulnerabilities.
> >
>
> dependency-check [1] from OWASP is pretty nice and easy to run
> automatically in a pipeline.
>
> Anthony
>
> [1] https://www.owasp.org/index.php/OWASP_Dependency_Check
>
> > --Mark
> >
> > [1] https://github.com/blog/2470-introducing-security-alerts-on-github
> > [2] https://snyk.io/
> >
> > On Fri, Feb 9, 2018 at 4:06 PM, Anthony Baker <aba...@pivotal.io> wrote:
> >
> >> Hi all,
> >>
> >> I’ve got a PR [1] open that updates lots of dependencies. Please review
> >> and let me know if you have any concerns. I’d like to merge it early next
> >> week barring any objections.
> >>
> >> Thanks,
> >> Anthony
> >>
> >> [1] https://github.com/apache/geode/pull/1400
> >>
> >>
> >
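The thread mentions the OWASP dependency-check Gradle plugin but does not show how it is wired into a build. The following is an added example of a minimal Gradle (Groovy DSL) build script that applies the plugin and turns the scan into a pipeline gate; it is not Apache Geode's build file and was not posted by anyone in the thread. The plugin id `org.owasp.dependencycheck`, the `dependencyCheck` extension and the `dependencyCheckAnalyze` task are the plugin's own; the plugin version, the sample dependency, the CVSS threshold, the suppression-file path and the `NVD_API_KEY` environment variable name are choices made here for illustration.

```groovy
// Added example, not Apache Geode's build.gradle and not code from the thread.
// Wires the OWASP dependency-check Gradle plugin into a Java build so that a
// vulnerable dependency fails `./gradlew check` instead of only producing a report.
plugins {
    id 'java'
    // Version is a placeholder; pin whatever the plugin's release page currently lists.
    id 'org.owasp.dependencycheck' version '9.0.9'
}

repositories {
    mavenCentral()
}

dependencies {
    // Sample dependency (assumed) so the scan has something to analyze.
    implementation 'org.apache.commons:commons-lang3:3.14.0'
}

dependencyCheck {
    // Fail the build when any finding scores at or above this CVSS value.
    // The plugin's default is 11, i.e. never fail; lowering it makes the scan a gate.
    failBuildOnCVSS = 7

    // Suppressions for findings that were reviewed and accepted as false positives.
    // The path is hypothetical; the file uses the plugin's XML suppression schema.
    suppressionFile = 'config/dependency-check-suppressions.xml'

    // HTML for humans, JSON for the pipeline to parse.
    formats = ['HTML', 'JSON']

    // Recent plugin versions (9.x and later) fetch NVD data through an API key;
    // reading it from the environment keeps it out of the build script.
    nvd {
        apiKey = System.getenv('NVD_API_KEY')
    }
}

// Hook the scan into the regular check lifecycle so `./gradlew check` runs it.
tasks.named('check') {
    dependsOn 'dependencyCheckAnalyze'
}
```

Run `./gradlew dependencyCheckAnalyze` to scan on its own; with the `check` hook above, `./gradlew build` also fails once any dependency carries a finding at or above the configured CVSS score. Reports land under `build/reports/` by default. The suppression file is the part worth reviewing in pull requests, since an over-broad suppression silently disables the gate for the artifact it matches.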