Re: CVE audit gradle plugin

2019-04-26 Thread Etienne Chauchot
Hi all,
Just to let you know, you can now check the vulnerabilities in libraries by 
running gradlew audit --info. It is a separate task that is not in the 
dependencies of the build (the normal build will not fail if there are 
vulnerabilities found). When you run it, it gives an output similar to 
mvn dependency:tree with a red vulnerability arrow, and the build fails in 
case of vulnerabilities found. If there is none, the build succeeds.
For now, there is no more than that, but it can be included into Jenkins. As 
we did not agree on something, I did not do the integration.
WDYT?
Etienne

Re: CVE audit gradle plugin

2019-04-24 Thread Etienne Chauchot
Hi all, FYI I just submitted a PR [1] to add the CVE audit plugin to the build 
as an optional task, gradlew audit --info.
[1] https://github.com/apache/beam/pull/8388
Etienne


Re: CVE audit gradle plugin

2019-04-23 Thread Etienne Chauchot
Hi, should I merge my branch 
https://github.com/echauchot/beam/tree/cve_audit_plugin to master to include 
this tool in the build system then? It will not fail the build but add an 
audit task to it.
Etienne


Re: CVE audit gradle plugin

2019-04-19 Thread Lukasz Cwik
Common Vulnerabilities and Exposures (CVE)


Re: CVE audit gradle plugin

2019-04-19 Thread Robert Burke
Ah! What's CVE stand for then?

Re the PR: Sadly, it's more complicated than that, which I'll explain in
the PR. Otherwise it would have been done already. It's not too bad if the
time is put in though.



Re: CVE audit gradle plugin

2019-04-19 Thread Lukasz Cwik
Robert, I believe what is being suggested is a tool that integrates into
CVE reports automatically and tells us if we have a dependency with a
security issue (not just whether there is a newer version). Also, there is
a sweet draft PR to add Go modules[1].

1: https://github.com/apache/beam/pull/8354



Re: CVE audit gradle plugin

2019-04-19 Thread Robert Burke
If we move to Go Modules, the go.mod file specifies direct dependencies and
versions, and the go.sum file includes checksums of the full transitive set
of dependencies. There's likely going to be a tool for detecting if an
update is possible, if one doesn't exist in the go tooling already.

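
The audit task Etienne describes in the 2019-04-26 message at the top of the thread (look every dependency up in the OSS Index, flag the vulnerable ones, fail the audit task and nothing else) and the go.mod/go.sum point in this message come down to the same mechanics: turn the build's coordinates into package URLs, send them to the OSS Index component-report API in batches, cache the answers so the request limit Etienne mentions is not spent again on every run, and decide pass/fail. The Python below is an added example written for this page; it is not code from the ossindex-gradle-plugin, from Apache Beam or from any poster. It assumes the OSS Index v3 endpoint, the 128-coordinate per-request limit and the response shape (a list of objects with `coordinates` and a `vulnerabilities` list carrying `id`, `cve`, `title` and `cvssScore`) as I recall them, and the purl conventions `pkg:maven/group/artifact@version` and `pkg:golang/module@version`. The artifact names, go.sum lines, vulnerability id and title are constructed placeholders, not real components or CVEs.

```python
"""Offline model of a dependency CVE audit: coordinates -> package URLs ->
batched, cached OSS Index component-report lookups -> pass/fail.
Added example for this thread, not code from ossindex-gradle-plugin or Beam."""
import json
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Dict, List, NamedTuple

# OSS Index v3 endpoint and per-request coordinate limit as I recall them (assumptions).
OSSINDEX_URL = "https://ossindex.sonatype.org/api/v3/component-report"
MAX_COORDINATES_PER_REQUEST = 128

def maven_purl(coordinate: str) -> str:
    """'group:artifact:version' (Gradle/Maven notation) -> purl."""
    group, artifact, version = coordinate.split(":")
    return f"pkg:maven/{group}/{artifact}@{version}"

def gosum_purls(gosum_text: str) -> List[str]:
    """go.sum lines ('module version h1:hash') -> golang purls, deduplicated.
    The h1: hash is an integrity check the index does not need, and the
    '/go.mod' entry names the same version, so only module@version is kept."""
    seen: Dict[str, None] = {}
    for line in gosum_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].startswith("h1:"):
            continue  # blank or malformed line
        module, version = parts[0], parts[1]
        if version.endswith("/go.mod"):
            version = version[:-len("/go.mod")]
        seen.setdefault(f"pkg:golang/{module}@{version}", None)
    return list(seen)

def batches(items: list, size: int = MAX_COORDINATES_PER_REQUEST) -> List[list]:
    """Split coordinates so no single request exceeds the per-request limit."""
    return [items[i:i + size] for i in range(0, len(items), size)]

def ossindex_fetch(coordinates: List[str]) -> List[dict]:
    """Live client: POST {"coordinates": [...]}; returns the JSON report list.
    Not used by the offline sample below."""
    req = urllib.request.Request(
        OSSINDEX_URL, data=json.dumps({"coordinates": coordinates}).encode(),
        headers={"Content-Type": "application/json", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

# (purl, vulnerability id or CVE, CVSS score)
Finding = NamedTuple("Finding", [("purl", str), ("vuln_id", str), ("cvss_score", float)])

@dataclass
class Audit:
    """fetch(coordinates) returns reports in the OSS Index v3 shape; cached per purl."""
    fetch: Callable[[List[str]], List[dict]]
    cache: Dict[str, dict] = field(default_factory=dict)
    requests_made: int = 0

    def report(self, purls: List[str]) -> Dict[str, dict]:
        """Fetch only what the cache lacks, in batches, and return reports by purl."""
        missing = [p for p in dict.fromkeys(purls) if p not in self.cache]
        for batch in batches(missing):
            self.requests_made += 1
            for component in self.fetch(batch):
                self.cache[component["coordinates"]] = component
        return {p: self.cache[p] for p in purls if p in self.cache}

    def findings(self, purls: List[str], min_cvss: float = 0.0) -> List[Finding]:
        out: List[Finding] = []
        for purl, component in self.report(purls).items():
            for v in component.get("vulnerabilities", []):
                score = float(v.get("cvssScore") or 0.0)
                if score >= min_cvss:
                    out.append(Finding(purl, v.get("cve") or v["id"], score))
        return out

    def passes(self, purls: List[str], min_cvss: float = 0.0) -> bool:
        """Same rule as the audit task: any finding fails the audit, nothing else does."""
        return not self.findings(purls, min_cvss)

# Constructed sample data: placeholder components, not real modules or CVEs.
CONSTRUCTED_GOSUM = """\
github.com/example/alpha v1.2.3 h1:constructedhashA=
github.com/example/alpha v1.2.3/go.mod h1:constructedhashB=
github.com/example/beta v0.4.0 h1:constructedhashC=
"""
CONSTRUCTED_REPORTS = {
    "pkg:maven/com.example/widget@1.0.0": {
        "coordinates": "pkg:maven/com.example/widget@1.0.0",
        "vulnerabilities": [{"id": "constructed-0001", "cve": None,
                             "title": "constructed finding", "cvssScore": 7.5}],
    },
}

def constructed_fetch(coordinates: List[str]) -> List[dict]:
    """Stand-in for ossindex_fetch so the example runs offline."""
    return [CONSTRUCTED_REPORTS.get(c, {"coordinates": c, "vulnerabilities": []})
            for c in coordinates]

def sample_purls() -> List[str]:
    """The constructed build: two Maven artifacts plus the go.sum modules."""
    return [maven_purl("com.example:widget:1.0.0"),
            maven_purl("com.example:gadget:2.1.0")] + gosum_purls(CONSTRUCTED_GOSUM)

if __name__ == "__main__":
    audit = Audit(fetch=constructed_fetch)
    print("audit passed:", audit.passes(sample_purls()))
```

Running the file prints `audit passed: False` because the constructed widget report carries one finding; `Audit(fetch=ossindex_fetch)` with the same purls would query the live index instead. The cache is what makes the "number of requests is limited" caveat from Etienne's original message tolerable in CI: a second `passes()` call on the same coordinates sends nothing, and `min_cvss` lets a team gate on severity without changing the rule that only the audit task, never the normal build, fails.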


Re: CVE audit gradle plugin

2019-04-19 Thread Lukasz Cwik
This seems worthwhile IMO.

Ahmet, Pyup[1] is free for open source projects and has an API that allows
for dependency checking. They can scan Github repos automatically it seems
but it may not be compatible with how Apache permissions with Github work.
I'm not sure if there is such a thing for Go.

1: https://pyup.io/



Re: CVE audit gradle plugin

2019-04-19 Thread Ismaël Mejía
I want to bring this subject back, any chance we can get this running
in our main repo maybe on a weekly basis like we do for the dependency
reports. It looks totally worth it.



Re: CVE audit gradle plugin

2019-02-28 Thread Ahmet Altay
Thank you, I agree this is very important. Does anyone know a similar tool
for python and go?

On Thu, Feb 28, 2019 at 8:26 AM Etienne Chauchot 
wrote:

> Hi guys,
>
> I came by this [1] gradle plugin that is a client to the Sonatype OSS
> Index CVE database.
>
> I have set it up here in a branch [2], though the cache is not configured
> and the number of requests is limited. It can be run with "gradle --info
> audit"
>
> It could be nice to have something like this to track the CVEs in the libs
> we use. I know we have been spammed by libs upgrade automatic requests in
> the past but CVE are more important IMHO.
>
> This plugin is in BSD-3-Clause which is compatible with Apache V2 licence
> [3]
>
> WDYT?
>
> Etienne
>
> [1] https://github.com/OSSIndex/ossindex-gradle-plugin
> [2] https://github.com/echauchot/beam/tree/cve_audit_plugin
> [3] https://www.apache.org/legal/resolved.html
>