Re: Updating dependencies

2018-02-13 Thread Anthony Baker
Interesting idea.  I’m also looking at
https://github.com/nebula-plugins/gradle-dependency-lock-plugin.

Anthony


> On Feb 13, 2018, at 8:15 AM, John Blum  wrote:
> 
> Ever consider inheriting from *Spring Boot's* dependency BOM file [1] by
> applying the *Spring *Dependencies Management Gradle Plugin?  The advantage
> of plugin over this [2] is that you are guaranteed to get a curated and
> harmonized list of *Spring* and 3rd party (transitive) dependencies that
> have all been tested and proven to work together.  This is the fundamental
> basis for the *Spring IO Platform*. [3]
> 
> General guidance can be found here [4], and you may specifically be
> interested in this [5].  You can learn more here [6].
> 
> -j
> 
> 
> [1] https://docs.spring.io/spring-boot/docs/2.0.0.RC1/gradle-plugin/reference/html/#reacting-to-other-plugins-dependency-management
> [2] https://github.com/apache/geode/blob/rel/v1.4.0/gradle/dependency-versions.properties
> [3] https://platform.spring.io/platform/
> [4] https://docs.spring.io/spring-boot/docs/2.0.0.RC1/gradle-plugin/reference/html/#managing-dependencies
> [5] https://docs.spring.io/spring-boot/docs/2.0.0.RC1/gradle-plugin/reference/html/#managing-dependencies-using-in-isolation
> [6] https://github.com/spring-gradle-plugins/dependency-management-plugin/blob/master/README.md
> 
> 
> On Mon, Feb 12, 2018 at 2:14 PM, Mark Bretl  wrote:
> 
>> OWASP is good too, even has a Gradle plugin [1]
>> 
>> --Mark
>> 
>> [1] https://github.com/jeremylong/dependency-check-gradle
>> 
>> On Mon, Feb 12, 2018 at 12:36 PM, Anthony Baker  wrote:
>> 
>>> 
>>> 
>>>> On Feb 12, 2018, at 12:29 PM, Mark Bretl  wrote:
>>>> 
>>>> Late to the game here, as I see this was merged today…
>>>> 
>>> 
>>> Comments always appreciated :-)
>>> 
>>>> The addition of the Gradle versions plugin is good and hopefully we can go
>>>> farther down the path of dependency scanning by adding security as well.
>>>> Currently, GitHub has this setup for Ruby and JavaScript [1], however it is
>>>> lacking Java dependencies. Until GitHub can support Java dependencies, I
>>>> would suggest we look at other tools, such as snyk.io [2], for tracking our
>>>> dependencies with security vulnerabilities.
>>>> 
>>> 
>>> dependency-check [1] from OWASP is pretty nice and easy to run
>>> automatically in a pipeline.
>>> 
>>> Anthony
>>> 
>>> [1] https://www.owasp.org/index.php/OWASP_Dependency_Check
>>> 
>>> 
>>>> --Mark
>>>> 
>>>> [1] https://github.com/blog/2470-introducing-security-alerts-on-github
>>>> [2] https://snyk.io/
>>>> 
>>>> On Fri, Feb 9, 2018 at 4:06 PM, Anthony Baker  wrote:
>>>> 
>>>>> Hi all,
>>>>> 
>>>>> I’ve got a PR [1] open that updates lots of dependencies.  Please review
>>>>> and let me know if you have any concerns.  I’d like to merge it early next
>>>>> week barring any objections.
>>>>> 
>>>>> Thanks,
>>>>> Anthony
>>>>> 
>>>>> [1] https://github.com/apache/geode/pull/1400
>>>>> 
>>>>> 
>>> 
>>> 
>> 
> 
> 
> 
> -- 
> -John
> john.blum10101 (skype)



Re: Updating dependencies

2018-02-13 Thread John Blum
Ever consider inheriting from *Spring Boot's* dependency BOM file [1] by
applying the *Spring *Dependencies Management Gradle Plugin?  The advantage
of plugin over this [2] is that you are guaranteed to get a curated and
harmonized list of *Spring* and 3rd party (transitive) dependencies that
have all been tested and proven to work together.  This is the fundamental
basis for the *Spring IO Platform*. [3]

General guidance can be found here [4], and you may specifically be
interested in this [5].  You can learn more here [6].

-j


[1] https://docs.spring.io/spring-boot/docs/2.0.0.RC1/gradle-plugin/reference/html/#reacting-to-other-plugins-dependency-management
[2] https://github.com/apache/geode/blob/rel/v1.4.0/gradle/dependency-versions.properties
[3] https://platform.spring.io/platform/
[4] https://docs.spring.io/spring-boot/docs/2.0.0.RC1/gradle-plugin/reference/html/#managing-dependencies
[5] https://docs.spring.io/spring-boot/docs/2.0.0.RC1/gradle-plugin/reference/html/#managing-dependencies-using-in-isolation
[6] https://github.com/spring-gradle-plugins/dependency-management-plugin/blob/master/README.md


On Mon, Feb 12, 2018 at 2:14 PM, Mark Bretl  wrote:

> OWASP is good too, even has a Gradle plugin [1]
>
> --Mark
>
> [1] https://github.com/jeremylong/dependency-check-gradle
>
> On Mon, Feb 12, 2018 at 12:36 PM, Anthony Baker  wrote:
>
> >
> >
> > > On Feb 12, 2018, at 12:29 PM, Mark Bretl  wrote:
> > >
> > > Late to the game here, as I see this was merged today…
> > >
> >
> > Comments always appreciated :-)
> >
> > > The addition of the Gradle versions plugin is good and hopefully we can go
> > > farther down the path of dependency scanning by adding security as well.
> > > Currently, GitHub has this setup for Ruby and JavaScript [1], however it is
> > > lacking Java dependencies. Until GitHub can support Java dependencies, I
> > > would suggest we look at other tools, such as snyk.io [2], for tracking our
> > > dependencies with security vulnerabilities.
> > >
> >
> > dependency-check [1] from OWASP is pretty nice and easy to run
> > automatically in a pipeline.
> >
> > Anthony
> >
> > [1] https://www.owasp.org/index.php/OWASP_Dependency_Check
> >
> >
> > > --Mark
> > >
> > > [1] https://github.com/blog/2470-introducing-security-alerts-on-github
> > > [2] https://snyk.io/
> > >
> > > On Fri, Feb 9, 2018 at 4:06 PM, Anthony Baker  wrote:
> > >
> > >> Hi all,
> > >>
> > >> I’ve got a PR [1] open that updates lots of dependencies.  Please review
> > >> and let me know if you have any concerns.  I’d like to merge it early next
> > >> week barring any objections.
> > >>
> > >> Thanks,
> > >> Anthony
> > >>
> > >> [1] https://github.com/apache/geode/pull/1400
> > >>
> > >>
> >
> >
>



-- 
-John
john.blum10101 (skype)
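Added example, not code from this thread or from the Geode build: a minimal build.gradle that does what John describes above, applying the Spring Dependency Management plugin on its own (the "in isolation" case in [5]) and importing the Spring Boot 2.0.0.RC1 BOM, so that dependency versions come from the curated, tested set instead of a hand-maintained dependency-versions.properties. The plugin version and the `com.example` override coordinates are assumptions chosen for illustration; the BOM coordinates and the Spring milestone repository are the standard ones for a Spring Boot release candidate.

```groovy
plugins {
    id 'java'
    // Spring Dependency Management plugin; the version here is an assumption for illustration
    id 'io.spring.dependency-management' version '1.0.4.RELEASE'
}

repositories {
    mavenCentral()
    // 2.0.0.RC1 is a milestone build, so the BOM itself lives in the Spring milestone repository
    maven { url 'https://repo.spring.io/milestone' }
}

dependencyManagement {
    imports {
        // Import Spring Boot's BOM: every artifact it manages gets its version from here,
        // including transitive dependencies, so the resolved graph is the one Spring tested together
        mavenBom 'org.springframework.boot:spring-boot-dependencies:2.0.0.RC1'
    }
    dependencies {
        // A local declaration still wins over the BOM. This is where you pin a single
        // artifact to a patched release when an advisory lands before the next BOM does.
        // (placeholder coordinates for illustration)
        dependency 'com.example:some-library:1.2.3'
    }
}

dependencies {
    // No versions here: the BOM supplies them and keeps them consistent across modules
    compile 'org.springframework:spring-core'
    compile 'com.fasterxml.jackson.core:jackson-databind'
    testCompile 'junit:junit'
}

// Handy for review: show which version the BOM actually resolved for an artifact,
// so a dependency bump in the BOM is visible without reading the POM by hand
task printManagedVersions {
    doLast {
        ['org.springframework:spring-core',
         'com.fasterxml.jackson.core:jackson-databind',
         'junit:junit'].each { ga ->
            println "${ga} -> ${dependencyManagement.managedVersions[ga]}"
        }
    }
}
```

Run `./gradlew printManagedVersions` to see the versions the BOM imposes, and `./gradlew dependencies --configuration compile` to confirm the transitive graph matches. Keeping local overrides in the `dependencyManagement.dependencies` block rather than inline on each declaration makes it obvious during review where the project deliberately diverges from the curated set.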


Re: Updating dependencies

2018-02-12 Thread Mark Bretl
OWASP is good too, even has a Gradle plugin [1]

--Mark

[1] https://github.com/jeremylong/dependency-check-gradle

On Mon, Feb 12, 2018 at 12:36 PM, Anthony Baker  wrote:

>
>
> > On Feb 12, 2018, at 12:29 PM, Mark Bretl  wrote:
> >
> > Late to the game here, as I see this was merged today…
> >
>
> Comments always appreciated :-)
>
> > The addition of the Gradle versions plugin is good and hopefully we can go
> > farther down the path of dependency scanning by adding security as well.
> > Currently, GitHub has this setup for Ruby and JavaScript [1], however it is
> > lacking Java dependencies. Until GitHub can support Java dependencies, I
> > would suggest we look at other tools, such as snyk.io [2], for tracking our
> > dependencies with security vulnerabilities.
> >
>
> dependency-check [1] from OWASP is pretty nice and easy to run
> automatically in a pipeline.
>
> Anthony
>
> [1] https://www.owasp.org/index.php/OWASP_Dependency_Check
>
>
> > --Mark
> >
> > [1] https://github.com/blog/2470-introducing-security-alerts-on-github
> > [2] https://snyk.io/
> >
> > On Fri, Feb 9, 2018 at 4:06 PM, Anthony Baker  wrote:
> >
> >> Hi all,
> >>
> >> I’ve got a PR [1] open that updates lots of dependencies.  Please review
> >> and let me know if you have any concerns.  I’d like to merge it early next
> >> week barring any objections.
> >>
> >> Thanks,
> >> Anthony
> >>
> >> [1] https://github.com/apache/geode/pull/1400
> >>
> >>
>
>


Re: Updating dependencies

2018-02-12 Thread Anthony Baker


> On Feb 12, 2018, at 12:29 PM, Mark Bretl  wrote:
> 
> Late to the game here, as I see this was merged today…
> 

Comments always appreciated :-)

> The addition of the Gradle versions plugin is good and hopefully we can go
> farther down the path of dependency scanning by adding security as well.
> Currently, GitHub has this setup for Ruby and JavaScript [1], however it is
> lacking Java dependencies. Until GitHub can support Java dependencies, I
> would suggest we look at other tools, such as snyk.io [2], for tracking our
> dependencies with security vulnerabilities.
> 

dependency-check [1] from OWASP is pretty nice and easy to run automatically in 
a pipeline.

Anthony

[1] https://www.owasp.org/index.php/OWASP_Dependency_Check 



> --Mark
> 
> [1] https://github.com/blog/2470-introducing-security-alerts-on-github
> [2] https://snyk.io/
> 
> On Fri, Feb 9, 2018 at 4:06 PM, Anthony Baker  wrote:
> 
>> Hi all,
>> 
>> I’ve got a PR [1] open that updates lots of dependencies.  Please review
>> and let me know if you have any concerns.  I’d like to merge it early next
>> week barring any objections.
>> 
>> Thanks,
>> Anthony
>> 
>> [1] https://github.com/apache/geode/pull/1400
>> 
>> 
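Added example, not code from this thread or from the Geode project, covering both Mark's pointer to the dependency-check Gradle plugin and Anthony's point above about running dependency-check automatically in a pipeline: a build.gradle that applies the plugin, fails the build when a finding reaches a chosen CVSS score, and hooks the scan into the normal `check` lifecycle so every CI build runs it. The plugin version, the CVSS threshold, the suppression-file path and the sample dependency are assumptions chosen for illustration.

```groovy
plugins {
    id 'java'
    // OWASP dependency-check Gradle plugin; the version here is an assumption for illustration
    id 'org.owasp.dependencycheck' version '3.1.1'
}

repositories {
    mavenCentral()
}

dependencies {
    // Sample dependency so the scan has something to analyze (constructed for the example)
    compile 'org.apache.commons:commons-lang3:3.7'
}

dependencyCheck {
    // Fail the build when any dependency carries a known CVE with CVSS >= 7.
    // The threshold is a policy choice: 0 fails on anything, a higher value only on severe findings.
    failBuildOnCVSS = 7

    // Findings triaged as false positives go into a suppression file committed to the repo,
    // so the decision is reviewed like any other change (path is an assumption)
    suppressionFile = 'gradle/dependency-check-suppressions.xml'

    // HTML for people reading the report, plus the machine-readable formats for the pipeline
    format = 'ALL'
    outputDirectory = "${buildDir}/reports/dependency-check"

    // Test-only configurations do not ship; skipping them keeps the report focused on
    // what actually ends up in the artifact
    skipTestGroups = true
}

// Make the scan part of `check` so `./gradlew build` (and therefore CI) cannot skip it
check.dependsOn dependencyCheckAnalyze
```

`./gradlew dependencyCheckAnalyze` runs the scan on its own; the first run downloads the NVD data, so a CI job should cache `~/.gradle` or the plugin's data directory to keep subsequent runs fast, and `./gradlew dependencyCheckUpdate` refreshes that data without re-scanning. The `failBuildOnCVSS` gate is what turns the report into an enforced control rather than a document nobody reads; keep the suppression file small and annotate each entry with why the finding does not apply.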



Re: Updating dependencies

2018-02-12 Thread Mark Bretl
Late to the game here, as I see this was merged today...

The addition of the Gradle versions plugin is good and hopefully we can go
farther down the path of dependency scanning by adding security as well.
Currently, GitHub has this setup for Ruby and JavaScript [1], however it is
lacking Java dependencies. Until GitHub can support Java dependencies, I
would suggest we look at other tools, such as snyk.io [2], for tracking our
dependencies with security vulnerabilities.

--Mark

[1] https://github.com/blog/2470-introducing-security-alerts-on-github
[2] https://snyk.io/

On Fri, Feb 9, 2018 at 4:06 PM, Anthony Baker  wrote:

> Hi all,
>
> I’ve got a PR [1] open that updates lots of dependencies.  Please review
> and let me know if you have any concerns.  I’d like to merge it early next
> week barring any objections.
>
> Thanks,
> Anthony
>
> [1] https://github.com/apache/geode/pull/1400
>
>