Hey Dave - I pointed Snyk at Accumulo's GitHub repo using the link [1] you provided, and it claimed we have 0 vulnerabilities via 0 paths. It doesn't look like it actually did a scan of our repo, since the page returned instantly with those results. They do provide the markup to put the 0-vulnerabilities badge in our README though... so I guess we can? Also, Snyk has another page that asks for GitHub permissions that seem rather extraneous. I stopped here because I did not want to give them permissions to write code to my repos.
[1] https://snyk.io/test

On Wed, Aug 29, 2018 at 1:56 PM Dave Wichers <dave.wich...@owasp.org> wrote:

> I previously provided feedback to the priv...@accumulo.apache.org list about use of known vulnerable dependencies in Accumulo.
>
> I'd like to recommend the project experiment with and then adopt use of one of the free for open source commercial tools.
>
> I've been using these two:
>
> - https://snyk.io/test - Free forever for open source
> - https://www.sourceclear.com - 30 day trial only - unfortunately
>
> Sonatype is working on a free for open source capability, but it is still under development.
>
> There is of course OWASP Dependency Check, which I understand the project is using already, but Snyk in my experience is WAY better.
>
> GitHub itself has tools for doing this per:
> https://help.github.com/articles/viewing-and-updating-vulnerable-dependencies-in-your-repository/
>
> But apparently it only supports Ruby GEMS and Node.js as you can see here: https://github.com/apache/accumulo/network/dependencies. As such, this won't help Accumulo until they add Java support.
>
> So, for now, unless someone finds something else (or better), I'd recommend Snyk.
>
> I'd also recommend trying out: https://dependabot.com/ - This free tool can automatically generate pull requests for your project each time it identifies when an upgrade to any component your project uses becomes available. It supports TONS of languages, including Java.
>
> I'd like to work with you on this and/or get your feedback on what works/doesn't work, how to make their use easier/etc.
>
> -Dave
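Dave mentions that the project already uses OWASP Dependency Check, and the reply above makes the point that a scan which reports 0 findings instantly deserves a second look. The following is an added example, not from this thread and not Accumulo's own pom.xml, of wiring the dependency-check-maven plugin into a Maven build so that the scan demonstrably runs in CI, fails the build on high-severity findings, and leaves a report that can be inspected. The plugin version is a placeholder and the suppression file path is an assumption.

```xml
<!-- Added example (not from the thread or from Accumulo's pom.xml):
     run OWASP Dependency Check on every `mvn verify` and fail the build
     on any dependency with a known CVE scored CVSS 7.0 or higher.
     Plugin version is a placeholder; the suppression file path is assumed. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <!-- placeholder: pin to a current release of the plugin -->
      <version>REPLACE_WITH_CURRENT_RELEASE</version>
      <configuration>
        <!-- Fail the build when a dependency carries a CVE of CVSS 7.0 or above -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
        <!-- Test-scoped dependencies do not ship with the product; skip them to cut noise -->
        <skipTestScope>true</skipTestScope>
        <!-- Reviewed false positives are recorded in a version-controlled suppression
             file (assumed path) so every suppression is visible in code review -->
        <suppressionFiles>
          <suppressionFile>${project.basedir}/dependency-check-suppressions.xml</suppressionFile>
        </suppressionFiles>
      </configuration>
      <executions>
        <execution>
          <!-- the `check` goal binds to the verify phase by default -->
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

With this in place, `mvn verify` performs the scan and writes `target/dependency-check-report.html`, so a reviewer can confirm which artifacts were actually analysed rather than trusting a badge. The first run has to download NVD data and takes noticeably longer than later runs; a scan that finishes in a second or two with no report is the same warning sign the reply describes for the hosted Snyk page.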