Ah! What's CVE stand for then? Re the PR: Sadly, it's more complicated than that, which I'll explain in the PR. Otherwise it would have been done already. It's not too bad if the time is put in though.
On Fri, 19 Apr 2019 at 10:17, Lukasz Cwik <lc...@google.com> wrote:
> Robert, I believe what is being suggested is a tool that integrates into
> CVE reports automatically and tells us if we have a dependency with a
> security issue (not just whether there is a newer version). Also, there is
> a sweet draft PR to add Go modules[1].
>
> 1: https://github.com/apache/beam/pull/8354
>
> On Fri, Apr 19, 2019 at 10:12 AM Robert Burke <rob...@frantil.com> wrote:
>
>> If we move to Go Modules, the go.mod file specifies direct dependencies
>> and versions, and the go.sum file includes checksums of the full transitive
>> set of dependencies. There's likely going to be a tool for detecting if an
>> update is possible, if one doesn't exist in the go tooling already.
>>
>> On Fri, 19 Apr 2019 at 09:44, Lukasz Cwik <lc...@google.com> wrote:
>>
>>> This seems worthwhile IMO.
>>>
>>> Ahmet, Pyup[1] is free for open source projects and has an API that
>>> allows for dependency checking. They can scan Github repos automatically it
>>> seems but it may not be compatible with how Apache permissions with Github
>>> work. I'm not sure if there is such a thing for Go.
>>>
>>> 1: https://pyup.io/
>>>
>>> On Fri, Apr 19, 2019 at 2:31 AM Ismaël Mejía <ieme...@gmail.com> wrote:
>>>
>>>> I want to bring this subject back, any chance we can get this running
>>>> in our main repo maybe on a weekly basis like we do for the dependency
>>>> reports. It looks totally worth it.
>>>>
>>>> On Fri, Mar 1, 2019 at 2:05 AM Ahmet Altay <al...@google.com> wrote:
>>>> >
>>>> > Thank you, I agree this is very important. Does anyone know a similar
>>>> > tool for python and go?
>>>> >
>>>> > On Thu, Feb 28, 2019 at 8:26 AM Etienne Chauchot <echauc...@apache.org> wrote:
>>>> >>
>>>> >> Hi guys,
>>>> >>
>>>> >> I came by this [1] gradle plugin that is a client to the Sonatype
>>>> >> OSS Index CVE database.
>>>> >>
>>>> >> I have set it up here in a branch [2], though the cache is not
>>>> >> configured and the number of requests is limited. It can be run with
>>>> >> "gradle --info audit"
>>>> >>
>>>> >> It could be nice to have something like this to track the CVEs in
>>>> >> the libs we use. I know we have been spammed by libs upgrade automatic
>>>> >> requests in the past but CVE are more important IMHO.
>>>> >>
>>>> >> This plugin is in BSD-3-Clause which is compatible with Apache V2
>>>> >> licence [3]
>>>> >>
>>>> >> WDYT ?
>>>> >>
>>>> >> Etienne
>>>> >>
>>>> >> [1] https://github.com/OSSIndex/ossindex-gradle-plugin
>>>> >> [2] https://github.com/echauchot/beam/tree/cve_audit_plugin
>>>> >> [3] https://www.apache.org/legal/resolved.html
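The Go side of what the thread asks for (Robert's point that go.sum records the pinned module versions, and Lukasz's point that the useful tool matches those pins against advisories rather than just newer releases) can be sketched in a few dozen lines. This is an added illustration written for this page, not code from the Beam PR or any existing tool: the go.sum fragment, the h1: placeholders, the module names and the advisory records are all constructed. One caveat from the go.sum format itself: the file lists every module version the go command ever consulted, not only the ones the build selects, so a real audit should take its module list from `go list -m all` and compare versions with golang.org/x/mod/semver.

```go
package main

import (
	"strconv"
	"strings"
)

// Constructed go.sum fragment (not Beam's); the h1: values are placeholders, not real checksums.
const goSum = `github.com/example/fastjson v1.2.3 h1:PLACEHOLDER=
github.com/example/fastjson v1.2.3/go.mod h1:PLACEHOLDER=
github.com/example/httpx v0.9.0 h1:PLACEHOLDER=`
// Advisory: module path, first fixed version, identifier (constructed samples, not real CVEs).
type Advisory struct{ Module, FixedIn, ID string }
var advisories = []Advisory{
	{"github.com/example/fastjson", "v1.2.4", "EXAMPLE-ADVISORY-1"},
	{"github.com/example/httpx", "v0.8.0", "EXAMPLE-ADVISORY-2"},
}

// parseGoSum maps module -> version, skipping the "/go.mod" checksum lines.
func parseGoSum(content string) map[string]string {
	mods := map[string]string{}
	for _, line := range strings.Split(content, "\n") {
		if f := strings.Fields(line); len(f) == 3 && !strings.HasSuffix(f[1], "/go.mod") {
			mods[f[0]] = f[1]
		}
	}
	return mods
}

// lessThan compares "vX.Y.Z" numerically; pre-release suffixes are not handled (use golang.org/x/mod/semver in real tooling).
func lessThan(a, b string) bool {
	parse := func(v string) (out [3]int) {
		for i, p := range strings.SplitN(strings.TrimPrefix(v, "v"), ".", 3) {
			out[i], _ = strconv.Atoi(p) // non-numeric parts count as 0
		}
		return out
	}
	pa, pb := parse(a), parse(b)
	return pa[0] < pb[0] || pa[0] == pb[0] && (pa[1] < pb[1] || pa[1] == pb[1] && pa[2] < pb[2])
}

// findVulnerable returns advisories whose module is pinned below the fixed version.
func findVulnerable(mods map[string]string, advs []Advisory) (hits []Advisory) {
	for _, a := range advs {
		if v, ok := mods[a.Module]; ok && lessThan(v, a.FixedIn) {
			hits = append(hits, a)
		}
	}
	return hits
}
```

With the constructed inputs, `findVulnerable(parseGoSum(goSum), advisories)` flags only fastjson: httpx is pinned above its fixed version, so a newer-version check would nag about it while an advisory check stays quiet.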