Hi all,
FYI I just submitted a PR [1] to add the CVE audit plugin to the build
as an optional task: gradlew audit --info.
[1] https://github.com/apache/beam/pull/8388
Etienne
On Tuesday 23 April 2019 at 17:25 +0200, Etienne Chauchot wrote:
> Hi,
> should I merge my branch
> https://github.com/echauchot/beam/tree/cve_audit_plugin to master to include
> this tool in the build system then? It will not fail the build but add an audit task to it.
> Etienne
> On Friday 19 April 2019 at 10:54 -0700, Lukasz Cwik wrote:
> > Common Vulnerabilities and Exposures (CVE)
> >
> > On Fri, Apr 19, 2019 at 10:33 AM Robert Burke <rob...@frantil.com> wrote:
> > > Ah! What's CVE stand for then?
> > >
> > > Re the PR: Sadly, it's more complicated than that, which I'll explain in
> > > the PR. Otherwise it would have been done
> > > already. It's not too bad if the time is put in though.
> > > On Fri, 19 Apr 2019 at 10:17, Lukasz Cwik <lc...@google.com> wrote:
> > > > Robert, I believe what is being suggested is a tool that integrates
> > > > into CVE reports automatically and tells us
> > > > if we have a dependency with a security issue (not just whether there
> > > > is a newer version). Also, there is a
> > > > sweet draft PR to add Go modules[1].
> > > > 1: https://github.com/apache/beam/pull/8354
> > > > On Fri, Apr 19, 2019 at 10:12 AM Robert Burke <rob...@frantil.com>
> > > > wrote:
> > > > > If we move to Go Modules, the go.mod file specifies direct
> > > > > dependencies and versions, and the go.sum file
> > > > > includes checksums of the full transitive set of dependencies.
> > > > > There's likely going to be a tool for detecting
> > > > > if an update is possible, if one doesn't exist in the go tooling
> > > > > already.
> > > > > On Fri, 19 Apr 2019 at 09:44, Lukasz Cwik <lc...@google.com> wrote:
> > > > > > This seems worthwhile IMO.
> > > > > > Ahmet, Pyup[1] is free for open source projects and has an API that
> > > > > > allows for dependency checking. They can
> > > > > > scan Github repos automatically it seems but it may not be
> > > > > > compatible with how Apache permissions with
> > > > > > Github work. I'm not sure if there is such a thing for Go.
> > > > > >
> > > > > > 1: https://pyup.io/
> > > > > >
> > > > > > On Fri, Apr 19, 2019 at 2:31 AM Ismaël Mejía <ieme...@gmail.com>
> > > > > > wrote:
> > > > > > > I want to bring this subject back. Any chance we can get this
> > > > > > > running in our main repo, maybe on a weekly basis like we do for the
> > > > > > > dependency reports? It looks totally worth it.
> > > > > > >
> > > > > > > On Fri, Mar 1, 2019 at 2:05 AM Ahmet Altay <al...@google.com>
> > > > > > > wrote:
> > > > > > > >
> > > > > > > > Thank you, I agree this is very important. Does anyone know a
> > > > > > > > similar tool for Python and Go?
> > > > > > > >
> > > > > > > > On Thu, Feb 28, 2019 at 8:26 AM Etienne Chauchot
> > > > > > > > <echauc...@apache.org> wrote:
> > > > > > > > >
> > > > > > > > > Hi guys,
> > > > > > > > >
> > > > > > > > > I came across this [1] Gradle plugin that is a client to the
> > > > > > > > > Sonatype OSS Index CVE database.
> > > > > > > > >
> > > > > > > > > I have set it up here in a branch [2], though the cache is not
> > > > > > > > > configured and the number of requests is limited. It can be run
> > > > > > > > > with "gradle --info audit".
> > > > > > > > >
> > > > > > > > > It could be nice to have something like this to track the CVEs
> > > > > > > > > in the libs we use. I know we have been spammed by automatic lib
> > > > > > > > > upgrade requests in the past, but CVEs are more important IMHO.
> > > > > > > > >
> > > > > > > > > This plugin is under the BSD-3-Clause licence, which is compatible
> > > > > > > > > with the Apache V2 licence [3].
> > > > > > > > >
> > > > > > > > > WDYT?
> > > > > > > > >
> > > > > > > > > Etienne
> > > > > > > > >
> > > > > > > > > [1] https://github.com/OSSIndex/ossindex-gradle-plugin
> > > > > > > > > [2] https://github.com/echauchot/beam/tree/cve_audit_plugin
> > > > > > > > > [3] https://www.apache.org/legal/resolved.html
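The thread describes a build task that asks the Sonatype OSS Index whether any dependency has a known vulnerability, runs under a limited request budget, and (in Etienne's PR) reports without failing the build. The script below is an added example of that workflow, not code from Beam or from the ossindex-gradle-plugin. It assumes the OSS Index v3 component-report API takes a JSON list of package URLs of the form pkg:maven/<group>/<artifact>@<version> and returns one entry per coordinate with a `vulnerabilities` list carrying `id`, `title`, `cvssScore` and an optional `cve`; the endpoint constant, the batch size and the field names are assumptions from my reading of that API, the sample report is constructed, and no network call is made so it runs offline.

```python
"""Dependency CVE triage in the style of the OSS Index audit task discussed above.

Added example, not Beam or ossindex-gradle-plugin code. Request/response shape
follows my understanding of the OSS Index v3 component-report API; field names
are assumptions, and SAMPLE_REPORT is constructed, not real scan output.
"""
import json
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Assumed endpoint; never called here so the example stays offline.
OSSINDEX_COMPONENT_REPORT = "https://ossindex.sonatype.org/api/v3/component-report"
# Placeholder batch size: the service caps coordinates per request and the thread
# notes the request budget is limited, so batching keeps the call count down.
BATCH_SIZE = 128


def to_purl(gav: str) -> str:
    """Convert a Gradle/Maven 'group:artifact:version' string to a package URL."""
    parts = gav.split(":")
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"expected group:artifact:version, got {gav!r}")
    group, artifact, version = parts
    return f"pkg:maven/{group}/{artifact}@{version}"


def build_requests(gavs: Iterable[str], batch_size: int = BATCH_SIZE) -> List[str]:
    """Return one JSON request body per batch of coordinates."""
    purls = [to_purl(g) for g in gavs]
    return [
        json.dumps({"coordinates": purls[i:i + batch_size]})
        for i in range(0, len(purls), batch_size)
    ]


@dataclass(frozen=True)
class Finding:
    coordinate: str
    vuln_id: str
    title: str
    cvss: float
    cve: str  # empty when the entry has no CVE assigned


def triage(report: List[Dict], min_cvss: float) -> List[Finding]:
    """Flatten a component report into findings scoring >= min_cvss, worst first."""
    findings = []
    for entry in report:
        for vuln in entry.get("vulnerabilities", []):
            score = float(vuln.get("cvssScore", 0.0))
            if score >= min_cvss:
                findings.append(Finding(
                    coordinate=entry["coordinates"],
                    vuln_id=vuln.get("id", ""),
                    title=vuln.get("title", ""),
                    cvss=score,
                    cve=vuln.get("cve") or "",
                ))
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def should_fail(findings: List[Finding], fail_on_error: bool) -> bool:
    """Report-only mode (fail_on_error=False) mirrors the thread's 'does not fail
    the build' setting; flip it once the dependency set is clean."""
    return fail_on_error and bool(findings)


# Constructed sample response: placeholder coordinates and ids, not real advisories.
SAMPLE_REPORT = [
    {
        "coordinates": "pkg:maven/com.example/widget@1.0.0",
        "vulnerabilities": [
            {"id": "CONSTRUCTED-0001", "title": "Deserialization of untrusted data",
             "cvssScore": 9.8},
            {"id": "CONSTRUCTED-0002", "title": "Verbose error disclosure",
             "cvssScore": 4.3},
        ],
    },
    {"coordinates": "pkg:maven/com.example/clean-lib@2.3.1", "vulnerabilities": []},
]


def main() -> None:
    gavs = ["com.example:widget:1.0.0", "com.example:clean-lib:2.3.1"]
    print("request bodies:", build_requests(gavs))
    findings = triage(SAMPLE_REPORT, min_cvss=7.0)
    for f in findings:
        print(f"{f.cvss:>4} {f.coordinate} {f.vuln_id}: {f.title}")
    print("fail build:", should_fail(findings, fail_on_error=False))


if __name__ == "__main__":
    main()
```

In a real build the body from build_requests would be POSTed to the endpoint above and the JSON array handed to triage; keeping the threshold and fail_on_error as explicit parameters is what lets the task start in report-only mode and be tightened later without changing the scan itself.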