Past work added an audit plugin for Java [1]. I reached out to PyUp and they have a free tool to use which can check the set of Python dependencies we have for CVE errors. The tool works by scanning a text file of dependencies and checking it against a CVE database. There is also support for integration with various web based systems which we don't use. There is a paid version which gives you the same features but the CVE database you get access to is updated more frequently (free = monthly?, paid = daily?).

Has anyone been using the integration for Java added in [1] and has it been generally useful? Should we try adding PyUp to validate Beam Python's dependencies?

1: https://lists.apache.org/thread.html/a3550051d1b7ce4454c586d1f806cd799a1ccc8776f3857308a2fc09%40%3Cdev.beam.apache.org%3E
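The mechanism the post describes (read a requirements file, compare each pinned version against a vulnerability database, report matches) is small enough to show end to end. The script below is an added illustration, not PyUp's tool or any Beam code: the advisory table and the requirements text are constructed inline with placeholder advisory ids, the version comparison handles only dotted numeric releases, and a real audit would of course consult a maintained database rather than a hard-coded dict. It also flags unpinned requirements, since a floating version cannot be checked exactly and is a gap a reviewer would want to see in the report.

```python
"""Minimal dependency audit: parse a requirements file, compare pinned
versions against a vulnerability database, report findings.
Added example; the data below is constructed and is not PyUp's."""

import operator
import re

# Constructed advisory database with placeholder ids (not real CVEs).
# package name -> list of (vulnerable version range, advisory id)
ADVISORIES = {
    "examplelib": [("<1.2.0", "PLACEHOLDER-ADV-0001")],
    "otherpkg": [(">=2.0,<2.3.1", "PLACEHOLDER-ADV-0002")],
}

# Constructed sample requirements.txt content.
REQUIREMENTS = """\
# constructed sample requirements file
examplelib==1.1.5
otherpkg==2.3.1
safepkg==0.9
unpinned>=1.0
"""

_OPS = {
    "<": operator.lt, "<=": operator.le,
    ">": operator.gt, ">=": operator.ge, "==": operator.eq,
}


def parse_version(v):
    """Turn '1.2.0' into a comparable tuple; trailing zeros are dropped
    so that 2.3 and 2.3.0 compare equal (dotted numeric releases only)."""
    parts = [int(p) for p in v.strip().split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def version_matches(version, spec):
    """True when `version` satisfies every comma-separated clause in `spec`,
    e.g. version_matches('2.2', '>=2.0,<2.3.1') -> True."""
    ver = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|<|>)\s*([0-9.]+)\s*", clause)
        if not m:
            raise ValueError("unsupported spec clause: %r" % clause)
        op, bound = m.groups()
        if not _OPS[op](ver, parse_version(bound)):
            return False
    return True


def parse_requirements(text):
    """Yield (name, version) per requirement line; version is None for
    anything that is not an exact '==' pin. Comments and blanks are skipped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.\-]+)\s*==\s*([0-9.]+)", line)
        if m:
            yield m.group(1).lower(), m.group(2)
        else:
            name = re.match(r"[A-Za-z0-9_.\-]+", line).group(0)
            yield name.lower(), None


def audit(requirements_text, advisories=ADVISORIES):
    """Return findings as (package, version, advisory_id) tuples.
    Unpinned packages are reported with the marker 'UNPINNED' because
    they cannot be checked against the database exactly."""
    findings = []
    for name, version in parse_requirements(requirements_text):
        if version is None:
            findings.append((name, None, "UNPINNED"))
            continue
        for spec, adv_id in advisories.get(name, []):
            if version_matches(version, spec):
                findings.append((name, version, adv_id))
    return findings


if __name__ == "__main__":
    for name, version, adv in audit(REQUIREMENTS):
        print(f"{name} {version or '(unpinned)'}: {adv}")
```

Running it reports examplelib 1.1.5 against the placeholder advisory and flags `unpinned` as uncheckable, while otherpkg 2.3.1 sits just outside the vulnerable range and safepkg has no entry. The same structure is what a CI step wrapping a real scanner gives you: the useful output is the list of (package, version, advisory) hits plus the set of dependencies the scan could not evaluate.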
