+1 for adding it to Python. We can explore more as to how we can surface the findings as a health signal. It will also be good to apply it to our old releases for users to be aware of.
On Fri, May 29, 2020 at 11:20 AM Luke Cwik <[email protected]> wrote:
> Past work added an audit plugin for Java[1]. I reached out to PyUp and they have a free tool to use which can check the set of Python dependencies we have for CVE errors. The tool works by scanning a text file of dependencies and checking it against a CVE database. There is also support for integration with various web based systems which we don't use. There is a paid version which gives you the same features but the CVE database you get access to is updated more frequently (free = monthly?, paid = daily?).
>
> Has anyone been using the integration for Java added in [1] and has it been generally useful?
> Should we try adding PyUp to validate Beam Python's dependencies?
>
> 1: https://lists.apache.org/thread.html/a3550051d1b7ce4454c586d1f806cd799a1ccc8776f3857308a2fc09%40%3Cdev.beam.apache.org%3E
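A minimal version of the dependency-file audit described in the thread, added here as an example (it is not PyUp's tool and not Beam project code): it parses pinned `requirements.txt` entries and matches them against a small vulnerability database. The database contents, advisory ids and the version-spec grammar are constructed assumptions, not real data.

```python
"""Minimal dependency audit: match pinned requirements against a vulnerability DB."""
import re
from typing import Dict, List, Tuple

# Constructed, not real: sample vulnerability database keyed by package name.
# Each entry lists affected version specs and a placeholder advisory id.
VULN_DB: Dict[str, List[dict]] = {
    "examplelib": [{"specs": ["<1.4.2"], "id": "EXAMPLE-ADVISORY-1"}],
    "otherlib": [{"specs": [">=2.0,<2.3.1"], "id": "EXAMPLE-ADVISORY-2"}],
}

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.4.2' into (1, 4, 2); non-numeric parts are ignored (assumption)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, ">": lambda a, b: a > b,
        ">=": lambda a, b: a >= b, "==": lambda a, b: a == b}

def matches_spec(version: str, spec: str) -> bool:
    """True if version satisfies every comma-separated clause in spec, e.g. '>=2.0,<2.3.1'."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|<|>)\s*([\w.]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported spec clause: {clause!r}")
        if not _OPS[m.group(1)](v, parse_version(m.group(2))):
            return False
    return True

def parse_requirements(text: str) -> Dict[str, str]:
    """Extract 'name==version' pins; comments, blanks and unpinned lines are skipped."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)\s*==\s*([\w.]+)", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins

def audit(requirements_text: str, db=VULN_DB) -> List[Tuple[str, str, str]]:
    """Return (package, version, advisory id) for every pin hit by a DB entry."""
    findings = []
    for name, version in parse_requirements(requirements_text).items():
        for entry in db.get(name, []):
            if any(matches_spec(version, s) for s in entry["specs"]):
                findings.append((name, version, entry["id"]))
    return findings

# Constructed requirements file for demonstration; only examplelib should be flagged.
SAMPLE_REQUIREMENTS = "examplelib==1.4.1  # affected\notherlib==2.3.1\nsafe-pkg==0.1\n"
```

Unpinned lines are skipped on purpose: a range such as `bar>=2` cannot be audited until it is resolved to a concrete version, so a real check should run against the fully resolved set.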
