+1 !

On Fri, May 29, 2020 at 11:32 AM Ankur Goenka <goe...@google.com> wrote:

> +1 for adding it to Python.
> We can explore more as to how we can surface the findings as a health
> signal.
> It will also be good to apply it to our old releases for users to be aware
> of.
>
>
>
> On Fri, May 29, 2020 at 11:20 AM Luke Cwik <lc...@google.com> wrote:
>
>> Past work added an audit plugin for Java[1]. I reached out to PyUp and
>> they have a free tool to use which can check the set of Python dependencies
>> we have for CVE errors. The tool works by scanning a text file of
>> dependencies and checking it against a CVE database. There is also support
>> for integration with various web based systems which we don't use. There is
>> a paid version which gives you the same features but the CVE database you
>> get access to is updated more frequently (free = monthly?, paid = daily?).
>>
>> Has anyone been using the integration for Java added in [1] and has it
>> been generally useful?
>> Should we try adding PyUp to validate Beam Python's dependencies?
>>
>> 1:
>> https://lists.apache.org/thread.html/a3550051d1b7ce4454c586d1f806cd799a1ccc8776f3857308a2fc09%40%3Cdev.beam.apache.org%3E
>>
>
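
As an added illustration of the check Luke describes (this is example code written for this page, not code from the thread, from Beam, or from PyUp's tool), the script below parses a pinned requirements file and matches each pin against an advisory list with version ranges. The package names, versions and advisory IDs are constructed sample data, and the version comparison is a deliberately simple dotted-integer compare rather than full PEP 440 handling.

```python
"""Toy dependency audit: parse a pinned requirements file and match each pin
against an advisory database, mimicking the check a CVE-scanning tool performs.
The advisory list and requirements text below are constructed sample data
(hypothetical package names and advisory IDs), not real advisories."""
import re

# Constructed sample advisory database: package, affected version spec, id.
ADVISORIES = [
    {"package": "examplelib", "spec": "<1.2.0", "id": "EXAMPLE-0001"},
    {"package": "otherpkg", "spec": ">=2.0,<2.3.1", "id": "EXAMPLE-0002"},
]

# Constructed sample requirements file (pinned with ==, comments allowed).
REQUIREMENTS = """
# pinned dependencies (constructed sample)
examplelib==1.1.9
otherpkg==2.2.0
safe-pkg==0.5.0
"""


def parse_version(v):
    """Turn '1.2.0' into a comparable tuple; trailing zeros are dropped so
    that '1.2' and '1.2.0' compare equal."""
    parts = [int(p) for p in v.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_requirements(text):
    """Return {name: version} for lines of the form name==version.
    Unpinned lines are rejected: an audit of unpinned deps is meaningless."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.-]+)==([0-9.]+)$", line)
        if not m:
            raise ValueError(f"unsupported requirement line: {line!r}")
        pins[m.group(1).lower()] = m.group(2)
    return pins


_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


def matches_spec(version, spec):
    """True if version satisfies every comma-separated clause in spec,
    e.g. '>=2.0,<2.3.1'."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.match(r"^(<=|>=|==|<|>)(\S+)$", clause.strip())
        if not m:
            raise ValueError(f"unsupported version clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def audit(requirements_text, advisories):
    """Return (package, pinned_version, advisory_id) for every pinned
    dependency whose version falls inside an advisory's affected range."""
    pins = parse_requirements(requirements_text)
    findings = []
    for adv in advisories:
        name = adv["package"].lower()
        if name in pins and matches_spec(pins[name], adv["spec"]):
            findings.append((name, pins[name], adv["id"]))
    return findings


if __name__ == "__main__":
    for name, ver, adv_id in audit(REQUIREMENTS, ADVISORIES):
        print(f"{name}=={ver}: affected by {adv_id}")
```

The real tool does the same thing against its own advisory feed; the important operational point for a CI health signal is that the feed's freshness (the monthly-versus-daily distinction above) bounds how long a newly published CVE can go undetected, and that a pin like `1.2` and `1.2.0` must be treated as the same version or matches will be missed.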
