Re: CVE audit gradle plugin

2019-04-26 Thread Etienne Chauchot
Hi all, Just to let you know, you can now check the vulnerabilities in libraries by running gradlew audit --info. It is a separate task that is not in the dependencies of the build (the normal build will not fail if there are vulnerabilities found). When you run it, it gives an output similar to

Re: CVE audit gradle plugin

2019-04-24 Thread Etienne Chauchot
Hi all, FYI I just submitted a PR (1) to add the CVE audit plugin to the build as an optional task gradlew audit --info. [1] https://github.com/apache/beam/pull/8388 Etienne On Tuesday 23 April 2019 at 17:25 +0200, Etienne Chauchot wrote: > Hi, should I merge my branch >

Re: CVE audit gradle plugin

2019-04-23 Thread Etienne Chauchot
Hi, should I merge my branch https://github.com/echauchot/beam/tree/cve_audit_plugin to master to include this tool in the build system then? It will not fail the build but add an audit task to it. Etienne On Friday 19 April 2019 at 10:54 -0700, Lukasz Cwik wrote: > Common Vulnerabilities and

Re: CVE audit gradle plugin

2019-04-19 Thread Lukasz Cwik
Common Vulnerabilities and Exposures (CVE) On Fri, Apr 19, 2019 at 10:33 AM Robert Burke wrote: > Ah! What's CVE stand for then? > > Re the PR: Sadly, it's more complicated than that, which I'll explain in > the PR. Otherwise it would have been done already. It's not too bad if the > time is

Re: CVE audit gradle plugin

2019-04-19 Thread Robert Burke
Ah! What's CVE stand for then? Re the PR: Sadly, it's more complicated than that, which I'll explain in the PR. Otherwise it would have been done already. It's not too bad if the time is put in though. On Fri, 19 Apr 2019 at 10:17, Lukasz Cwik wrote: > Robert, I believe what is being suggested

Re: CVE audit gradle plugin

2019-04-19 Thread Lukasz Cwik
Robert, I believe what is being suggested is a tool that integrates into CVE reports automatically and tells us if we have a dependency with a security issue (not just whether there is a newer version). Also, there is a sweet draft PR to add Go modules[1]. 1:

Re: CVE audit gradle plugin

2019-04-19 Thread Robert Burke
If we move to Go Modules, the go.mod file specifies direct dependencies and versions, and the go.sum file includes checksums of the full transitive set of dependencies. There's likely going to be a tool for detecting if an update is possible, if one doesn't exist in the go tooling already. On

Re: CVE audit gradle plugin

2019-04-19 Thread Lukasz Cwik
This seems worthwhile IMO. Ahmet, Pyup[1] is free for open source projects and has an API that allows for dependency checking. They can scan Github repos automatically it seems but it may not be compatible with how Apache permissions with Github work. I'm not sure if there is such a thing for Go.

Re: CVE audit gradle plugin

2019-04-19 Thread Ismaël Mejía
I want to bring this subject back, any chance we can get this running in our main repo maybe on a weekly basis like we do for the dependency reports. It looks totally worth it. On Fri, Mar 1, 2019 at 2:05 AM Ahmet Altay wrote: > > Thank you, I agree this is very important. Does anyone know a

Re: CVE audit gradle plugin

2019-02-28 Thread Ahmet Altay
Thank you, I agree this is very important. Does anyone know a similar tool for python and go? On Thu, Feb 28, 2019 at 8:26 AM Etienne Chauchot wrote: > Hi guys, > > I came by this [1] gradle plugin that is a client to the Sonatype OSS > Index CVE database. > > I have set it up here in a branch

CVE audit gradle plugin

2019-02-28 Thread Etienne Chauchot
Hi guys, I came by this [1] gradle plugin that is a client to the Sonatype OSS Index CVE database. I have set it up here in a branch [2], though the cache is not configured and the number of requests is limited. It can be run with "gradle --info audit" It could be nice to have something like