https://bugzilla.wikimedia.org/show_bug.cgi?id=72193
--- Comment #1 from Antoine "hashar" Musso (WMF) <[email protected]> ---

I like the principle :-D

The database of CVEs is at: https://github.com/sensiolabs/security-advisories which provides a small utility to validate the YAML-based format. It is lacking a contributing license though.

I am not a huge fan of depending on a third-party API, and the above repository is missing the code to validate a composer.lock against the database. But that should be trivial to reimplement.

We would probably want to have a daily run against all repositories' maintained branches and produce a report.

So a summary of a possible .plan would be:

- file an issue to have the repository content under a free license
- implement a utility that reads a composer.lock and matches it against the security repo
- figure out a database of repos / branches we want to run the utility against
- Jenkins can daily run it on all repositories as well as on patch proposals (via the existing composer-validate job).
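The "reads a composer.lock and matches it against the security repo" step of the plan above, as an added Python example (not code from the bug report, the security-advisories repository or Wikimedia's tooling). The advisory dicts mirror the repository's YAML layout (reference / branches / versions) as I understand it, but here they are hard-coded rather than loaded from YAML files; the package names, versions and CVE ids are constructed placeholders.

```python
import json
import re

# Constructed composer.lock excerpt: the real file has the same "packages" /
# "packages-dev" lists with "name" and "version" keys per installed package.
LOCK_JSON = '''{"packages": [
  {"name": "acme/widgets", "version": "v1.0.3"},
  {"name": "acme/tools",   "version": "2.1.0"},
  {"name": "acme/dev",     "version": "dev-master"}],
 "packages-dev": [{"name": "acme/testlib", "version": "0.9.0"}]}'''

# Constructed advisories in the security-advisories shape (reference, cve,
# branches -> versions); a real tool would parse the repo's YAML files instead.
ADVISORIES = [
    {"reference": "composer://acme/widgets", "cve": "CVE-XXXX-XXXX (placeholder)",
     "branches": {"1.0.x": {"versions": [">=1.0", "<1.0.5"]},
                  "1.1.x": {"versions": [">=1.1", "<1.1.2"]}}},
    {"reference": "composer://acme/tools", "cve": "CVE-YYYY-YYYY (placeholder)",
     "branches": {"2.x": {"versions": [">=2.0", "<2.0.9"]}}},
]

def version_tuple(v):
    """Normalise a composer version ("v1.0.3", "1.0-beta1") to an int tuple."""
    v = v.lstrip("vV").split("-")[0]          # drop leading "v" and stability suffix
    return tuple(int(p) for p in v.split(".") if p.isdigit())

def satisfies(version, constraint):
    """Check one constraint such as ">=1.0" or "<1.0.5" against an installed version."""
    op, bound = re.match(r"^(>=|<=|!=|>|<|=)?\s*(.+)$", constraint.strip()).groups()
    a, b = version_tuple(version), version_tuple(bound)
    n = max(len(a), len(b))                   # pad so that 1.0 compares equal to 1.0.0
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return {">=": a >= b, "<=": a <= b, ">": a > b, "<": a < b,
            "=": a == b, "!=": a != b}[op or "="]

def affected(version, branches):
    """A version is affected if every constraint of some branch range matches it."""
    return any(all(satisfies(version, c) for c in br["versions"]) for br in branches.values())

def audit(lock_json, advisories):
    """Return (package, installed version, advisory id) for every matching advisory."""
    lock = json.loads(lock_json)
    installed = {p["name"]: p["version"]
                 for key in ("packages", "packages-dev") for p in lock.get(key, [])}
    hits = []
    for adv in advisories:
        name = adv["reference"][len("composer://"):]
        version = installed.get(name)
        if version is None or version.startswith("dev-"):
            continue                          # not installed, or a branch with no comparable version
        if affected(version, adv["branches"]):
            hits.append((name, version, adv["cve"]))
    return hits
```

Run on the constructed lock file, `audit()` flags only acme/widgets (1.0.3 lies in the 1.0.x range), while acme/tools 2.1.0 falls outside its advisory's range and the dev-master package is skipped because it has no comparable version.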
