Posted to dev@beam.apache.org by Ismaël Mejía <ie...@gmail.com> on 2019/04/19 09:31:19 UTC

Re: CVE audit gradle plugin

I want to bring this subject back, any chance we can get this running
in our main repo, maybe on a weekly basis like we do for the dependency
reports. It looks totally worth it.

On Fri, Mar 1, 2019 at 2:05 AM Ahmet Altay <al...@google.com> wrote:
>
> Thank you, I agree this is very important. Does anyone know a similar tool for python and go?
>
> On Thu, Feb 28, 2019 at 8:26 AM Etienne Chauchot <ec...@apache.org> wrote:
>>
>> Hi guys,
>>
>> I came by this [1] gradle plugin that is a client to the Sonatype OSS Index CVE database.
>>
>> I have set it up here in a branch [2], though the cache is not configured and the number of requests is limited. It can be run with "gradle --info audit"
>>
>> It could be nice to have something like this to track the CVEs in the libs we use. I know we have been spammed by libs upgrade automatic requests in the past but CVE are more important IMHO.
>>
>> This plugin is in BSD-3-Clause which is compatible with Apache V2 licence [3]
>>
>> WDYT ?
>>
>> Etienne
>>
>> [1] https://github.com/OSSIndex/ossindex-gradle-plugin
>> [2] https://github.com/echauchot/beam/tree/cve_audit_plugin
>> [3] https://www.apache.org/legal/resolved.html

Re: CVE audit gradle plugin

Posted by Etienne Chauchot <ec...@apache.org>.
Hi all,
Just to let you know, you can now check the vulnerabilities in libraries by running gradlew audit --info. It is a
separate task that is not in the dependencies of the build (the normal build will not fail if there are vulnerabilities
found). When you run it, it gives an output similar to mvn dependency:tree with a red vulnerability arrow, and the build
fails in case vulnerabilities are found. If there are none, the build succeeds.
For now, there is no more than that, but it can be included into Jenkins. As we did not agree on something, I did not do
the integration.
WDYT?
Etienne
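The audit task described in this post is a client to the OSS Index service, and the policy decision (report only, or fail the build) is the part the thread had not settled. The script below is an added example, not Beam's build code and not the ossindex-gradle-plugin; it shows the same pipeline end to end: collect the resolved coordinates from `gradle dependencies` output, batch them into OSS Index component-report requests, and apply a fail/ignore policy. The endpoint, request body and response field names are assumptions taken from the public OSS Index v3 API and should be checked against its documentation before use; the dependency tree and the report in the script are constructed samples and describe no real library or vulnerability. The network call is isolated in fetch_report so everything else runs offline.

```python
"""Audit resolved Gradle dependencies against a Sonatype OSS Index report.

Added example, not code from the Beam project or the ossindex-gradle-plugin.
Assumptions, to verify against the OSS Index API documentation:
  * POST https://ossindex.sonatype.org/api/v3/component-report takes a JSON
    body {"coordinates": [<package URL>, ...]} and returns one object per
    coordinate with a "vulnerabilities" list of {"id", "title", "cvssScore"}.
  * `gradle dependencies` prints one node per line as "+--- g:a:v" or
    "\\--- g:a:v", with " -> v2" on conflict resolution and "(n)"/"(c)" flags.
The sample tree and report below are constructed and describe no real issue.
"""
import json
import re
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

OSSINDEX_URL = "https://ossindex.sonatype.org/api/v3/component-report"
BATCH_SIZE = 128  # keep request bodies small; the unauthenticated tier is rate limited

# One dependency node of `gradle dependencies` output.
DEP_LINE = re.compile(
    r"^[|\s]*[+\\]--- (?P<gav>\S+)(?: -> (?P<resolved>\S+))?(?P<flags>.*)$")


def resolved_coordinates(gradle_tree: str) -> Set[str]:
    """Collect distinct resolved group:artifact:version triples from a tree."""
    out: Set[str] = set()
    for line in gradle_tree.splitlines():
        m = DEP_LINE.match(line)
        if not m or m["gav"].count(":") < 1:
            continue  # headers, project dependencies, blank lines
        if "(n)" in m["flags"] or "(c)" in m["flags"]:
            continue  # not resolved, or a constraint rather than a dependency
        gav, resolved = m["gav"], m["resolved"]
        if resolved and ":" in resolved:
            gav = resolved  # substituted with different coordinates
        elif resolved:
            gav = ":".join(gav.split(":")[:2] + [resolved])  # version bumped
        if gav.count(":") == 2:
            out.add(gav)
    return out


def maven_purl(gav: str) -> str:
    """Turn a Gradle-style 'group:artifact:version' into a package URL."""
    group, artifact, version = gav.split(":")
    return f"pkg:maven/{group}/{artifact}@{version}"


def build_requests(gavs: Set[str]) -> List[Dict]:
    """Batch coordinates into request bodies of at most BATCH_SIZE each."""
    coords = sorted(maven_purl(g) for g in gavs)
    return [{"coordinates": coords[i:i + BATCH_SIZE]}
            for i in range(0, len(coords), BATCH_SIZE)]


def fetch_report(body: Dict) -> List[Dict]:
    """The only network call; kept separate so the policy is testable offline."""
    req = urllib.request.Request(
        OSSINDEX_URL, data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


@dataclass(frozen=True)
class Finding:
    coordinates: str
    vuln_id: str
    title: str
    cvss: float
    ignored: bool


def evaluate(report: List[Dict], ignore: Set[str]) -> List[Finding]:
    """Flatten a report; an entry is ignored if its purl or its group/artifact is listed."""
    findings: List[Finding] = []
    for entry in report:
        purl = entry["coordinates"]
        name = purl.split("@")[0]  # pkg:maven/group/artifact without the version
        ignored = purl in ignore or name in ignore
        for v in entry.get("vulnerabilities", []):
            findings.append(Finding(purl, v["id"], v["title"],
                                    float(v.get("cvssScore") or 0.0), ignored))
    return findings


def should_fail(findings: List[Finding], min_cvss: float = 0.0) -> bool:
    """True if any non-ignored finding reaches the threshold (0.0 = any finding)."""
    return any(f.cvss >= min_cvss and not f.ignored for f in findings)


def audit(gradle_tree: str, ignore: Set[str], min_cvss: float = 0.0,
          fetch: Callable[[Dict], List[Dict]] = fetch_report) -> Tuple[List[Finding], bool]:
    """Parse the tree, query OSS Index batch by batch, apply the policy."""
    findings: List[Finding] = []
    for body in build_requests(resolved_coordinates(gradle_tree)):
        findings.extend(evaluate(fetch(body), ignore))
    return findings, should_fail(findings, min_cvss)


# Constructed sample input and response (no real artifact or vulnerability).
SAMPLE_TREE = """\
compileClasspath - Compile classpath for source set 'main'.
+--- org.example:clean-lib:2.0.0
|    \\--- org.example:old-parser:1.3.0 -> 1.4.0
+--- org.example:old-parser:1.4.0 (*)
+--- org.example:pinned:1.0.0 (c)
\\--- project :other-module
"""
SAMPLE_REPORT = [
    {"coordinates": "pkg:maven/org.example/clean-lib@2.0.0", "vulnerabilities": []},
    {"coordinates": "pkg:maven/org.example/old-parser@1.4.0", "vulnerabilities": [
        {"id": "example-1", "title": "constructed high issue", "cvssScore": 7.5},
        {"id": "example-2", "title": "constructed low issue", "cvssScore": 3.1}]},
]

if __name__ == "__main__":
    found, fail = audit(SAMPLE_TREE, ignore=set(), fetch=lambda body: SAMPLE_REPORT)
    for f in found:
        print(f"{f.coordinates}: {f.vuln_id} cvss={f.cvss} ignored={f.ignored}")
    print("audit", "FAILED" if fail else "passed")
```

Run as-is it evaluates the constructed sample offline; against a real build, pass the output of ./gradlew dependencies --configuration compileClasspath as gradle_tree and leave fetch at its default. Keeping failure a policy parameter (a CVSS threshold plus an ignore list that names group/artifact without a version) is what lets the same script serve as a non-blocking weekly report first and as a blocking gate later, which is the choice the thread leaves open.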

Re: CVE audit gradle plugin

Posted by Etienne Chauchot <ec...@apache.org>.
Hi all,
FYI I just submitted a PR [1] to add the CVE audit plugin to the build as an optional task: gradlew audit --info.
[1] https://github.com/apache/beam/pull/8388
Etienne

Re: CVE audit gradle plugin

Posted by Etienne Chauchot <ec...@apache.org>.
Hi,
should I merge my branch https://github.com/echauchot/beam/tree/cve_audit_plugin to master to include this tool in
the build system then? It will not fail the build but add an audit task to it.
Etienne

Re: CVE audit gradle plugin

Posted by Lukasz Cwik <lc...@google.com>.
Common Vulnerabilities and Exposures (CVE)


Re: CVE audit gradle plugin

Posted by Robert Burke <ro...@frantil.com>.
Ah! What's CVE stand for then?

Re the PR: Sadly, it's more complicated than that, which I'll explain in
the PR. Otherwise it would have been done already. It's not too bad if the
time is put in though.


Re: CVE audit gradle plugin

Posted by Lukasz Cwik <lc...@google.com>.
Robert, I believe what is being suggested is a tool that integrates into
CVE reports automatically and tells us if we have a dependency with a
security issue (not just whether there is a newer version). Also, there is
a sweet draft PR to add Go modules[1].

1: https://github.com/apache/beam/pull/8354


Re: CVE audit gradle plugin

Posted by Robert Burke <ro...@frantil.com>.
If we move to Go Modules, the go.mod file specifies direct dependencies and
versions, and the go.sum file includes checksums of the full transitive set
of dependencies. There's likely going to be a tool for detecting if an
update is possible, if one doesn't exist in the go tooling already.


Re: CVE audit gradle plugin

Posted by Lukasz Cwik <lc...@google.com>.
This seems worthwhile IMO.

Ahmet, Pyup[1] is free for open source projects and has an API that allows
for dependency checking. They can scan Github repos automatically it seems
but it may not be compatible with how Apache permissions with Github work.
I'm not sure if there is such a thing for Go.

1: https://pyup.io/
