geode-dev mailing list archives

From Anthony Baker <aba...@pivotal.io>
Subject Re: Updating dependencies
Date Mon, 12 Feb 2018 20:36:27 GMT


> On Feb 12, 2018, at 12:29 PM, Mark Bretl <asf.mbretl@gmail.com> wrote:
> 
> Late to the game here, as I see this was merged today…
> 

Comments always appreciated :-)

> The addition of the Gradle versions plugin is good and hopefully we can go
> farther down the path of dependency scanning by adding security as well.
> Currently, GitHub has this setup for Ruby and JavaScript [1], however it is
> lacking Java dependencies. Until GitHub can support Java dependencies, I
> would suggest we look at other tools, such as snyk.io [2], for tracking our
> dependencies with security vulnerabilities.
> 

dependency-check [1] from OWASP is pretty nice and easy to run automatically in a pipeline.

Anthony

[1] https://www.owasp.org/index.php/OWASP_Dependency_Check


> --Mark
> 
> [1] https://github.com/blog/2470-introducing-security-alerts-on-github
> [2] https://snyk.io/
> 
> On Fri, Feb 9, 2018 at 4:06 PM, Anthony Baker <abaker@pivotal.io> wrote:
> 
>> Hi all,
>> 
>> I’ve got a PR [1] open that updates lots of dependencies.  Please review
>> and let me know if you have any concerns.  I’d like to merge it early next
>> week barring any objections.
>> 
>> Thanks,
>> Anthony
>> 
>> [1] https://github.com/apache/geode/pull/1400
>> 
>> 

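As an added illustration (not Geode's own build file, and not code from either poster), this is how the Gradle versions plugin Mark mentions and the OWASP dependency-check plugin Anthony recommends can sit side by side in a build.gradle so the vulnerability scan gates the normal `check` lifecycle; plugin versions and the suppression-file path are placeholders.

```groovy
// build.gradle (Groovy DSL). Added example for this thread, not Geode's real build.
// Plugin versions are placeholders; use the current releases of each plugin.
plugins {
    // Reports newer releases of declared dependencies (task: dependencyUpdates).
    id 'com.github.ben-manes.versions' version 'X.Y.Z'   // placeholder version
    // OWASP dependency-check: matches resolved artifacts against known CVEs
    // (task: dependencyCheckAnalyze).
    id 'org.owasp.dependencycheck' version 'X.Y.Z'       // placeholder version
}

dependencyCheck {
    // Fail the build when any finding scores CVSS 7.0 or higher.
    // The plugin default is 11, which means "report but never fail".
    failBuildOnCVSS = 7.0
    // Reviewed false positives live in a suppression file checked into the repo,
    // so every exception is visible in code review rather than silently ignored.
    suppressionFile = 'config/dependency-check-suppressions.xml'   // assumed path
    // Scan only what ships; test-only classpaths add noise to a release gate.
    skipConfigurations = ['testCompileClasspath', 'testRuntimeClasspath']
    format = 'ALL'
}

// Run the scan as part of `gradle check`, so CI exercises it on every build.
check.dependsOn 'dependencyCheckAnalyze'
```

`gradle dependencyUpdates` then lists outdated libraries for the next update PR, while `gradle check` fails fast on any shipped dependency with a high-severity finding.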
