geode-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Bretl <asf.mbr...@gmail.com>
Subject Re: Updating dependencies
Date Mon, 12 Feb 2018 22:14:12 GMT
OWASP is good too, even has a Gradle plugin [1]

--Mark

[1] https://github.com/jeremylong/dependency-check-gradle

On Mon, Feb 12, 2018 at 12:36 PM, Anthony Baker <abaker@pivotal.io> wrote:

>
>
> > On Feb 12, 2018, at 12:29 PM, Mark Bretl <asf.mbretl@gmail.com> wrote:
> >
> > Late to the game here, as I see this was merged today…
> >
>
> Comments always appreciated :-)
>
> > The addition of the Gradle versions plugin is good and hopefully we can
> go
> > farther down the path of dependency scanning by adding security as well.
> > Currently, GitHub has this setup for Ruby and JavaScript [1], however it
> is
> > lacking Java dependencies. Until GitHub can support Java dependencies, I
> > would suggest we look at other tools, such as snyk.io [2], for tracking
> our
> > dependencies with security vulnerabilities.
> >
>
> dependency-check [1] from OWASP is pretty nice and easy to run
> automatically in a pipeline.
>
> Anthony
>
> [1] https://www.owasp.org/index.php/OWASP_Dependency_Check <
> https://www.owasp.org/index.php/OWASP_Dependency_Check>
>
>
> > --Mark
> >
> > [1] https://github.com/blog/2470-introducing-security-alerts-on-github
> > [2] https://snyk.io/
> >
> > On Fri, Feb 9, 2018 at 4:06 PM, Anthony Baker <abaker@pivotal.io> wrote:
> >
> >> Hi all,
> >>
> >> I’ve got a PR [1] open that updates lots of dependencies.  Please review
> >> and let me know if you have any concerns.  I’d like to merge it early
> next
> >> week barring any objections.
> >>
> >> Thanks,
> >> Anthony
> >>
> >> [1] https://github.com/apache/geode/pull/1400 <
> >> https://github.com/apache/geode/pull/1400>
> >>
> >>
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message