geode-dev mailing list archives

From John Blum <jb...@pivotal.io>
Subject Re: Updating dependencies
Date Tue, 13 Feb 2018 16:15:39 GMT
Ever consider inheriting from *Spring Boot's* dependency BOM file [1] by
applying the *Spring Dependency Management* Gradle Plugin?  The advantage
of the plugin over this [2] is that you are guaranteed to get a curated and
harmonized list of *Spring* and 3rd party (transitive) dependencies that
have all been tested and proven to work together.  This is the fundamental
basis for the *Spring IO Platform*. [3]

General guidance can be found here [4], and you may specifically be
interested in this [5].  You can learn more here [6].

-j


[1]
https://docs.spring.io/spring-boot/docs/2.0.0.RC1/gradle-plugin/reference/html/#reacting-to-other-plugins-dependency-management
[2]
https://github.com/apache/geode/blob/rel/v1.4.0/gradle/dependency-versions.properties
[3] https://platform.spring.io/platform/
[4]
https://docs.spring.io/spring-boot/docs/2.0.0.RC1/gradle-plugin/reference/html/#managing-dependencies
[5]
https://docs.spring.io/spring-boot/docs/2.0.0.RC1/gradle-plugin/reference/html/#managing-dependencies-using-in-isolation
[6]
https://github.com/spring-gradle-plugins/dependency-management-plugin/blob/master/README.md


On Mon, Feb 12, 2018 at 2:14 PM, Mark Bretl <asf.mbretl@gmail.com> wrote:

> OWASP is good too, even has a Gradle plugin [1]
>
> --Mark
>
> [1] https://github.com/jeremylong/dependency-check-gradle
>
> On Mon, Feb 12, 2018 at 12:36 PM, Anthony Baker <abaker@pivotal.io> wrote:
>
> > > On Feb 12, 2018, at 12:29 PM, Mark Bretl <asf.mbretl@gmail.com> wrote:
> > >
> > > Late to the game here, as I see this was merged today…
> > >
> >
> > Comments always appreciated :-)
> >
> > > The addition of the Gradle versions plugin is good and hopefully we can
> > > go farther down the path of dependency scanning by adding security as
> > > well. Currently, GitHub has this setup for Ruby and JavaScript [1],
> > > however it is lacking Java dependencies. Until GitHub can support Java
> > > dependencies, I would suggest we look at other tools, such as snyk.io
> > > [2], for tracking our dependencies with security vulnerabilities.
> > >
> >
> > dependency-check [1] from OWASP is pretty nice and easy to run
> > automatically in a pipeline.
> >
> > Anthony
> >
> > [1] https://www.owasp.org/index.php/OWASP_Dependency_Check
> >
> >
> > > --Mark
> > >
> > > [1] https://github.com/blog/2470-introducing-security-alerts-on-github
> > > [2] https://snyk.io/
> > >
> > > On Fri, Feb 9, 2018 at 4:06 PM, Anthony Baker <abaker@pivotal.io> wrote:
> > >
> > >> Hi all,
> > >>
> > >> I’ve got a PR [1] open that updates lots of dependencies.  Please review
> > >> and let me know if you have any concerns.  I’d like to merge it early
> > >> next week barring any objections.
> > >>
> > >> Thanks,
> > >> Anthony
> > >>
> > >> [1] https://github.com/apache/geode/pull/1400
> > >>
> > >>
> >
> >
>



-- 
-John
john.blum10101 (skype)
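The two approaches discussed in this thread, inheriting the Spring Boot BOM through the Spring Dependency Management plugin and running OWASP dependency-check as a build step, fit in a single Gradle build file. The build.gradle below is an added illustration written for this archive page; it is not Geode's build file and not code from any of the people quoted above. The plugin and BOM versions (Spring Boot 2.0.0.RC1 to match the linked docs, dependency-management-plugin 1.0.4.RELEASE, dependency-check-gradle 3.1.1), the three sample dependencies and the suppressions file path are all assumptions chosen for the example.

```groovy
// build.gradle (Gradle Groovy DSL). Added example, not Apache Geode's build.
// Assumed versions: Spring Boot 2.0.0.RC1 (the docs linked in the thread),
// dependency-management-plugin 1.0.4.RELEASE, dependency-check-gradle 3.1.1.
// Check the plugin portals for current releases before reusing this.

buildscript {
    repositories {
        mavenCentral()
        // An RC BOM is only published to the Spring milestone repository.
        maven { url 'https://repo.spring.io/milestone' }
    }
    dependencies {
        classpath 'io.spring.gradle:dependency-management-plugin:1.0.4.RELEASE'
        classpath 'org.owasp:dependency-check-gradle:3.1.1'
    }
}

apply plugin: 'java'
apply plugin: 'io.spring.dependency-management'
apply plugin: 'org.owasp.dependencycheck'

repositories {
    mavenCentral()
    maven { url 'https://repo.spring.io/milestone' }
}

// John's suggestion: import the curated Spring Boot BOM instead of pinning
// every artifact by hand in gradle/dependency-versions.properties. Versions
// for anything the BOM manages are then resolved from the BOM.
dependencyManagement {
    imports {
        mavenBom 'org.springframework.boot:spring-boot-dependencies:2.0.0.RC1'
    }
    // A project-level entry here overrides the BOM when a specific version is
    // needed. The coordinates are a placeholder, not a real Geode requirement.
    // dependencies {
    //     dependency 'com.example:some-library:1.2.3'
    // }
}

dependencies {
    // Sample dependencies (assumed, not Geode's list). No versions are given;
    // they come from the imported BOM, so they are known to work together.
    implementation 'org.springframework:spring-core'
    implementation 'com.fasterxml.jackson.core:jackson-databind'
    testImplementation 'junit:junit'
}

// Mark's and Anthony's suggestion: OWASP dependency-check. It matches the
// resolved artifacts against the NVD and, with failBuildOnCVSS set, turns the
// pipeline red instead of only writing a report nobody reads.
dependencyCheck {
    failBuildOnCVSS = 7.0f       // fail on High/Critical findings; 0 fails on any
    format = 'ALL'               // HTML for people, XML/JSON for other tooling
    // Assumed path. Reviewed false positives go here, with a justification,
    // so the threshold stays enforced for everything else.
    suppressionFile = 'config/owasp/suppressions.xml'
}

// Run the scan as part of `gradle check`, so every CI build performs it.
check.dependsOn dependencyCheckAnalyze
```

Run `gradle dependencyCheckAnalyze` (or `gradle check`) to try it. The first run downloads the NVD data feed, so a CI job needs outbound network access or a pre-populated data directory. Note that the BOM only harmonizes versions; it says nothing about whether a managed version carries a known CVE, which is why the scan belongs in the same build.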
