Ever consider inheriting from *Spring Boot's* dependency BOM file [1] by applying the *Spring Dependency Management Gradle Plugin*? The advantage of the plugin over this [2] is that you are guaranteed to get a curated and harmonized list of *Spring* and 3rd-party (transitive) dependencies that have all been tested and proven to work together. This is the fundamental basis for the *Spring IO Platform* [3].

General guidance can be found here [4], and you may specifically be interested in this [5]. You can learn more here [6].

-j

[1] https://docs.spring.io/spring-boot/docs/2.0.0.RC1/gradle-plugin/reference/html/#reacting-to-other-plugins-dependency-management
[2] https://github.com/apache/geode/blob/rel/v1.4.0/gradle/dependency-versions.properties
[3] https://platform.spring.io/platform/
[4] https://docs.spring.io/spring-boot/docs/2.0.0.RC1/gradle-plugin/reference/html/#managing-dependencies
[5] https://docs.spring.io/spring-boot/docs/2.0.0.RC1/gradle-plugin/reference/html/#managing-dependencies-using-in-isolation
[6] https://github.com/spring-gradle-plugins/dependency-management-plugin/blob/master/README.md

On Mon, Feb 12, 2018 at 2:14 PM, Mark Bretl <asf.mbr...@gmail.com> wrote:
> OWASP is good too, even has a Gradle plugin [1]
>
> --Mark
>
> [1] https://github.com/jeremylong/dependency-check-gradle
>
> On Mon, Feb 12, 2018 at 12:36 PM, Anthony Baker <aba...@pivotal.io> wrote:
>
> > On Feb 12, 2018, at 12:29 PM, Mark Bretl <asf.mbr...@gmail.com> wrote:
> >
> > > Late to the game here, as I see this was merged today…
> >
> > Comments always appreciated :-)
> >
> > > The addition of the Gradle versions plugin is good and hopefully we can go farther down the path of dependency scanning by adding security as well. Currently, GitHub has this setup for Ruby and JavaScript [1], however it is lacking Java dependencies. Until GitHub can support Java dependencies, I would suggest we look at other tools, such as snyk.io [2], for tracking our dependencies with security vulnerabilities.
> >
> > dependency-check [1] from OWASP is pretty nice and easy to run automatically in a pipeline.
> >
> > Anthony
> >
> > [1] https://www.owasp.org/index.php/OWASP_Dependency_Check
> >
> > > --Mark
> > >
> > > [1] https://github.com/blog/2470-introducing-security-alerts-on-github
> > > [2] https://snyk.io/
> > >
> > > On Fri, Feb 9, 2018 at 4:06 PM, Anthony Baker <aba...@pivotal.io> wrote:
> > >
> > > > Hi all,
> > > >
> > > > I’ve got a PR [1] open that updates lots of dependencies. Please review and let me know if you have any concerns. I’d like to merge it early next week barring any objections.
> > > >
> > > > Thanks,
> > > > Anthony
> > > >
> > > > [1] https://github.com/apache/geode/pull/1400

--
-John
john.blum10101 (skype)
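As an added illustration (not code from the thread or from the Geode project), this build.gradle combines the two suggestions above: inheriting Spring Boot's curated BOM through the Spring Dependency Management plugin, and running OWASP dependency-check in the normal verification lifecycle. The plugin versions, the dependency coordinates and the suppression-file path are assumptions chosen for the example; the BOM version 2.0.0.RC1 is the one the links above refer to.

```groovy
// Added example build.gradle; plugin versions below are assumed, not taken from the thread.
plugins {
    id 'java'
    id 'io.spring.dependency-management' version '1.0.4.RELEASE'
    id 'org.owasp.dependencycheck' version '3.1.1'
}

repositories {
    mavenCentral()
    // Spring milestone repository is required to resolve a release-candidate BOM
    maven { url 'https://repo.spring.io/milestone' }
}

dependencyManagement {
    imports {
        // Import the curated, harmonized version set instead of maintaining a
        // hand-written dependency-versions.properties file
        mavenBom 'org.springframework.boot:spring-boot-dependencies:2.0.0.RC1'
    }
}

dependencies {
    // No explicit versions: each is resolved from the imported BOM, so the
    // build gets the tested-together combination rather than ad-hoc picks
    implementation 'org.springframework:spring-context'
    implementation 'com.fasterxml.jackson.core:jackson-databind'
}

dependencyCheck {
    // Fail the build if any resolved artifact carries a known CVE scored at or above CVSS 7
    failBuildOnCVSS = 7
    // Scan only what actually ships; test and compile-only dependencies stay out of scope
    scanConfigurations = ['runtimeClasspath']
    // Hypothetical path: reviewed false positives are recorded here rather than ignored ad hoc
    suppressionFile = 'config/dependency-check-suppressions.xml'
}

// Hook the scan into `gradle check` so a CI pipeline runs it on every build
check.dependsOn dependencyCheckAnalyze
```

Running `gradle check` then resolves versions from the BOM and fails on any runtime dependency with a qualifying published vulnerability, which is the "run automatically in a pipeline" behaviour Anthony describes.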