Interesting idea. I’m also looking at https://github.com/nebula-plugins/gradle-dependency-lock-plugin.

Anthony

> On Feb 13, 2018, at 8:15 AM, John Blum <jb...@pivotal.io> wrote:
>
> Ever consider inheriting from *Spring Boot's* dependency BOM file [1] by applying the *Spring* Dependencies Management Gradle Plugin? The advantage of the plugin over this [2] is that you are guaranteed to get a curated and harmonized list of *Spring* and 3rd party (transitive) dependencies that have all been tested and proven to work together. This is the fundamental basis for the *Spring IO Platform*. [3]
>
> General guidance can be found here [4], and you may specifically be interested in this [5]. You can learn more here [6].
>
> -j
>
> [1] https://docs.spring.io/spring-boot/docs/2.0.0.RC1/gradle-plugin/reference/html/#reacting-to-other-plugins-dependency-management
> [2] https://github.com/apache/geode/blob/rel/v1.4.0/gradle/dependency-versions.properties
> [3] https://platform.spring.io/platform/
> [4] https://docs.spring.io/spring-boot/docs/2.0.0.RC1/gradle-plugin/reference/html/#managing-dependencies
> [5] https://docs.spring.io/spring-boot/docs/2.0.0.RC1/gradle-plugin/reference/html/#managing-dependencies-using-in-isolation
> [6] https://github.com/spring-gradle-plugins/dependency-management-plugin/blob/master/README.md
>
> On Mon, Feb 12, 2018 at 2:14 PM, Mark Bretl <asf.mbr...@gmail.com> wrote:
>
>> OWASP is good too, even has a Gradle plugin [1]
>>
>> --Mark
>>
>> [1] https://github.com/jeremylong/dependency-check-gradle
>>
>> On Mon, Feb 12, 2018 at 12:36 PM, Anthony Baker <aba...@pivotal.io> wrote:
>>
>>>> On Feb 12, 2018, at 12:29 PM, Mark Bretl <asf.mbr...@gmail.com> wrote:
>>>>
>>>> Late to the game here, as I see this was merged today…
>>>
>>> Comments always appreciated :-)
>>>
>>>> The addition of the Gradle versions plugin is good and hopefully we can go farther down the path of dependency scanning by adding security as well. Currently, GitHub has this setup for Ruby and JavaScript [1], however it is lacking Java dependencies. Until GitHub can support Java dependencies, I would suggest we look at other tools, such as snyk.io [2], for tracking our dependencies with security vulnerabilities.
>>>
>>> dependency-check [1] from OWASP is pretty nice and easy to run automatically in a pipeline.
>>>
>>> Anthony
>>>
>>> [1] https://www.owasp.org/index.php/OWASP_Dependency_Check
>>>
>>>> --Mark
>>>>
>>>> [1] https://github.com/blog/2470-introducing-security-alerts-on-github
>>>> [2] https://snyk.io/
>>>>
>>>> On Fri, Feb 9, 2018 at 4:06 PM, Anthony Baker <aba...@pivotal.io> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> I’ve got a PR [1] open that updates lots of dependencies. Please review and let me know if you have any concerns. I’d like to merge it early next week barring any objections.
>>>>>
>>>>> Thanks,
>>>>> Anthony
>>>>>
>>>>> [1] https://github.com/apache/geode/pull/1400
>
> --
> -John
> john.blum10101 (skype)
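The thread above talks about three separate pieces of Gradle tooling: the versions plugin already merged in the PR, the OWASP dependency-check plugin Mark and Anthony recommend for vulnerability scanning, and the Spring dependency management plugin John suggests for importing Spring Boot's BOM. The build fragment below is an added illustration of how those fit together in one `build.gradle`; it is not taken from the thread or from the Geode project's build. The plugin version strings are placeholders (`x.y.z`), the Spring milestone repository is assumed to be needed for the `2.0.0.RC1` BOM named in John's links, and the suppression file path is a constructed example.

```groovy
plugins {
    // OWASP dependency-check (the plugin Mark linked); version is an assumed placeholder
    id 'org.owasp.dependencycheck' version 'x.y.z'
    // Spring's dependency management plugin (the one John suggested); version assumed
    id 'io.spring.dependency-management' version 'x.y.z'
    // The Gradle versions plugin mentioned in the thread; reports newer releases
    id 'com.github.ben-manes.versions' version 'x.y.z'
}

repositories {
    mavenCentral()
    // Assumed: a release candidate BOM is served from the Spring milestone repository
    maven { url 'https://repo.spring.io/milestone' }
}

// Import Spring Boot's BOM so transitive versions come from one curated, tested set
// instead of a hand-maintained properties file.
dependencyManagement {
    imports {
        mavenBom 'org.springframework.boot:spring-boot-dependencies:2.0.0.RC1'
    }
}

dependencies {
    // No explicit versions here: each is resolved from the imported BOM
    compile 'org.springframework:spring-context'
    testCompile 'junit:junit'
}

// Fail the build when a resolved dependency carries a published vulnerability
// with a CVSS score of 7.0 or higher, so a CI pipeline blocks the merge.
dependencyCheck {
    failBuildOnCVSS = 7.0
    // Constructed path: reviewed false positives are recorded here rather than
    // by lowering the threshold for everyone
    suppressionFile = 'config/dependency-check-suppressions.xml'
}

// Run the scan as part of the normal verification lifecycle (gradle check)
check.dependsOn dependencyCheckAnalyze
```

With this in place `./gradlew check` runs the vulnerability scan on every build, and `./gradlew dependencyUpdates` (the versions plugin's report task) lists the newer releases available, which is the workflow Anthony's PR set out to make routine.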