Suggestion: Use a free commercial open source dependency security tool on Accumulo


Suggestion: Use a free commercial open source dependency security tool on Accumulo

Dave Wichers
I previously provided feedback to the [hidden email] list
about use of known vulnerable dependencies in Accumulo.

I'd like to recommend the project experiment with and then adopt use of one
of the free for open source commercial tools.

I've been using these two:

   - https://snyk.io/test - Free forever for open source
   - https://www.sourceclear.com - 30 day trial only - unfortunately

Sonatype is working on a free for open source capability, but it is still
under development.

There is of course OWASP Dependency Check, which I understand the project
is using already, but Snyk in my experience is WAY better.

GitHub itself has tools for doing this per:
https://help.github.com/articles/viewing-and-updating-vulnerable-dependencies-in-your-repository/.
But apparently it only supports Ruby GEMS and Node.js as you can see here:
https://github.com/apache/accumulo/network/dependencies. As such, this
won't help Accumulo until they add Java support.

So, for now, unless someone finds something else (or better), I'd recommend
Snyk.

I'd also recommend trying out: https://dependabot.com/ - This free tool can
automatically generate pull requests for your project each time it
identifies when an upgrade to any component your project uses becomes
available. It supports TONS of languages, including Java.

I'd like to work with you on this and/or get your feedback on what
works/doesn't work, how to make their use easier/etc.

-Dave

Re: Suggestion: Use a free commercial open source dependency security tool on Accumulo

Mike Miller-2
Hey Dave - I pointed Snyk at Accumulo's github repo using the link [1] you
provided and it claimed we have 0 Vulnerabilities via 0 paths.  It doesn't
look like it actually did a scan of our repo since the page returned
instantly with those results.  They do provide the Markup to put the 0
vulnerabilities badge in our README though... so I guess we can?  Also Snyk
has another page that asks for github permissions that seem rather
extraneous.  I stopped here because I did not want to give them permissions
to write code to my repos.

[1] https://snyk.io/test

On Wed, Aug 29, 2018 at 1:56 PM Dave Wichers <[hidden email]> wrote:
