[HN Gopher] Vulnerability scanner written in Go that uses osv.dev data
___________________________________________________________________
Author : GavCo
Score : 116 points
Date : 2022-12-16 16:10 UTC (2 days ago)
| dlor wrote:
| This type of friendly tooling is exactly what was missing from
| OSV! I look forward to OSV making it easier to manage and deal
| with vulnerabilities.
| WalterSobchak wrote:
| Blog post: https://security.googleblog.com/2022/12/announcing-osv-scann...
| jicea wrote:
| I wasn't aware that Gradle has a <<gradle.lockfile>> that describes
| the dependency tree. Is it used in the Java/Kotlin world?
| ashishbijlani wrote:
| Great to see a developer-friendly tool around OSV! Packj [1] uses
| OSV APIs to report vulnerable PyPI/NPM/Rubygems packages.
| Disclaimer: I built it.
|
| 1. https://github.com/ossillate-inc/packj flags malicious/risky
| packages.
| technics256 wrote:
| This is really helpful to diversify the current oss tools.
|
| Does anyone know good sources for creating an SBOM?
| dlor wrote:
| Depends exactly what you're trying to create it for. I advocate
| for doing it during the build process rather than as a step
| after.
|
| We open sourced a few tools that do it automatically for
| containers:
|
| https://github.com/chainguard-dev/apko
|
| https://github.com/chainguard-dev/melange
| citruscomputing wrote:
| I've used the cyclonedx maven plugin, cyclonedx-bom on pypi,
| cdxgen for js, and cyclonedx-cli for various utilities (e.g.
| merging). All have worked great.
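The thread above ends with SBOM generation (cyclonedx-bom, cdxgen, cyclonedx-cli merging) and begins with a scanner that looks packages up in osv.dev. The block below, added here as an illustration and not code from the thread, from OSV-Scanner, or from Packj, ties those two ends together: it merges the components of two CycloneDX JSON documents into one deduplicated package-URL list, builds the request body that the public OSV API's POST /v1/querybatch endpoint accepts, and maps a querybatch-style response back onto the queried purls. The two SBOMs and the response are constructed samples with fictitious package names and placeholder vulnerability IDs; nothing is sent over the network.

```python
import json

# Constructed sample: two small CycloneDX 1.4 JSON documents, shaped like the
# output of cyclonedx-bom (PyPI) and cdxgen (npm). Package names are fictitious.
SBOM_PYTHON = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-http", "version": "1.0.0",
         "purl": "pkg:pypi/example-http@1.0.0"},
        {"type": "library", "name": "example-tls", "version": "2.1.0",
         "purl": "pkg:pypi/example-tls@2.1.0"},
    ],
}

SBOM_JS = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-utils", "version": "4.2.0",
         "purl": "pkg:npm/example-utils@4.2.0"},
        # Same component as in the other SBOM: a merge must collapse it.
        {"type": "library", "name": "example-tls", "version": "2.1.0",
         "purl": "pkg:pypi/example-tls@2.1.0"},
        # Component without a purl: it cannot be queried by purl, so it is reported as skipped.
        {"type": "library", "name": "local-helper", "version": "0.1.0"},
    ],
}


def merge_purls(*sboms):
    """Merge the components of several CycloneDX SBOMs into one ordered, deduplicated purl list.

    Returns (purls, skipped_component_names). Python dicts keep insertion order,
    so the first occurrence of a purl decides its position.
    """
    seen = {}
    skipped = []
    for sbom in sboms:
        if sbom.get("bomFormat") != "CycloneDX":
            raise ValueError("not a CycloneDX document")
        for comp in sbom.get("components", []):
            purl = comp.get("purl")
            if not purl:
                skipped.append(comp.get("name", "<unnamed>"))
                continue
            seen.setdefault(purl, comp)
    return list(seen), skipped


def osv_querybatch_payload(purls):
    """Build the JSON body for POST https://api.osv.dev/v1/querybatch.

    Each query identifies a package by purl; the version is part of the purl.
    """
    return {"queries": [{"package": {"purl": purl}} for purl in purls]}


def match_results(purls, response):
    """Pair each queried purl with the vulnerability IDs in a querybatch response.

    querybatch returns one result per query, in query order; an entry without a
    "vulns" key means no known advisory matched that package version.
    """
    results = response.get("results", [])
    if len(results) != len(purls):
        raise ValueError("OSV response length does not match the query list")
    matches = {}
    for purl, entry in zip(purls, results):
        ids = [v["id"] for v in entry.get("vulns", [])]
        if ids:
            matches[purl] = ids
    return matches


# Constructed sample response in the querybatch shape; the IDs are placeholders,
# not real OSV advisories.
SAMPLE_RESPONSE = {
    "results": [
        {"vulns": [{"id": "EXAMPLE-0001"}]},
        {"vulns": [{"id": "EXAMPLE-0002"}, {"id": "EXAMPLE-0003"}]},
        {},
    ]
}

if __name__ == "__main__":
    purls, skipped = merge_purls(SBOM_PYTHON, SBOM_JS)
    print(json.dumps(osv_querybatch_payload(purls), indent=2))
    print("skipped (no purl):", skipped)
    print("matches:", match_results(purls, SAMPLE_RESPONSE))
```

The skipped list is worth surfacing in a real pipeline: a component that an SBOM generator emitted without a purl silently falls out of any purl-based lookup, so coverage of the scan is only as good as the SBOM's identifiers.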
___________________________________________________________________