[HN Gopher] Vulnerability scanner written in Go that uses osv.de...
___________________________________________________________________
 
Vulnerability scanner written in Go that uses osv.dev data
 
Author : GavCo
Score  : 116 points
Date   : 2022-12-16 16:10 UTC (2 days ago)
 
 (HTM) web link (github.com)
 (TXT) w3m dump (github.com)
 
| dlor wrote:
| This type of friendly tooling is exactly what was missing from
| OSV! I look forward to OSV making it easier to manage and deal
| with vulnerabilities.
 
| WalterSobchak wrote:
| Blog post: https://security.googleblog.com/2022/12/announcing-osv-scann...
 
| jicea wrote:
| I wasn't aware that Gradle has <<gradle.lockfile>> that describes
| the dependency tree. Is it used in the Java/Kotlin world?
 
| ashishbijlani wrote:
| Great to see a developer-friendly tool around OSV! Packj [1] uses
| OSV APIs to report vulnerable PyPI/NPM/Rubygems packages.
| Disclaimer: I built it.
| 
| 1. https://github.com/ossillate-inc/packj flags malicious/risky
| packages.
 
| technics256 wrote:
| This is really helpful to diversify the current OSS tools.
| 
| Does anyone know good sources for creating an SBOM?
 
  | dlor wrote:
  | Depends exactly what you're trying to create it for. I advocate
  | for doing it during the build process rather than as a step
  | after.
  | 
  | We open sourced a few tools that do it automatically for
  | containers:
  | 
  | https://github.com/chainguard-dev/apko
  | 
  | https://github.com/chainguard-dev/melange
 
  | citruscomputing wrote:
  | I've used the cyclonedx maven plugin, cyclonedx-bom on PyPI,
  | cdxgen for JS, and cyclonedx-cli for various utilities (e.g.
  | merging). All have worked great.
___________________________________________________________________
  (page generated 2022-12-18 23:00 UTC)
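The thread discusses a scanner that matches locked dependency versions against osv.dev advisories. The Go program below is an added example, not code from osv-scanner or Packj: it models the subset of the OSV record format (id, affected package, ECOSYSTEM/SEMVER ranges with introduced/fixed events) that such a match needs, walks the version events the way the OSV schema defines them, and reports which advisories apply to each `name==version` line of a requirements-style lockfile. The advisory JSON, the `OSV-EXAMPLE-0001` id, the package name `examplepkg` and the lockfile lines are all constructed sample data; `last_affected` events and GIT commit ranges are deliberately not handled.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Advisory is a minimal view of one osv.dev record (only the fields used here).
type Advisory struct {
	ID       string     `json:"id"`
	Affected []Affected `json:"affected"`
}

// Affected names one package and the version ranges in which it is vulnerable.
type Affected struct {
	Package struct {
		Ecosystem string `json:"ecosystem"`
		Name      string `json:"name"`
	} `json:"package"`
	Ranges []struct {
		Type   string `json:"type"`
		Events []struct {
			Introduced string `json:"introduced,omitempty"`
			Fixed      string `json:"fixed,omitempty"`
		} `json:"events"`
	} `json:"ranges"`
}

// sampleAdvisories is CONSTRUCTED sample data in OSV format; the id is a placeholder.
const sampleAdvisories = `[
 {"id":"OSV-EXAMPLE-0001",
  "affected":[{"package":{"ecosystem":"PyPI","name":"examplepkg"},
   "ranges":[{"type":"ECOSYSTEM","events":[
     {"introduced":"0"},{"fixed":"1.2.3"},
     {"introduced":"2.0.0"},{"fixed":"2.0.5"}]}]}]}
]`

// compareVersions orders dotted numeric versions component-wise (1.10 > 1.9).
// "0" is the OSV convention for "every version", and sorts below everything.
func compareVersions(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		var x, y int
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x != y {
			if x < y {
				return -1
			}
			return 1
		}
	}
	return 0
}

// versionAffected walks the ascending introduced/fixed events of each range:
// the version is vulnerable when the last event at or below it is "introduced".
func versionAffected(a Affected, version string) bool {
	for _, r := range a.Ranges {
		if r.Type != "ECOSYSTEM" && r.Type != "SEMVER" {
			continue // GIT ranges need commit history, not handled here
		}
		affected := false
		for _, e := range r.Events {
			if e.Introduced != "" && compareVersions(version, e.Introduced) >= 0 {
				affected = true
			}
			if e.Fixed != "" && compareVersions(version, e.Fixed) >= 0 {
				affected = false
			}
		}
		if affected {
			return true
		}
	}
	return false
}

// FindVulns returns the ids of advisories that apply to ecosystem/name@version.
func FindVulns(advisories []Advisory, ecosystem, name, version string) []string {
	var ids []string
	for _, adv := range advisories {
		for _, a := range adv.Affected {
			if a.Package.Ecosystem == ecosystem && a.Package.Name == name && versionAffected(a, version) {
				ids = append(ids, adv.ID)
				break
			}
		}
	}
	return ids
}

// ScanRequirements checks "name==version" lines of a requirements.txt-style
// lockfile (PyPI ecosystem) and maps each vulnerable line to its advisory ids.
func ScanRequirements(advisoryJSON, requirements string) (map[string][]string, error) {
	var advisories []Advisory
	if err := json.Unmarshal([]byte(advisoryJSON), &advisories); err != nil {
		return nil, err
	}
	findings := map[string][]string{}
	for _, line := range strings.Split(requirements, "\n") {
		line = strings.TrimSpace(line)
		parts := strings.SplitN(line, "==", 2)
		if line == "" || strings.HasPrefix(line, "#") || len(parts) != 2 {
			continue
		}
		if ids := FindVulns(advisories, "PyPI", parts[0], parts[1]); len(ids) > 0 {
			findings[line] = ids
		}
	}
	return findings, nil
}

func main() {
	// constructed lockfile: 1.1.0 and 2.0.1 fall in affected ranges, 1.2.3 is the fix
	reqs := "examplepkg==1.1.0\nexamplepkg==1.2.3\nexamplepkg==2.0.1\nother==0.1\n"
	findings, err := ScanRequirements(sampleAdvisories, reqs)
	if err != nil {
		panic(err)
	}
	for dep, ids := range findings {
		fmt.Printf("%s: %s\n", dep, strings.Join(ids, ", "))
	}
}
```

The event walk is the part worth getting right: a version equal to a `fixed` boundary is not affected, while a version equal to an `introduced` boundary is, and a second `introduced` after a `fixed` reopens the range, which is why the loop keeps updating the flag instead of returning on the first match.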