    Nathan Zender
    @zendern
    We support exclusion of vulnerability either by CVE-ID (ex: CVE-2018-20303) or via the OSS Index ID (ex: a8c20c84-1f6a-472a-ba1b-3eaedb2a2a14) as not all vulnerabilities have a CVE-ID.
    Jeffry Hesse
    @DarthHater
    Yep, just gotta use the CVE title or the OSS Index ID
    Jeffry Hesse
    @DarthHater
    You do raise a bit of a good point though, ignoring a CVE is a bit nuclear at the moment. It might be cool to allow someone to only ignore it if it's in a certain package? I've never been clear myself if CVE is 1:1 with a library or if it can be applied to multiple libraries.
    Go mod also doesn't give incredible insight into if something is a dev dependency at the moment (I think it would be neat if it did)
    Nathan Zender
    @zendern
    Might be a decent thought to add to Nancy. A shortcut of "I know this is a test dep only, so exclude everything forever"
    Go mod will probably give us a way eventually to only scan prod deps but until then
    islippers
    @islippers
    Thanks for the quick response guys. Ahh, monkey see.. But then ALL my external dependencies would be excluded for that particular CVE-ID?
    Jeffry Hesse
    @DarthHater
    Yeah, that's the caveat @islippers
    Which I think is more or less ok?
    We have paid tooling that lets you get more granular (Nexus IQ Server)
    Where you wouldn't exclude by CVE, you'd get a waiver for a specific library/version
    Jeffry Hesse
    @DarthHater
    @fitzoh 386 happens to the best of us
    Andrew Fitzgerald
    @fitzoh
    /giphy shame
    Nathan Zender
    @zendern
    :wink:
    Andrew Fitzgerald
    @fitzoh
    :point_up:
    So I've got a WIP version that replaces badger with SQLite
    Biggest question mark is cross-compilation, not sure if the C stuff makes that any trickier: http://mattn.github.io/go-sqlite3/
    (see FAQ on cross-compilation)
    Jeffry Hesse
    @DarthHater
    @fitzoh that rules
    Jeffry Hesse
    @DarthHater
    @zendern this went live today, props to @bhamail https://dev.to/sonatype/secure-your-golang-projects-using-nancy-5fk5
    Nathan Zender
    @zendern
    ❤️❤️❤️
    Andrew Fitzgerald
    @fitzoh
    So what are y'all's preferences regarding check granularity
    For instance, @DarthHater's license check PR is failing with this message: ci/circleci: build — Your tests failed on CircleCI
    Nathan Zender
    @zendern
    @fitzoh eh.... I'd ask how easy is it to do in CircleCI first. Like if we wanted lint, test, license, integration test, etc.... are we just talking individual jobs unlike our one big one now??
    Jeffry Hesse
    @DarthHater
    It would be nice if it gave more useful feedback, for sure
    Jeffry Hesse
    @DarthHater
    Also welcome @protoworlock69 to gitter! This is one of my interns I'm teaching Golang to. @zendern thanks for getting Dahlia the approval on that PR!
    Dahlia (and a slew of others) are learning to code from me right now (big mistake, right?) so if any of you want to help out, I figured I'd intro them as they join
    @zendern @fitzoh , I've been talking with @nblair and when I looked deeper at Google's Addlicense, it actually doesn't have a pattern google/addlicense#38
    Which means, dun dun dun, we could go implement it!
    It's funny that it's in the docs
    Jeffry Hesse
    @DarthHater
    @fitzoh @zendern I'm gonna kill badger today
    Or attempt to
    I seem to remember @fitzoh saying he had a branch in motion to do that?
    Jeffry Hesse
    @DarthHater
    LOL I kinda wanna use this:
    Just because it says this in the README
    Author of project don't work at Google or Facebook and his name not Howard Chu or Brad Fitzpatrick. But I'm open for issue or contributions.
    Nathan Zender
    @zendern
    lol...but that's in the Disadvantages :laughing: :laughing:
    Andrew Fitzgerald
    @fitzoh
    nice
    Nathan Zender
    @zendern
    I'm fine with whatever but if @fitzoh is already deep into SQLite....I'd say it's kinda up to him
    I'm not attached to anything
    Jeffry Hesse
    @DarthHater
    Lemme see if I can latch on to what you did
    Andrew Fitzgerald
    @fitzoh
    there are still open questions on how the cgo stuff looks w/ multi-platform
    Jeffry Hesse
    @DarthHater
    Yeah that scares me
    Nathan Zender
    @zendern
    @fitzoh in that WIP do you deal with TTL anywhere?? am i just missing it??
    Andrew Fitzgerald
    @fitzoh
    not really
    that was next on the list
    this was the start of that effort:
    import ("database/sql"; "time")
    // purgeExpiredEntries deletes nancy_cache rows older than ttl. Assumes insert_time is stored as a Unix
    // timestamp (the column type is not shown here) and propagates the Exec error instead of dropping it.
    func purgeExpiredEntries(db *sql.DB, ttl time.Duration) error {
        _, err := db.Exec("DELETE FROM nancy_cache WHERE insert_time < ?", time.Now().Add(-ttl).Unix())
        return err
    }