👋 Olivier, dev at teads
Note
The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information-security vulnerabilities and exposures
goal: give you tips/tools to monitor and fix CVEs
graph LR
A[plugin] -->|generate snapshot| B[plugin]
B -->|publish snapshot| C[github]
C -->|update CVE alerts| C[github]
In a workflow file under .github/workflows/:
name: Update Dependency Graph
on:
  push:
    branches:
      - main
jobs:
  dependency-graph:
    name: Update Dependency Graph
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: scalacenter/sbt-dependency-submission@v2
runs from the repo's Actions tab => the resulting alerts show up in the Dependabot section of the repo's Security tab
Add to project/plugins.sbt:
addDependencyTreePlugin
run in sbt:
dependencyTree
whatDependsOn com.amazonaws aws-java-sdk-core 1.12.148
dependencyBrowseGraph
dependencyBrowseTree
evicted
find artifact deps:
$ coursier resolve com.amazonaws:aws-java-sdk-secretsmanager:1.12.148
also useful: mvnrepository.com
Add to project/plugins.sbt:
addSbtPlugin("net.vonbuchholtz" % "sbt-dependency-check" % "5.1.0")
sbt dependencyCheck
- generates
target/scala-3.4.2/dependency-check-report.html
- WARNING ⚠ does not give exactly the same results as sbt-dependency-submission
sbt:
githubGenerateSnapshot
githubAnalyzeDependencies alerts
githubAnalyzeDependencies cves
githubAnalyzeDependencies list jackson-databind
githubAnalyzeDependencies get jackson-databind:2.12.3
graph LR
A{is it a parent lib?} -->|yes| B[bump it]
A -->|no| C{ can you bump parent? }
C -->|yes| D[bump parent]
C -->|no| E{ is the lib provided\nby another lib?}
E -->|yes| F[exclude lib]
E -->|no| G[override lib]
WARNING ⚠ be careful in the last two cases (exclude / override): there might be incompatibilities between the version you force and what the parent lib expects
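Added example, not code from the talk or from any sbt plugin: a small Python triage script that does, on a dependency graph, what `whatDependsOn` and the decision chart above do by hand. It takes the edges of a resolved graph (as `dependencyTree` would print them) and a table of advisories expressed as version ranges, then lists every affected artifact, the path from a direct dependency that pulls it in, and the fix the chart suggests (bump a direct dep; bump, exclude or override for a transitive one). The graph, the advisory ids and the version ranges are all constructed for the illustration; the version comparison is a simplified numeric compare, not Maven's full ordering.

```python
"""Triage helper for dependency CVE alerts (added example, not code from the
talk or from any sbt plugin). Coordinates are "org:name:version" strings; all
sample data below is constructed, advisory ids are placeholders."""
from __future__ import annotations

from dataclasses import dataclass


def parse_version(version: str) -> tuple[int, ...]:
    """'2.12.3' -> (2, 12, 3). Simplified: only the leading digits of each
    dot-separated part count, so '3-rc1' becomes 3 (not Maven's full ordering)."""
    parts = []
    for part in version.split("."):
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    advisory_id: str  # placeholder, not a real CVE number
    org: str
    name: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive)

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        return parse_version(self.introduced) <= v < parse_version(self.fixed)


@dataclass
class Finding:
    advisory_id: str
    coord: str               # affected artifact
    direct: bool             # declared in libraryDependencies?
    paths: list[list[str]]   # each path starts at a direct dependency
    recommendation: str


def all_paths(graph: dict[str, list[str]], root: str, target: str) -> list[list[str]]:
    """Every path root -> ... -> target, with the root itself dropped (what whatDependsOn shows)."""
    found: list[list[str]] = []

    def dfs(node: str, trail: list[str]) -> None:
        if node == target:
            found.append(trail[1:])
            return
        for child in graph.get(node, []):
            if child not in trail:  # guard against cycles in the graph
                dfs(child, trail + [child])

    dfs(root, [root])
    return found


def triage(graph: dict[str, list[str]], root: str, advisories: list[Advisory]) -> list[Finding]:
    """Match every node of the graph against the advisories and apply the decision chart."""
    nodes = set(graph) | {c for children in graph.values() for c in children}
    nodes.discard(root)
    findings: list[Finding] = []
    for adv in advisories:
        for coord in sorted(nodes):
            org, name, version = coord.split(":")
            if (org, name) != (adv.org, adv.name) or not adv.affects(version):
                continue
            paths = all_paths(graph, root, coord)
            if not paths:  # node not reachable from the root: nothing to fix here
                continue
            direct = any(len(p) == 1 for p in paths)
            if direct:
                rec = "direct dependency: bump it in libraryDependencies"
            else:
                parents = sorted({p[-2] for p in paths})
                rec = (f"transitive via {', '.join(parents)}: bump the parent if a release "
                       "without this advisory exists, otherwise exclude it from the parent "
                       "or pin it with dependencyOverrides (check for incompatibilities)")
            findings.append(Finding(adv.advisory_id, coord, direct, paths, rec))
    return findings


# Constructed sample graph: the project root and its resolved dependencies.
ROOT = "com.example:my-service:1.0.0"
SAMPLE_GRAPH = {
    ROOT: [
        "com.amazonaws:aws-java-sdk-secretsmanager:1.12.148",
        "com.fasterxml.jackson.core:jackson-databind:2.12.3",
        "com.test.foo:my-dummy-lib:0.1.0",
    ],
    "com.amazonaws:aws-java-sdk-secretsmanager:1.12.148": ["com.amazonaws:aws-java-sdk-core:1.12.148"],
    "com.amazonaws:aws-java-sdk-core:1.12.148": ["com.fasterxml.jackson.core:jackson-databind:2.12.3"],
    "com.test.foo:my-dummy-lib:0.1.0": ["com.blah:lib-42:0.1.0"],
}
# Constructed advisories with placeholder ids and made-up version ranges.
SAMPLE_ADVISORIES = [
    Advisory("EXAMPLE-ADV-1", "com.fasterxml.jackson.core", "jackson-databind", "2.0.0", "2.13.0"),
    Advisory("EXAMPLE-ADV-2", "com.blah", "lib-42", "0.0.0", "0.2.0"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_GRAPH, ROOT, SAMPLE_ADVISORIES):
        print(f"{f.advisory_id}: {f.coord}")
        for p in f.paths:
            print("   via " + " -> ".join(p))
        print("   fix: " + f.recommendation)
```

Run it as a script to see both findings: jackson-databind is reported as a direct dependency (bump it) even though the AWS SDK also pulls it in, while lib-42 only arrives through my-dummy-lib, so the script points you at the parent-bump / exclude / override branch of the chart.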
build.sbt:
libraryDependencies ++= Seq(
"com.test.foo" % "my-dummy-lib" % "0.1.0" exclude ("com.blah", "lib-42")
)
build.sbt:
// no need to exclude the old version in sbt: declaring the lib directly in
// `libraryDependencies` makes the default conflict manager keep the highest version
libraryDependencies ++= Seq("com.blah" % "lib-42" % "0.2.0")
// or override just that jar, wherever it comes from
dependencyOverrides ++= Seq("com.blah" % "lib-42" % "0.2.0")
Questions?