Closed vitoravelino closed 7 years ago
I have kind of mixed feelings about this:
Maybe @jordimassaguerpla can bring some light here.
If our gems are shipped with patches that cover CVEs then there's nothing to be discussed. I had no idea, that's why I opened this.
I know the issue is closed, but I just wanted to say I think it would be nice to integrate https://snyk.io/ on the Go projects we have.
@vitoravelino : first of all, thanks for checking it :)
The issues you mention do not affect us because we are not vendoring libxslt or libxml2 but using the system ones instead. So we are safe.
In general I prefer to use bundler-audit from https://github.com/rubysec which queries an open database and can be run on our CI.
Having issues with dependencies might become a problem in the future. We never know. I thought it would be a good idea since we always try to deliver stable products.
I looked around and found three services that do some checks:
They are free for open source projects.
We currently have 3 issues because nokogiri < 1.7.2:
Snyk reported those 3 issues, and Hakiri and Deppbot only the CVE ones.
What do you think?
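The two checks the thread turns on, a bundler-audit style version comparison against Gemfile.lock and the vendored-versus-system libxml2 question, as an added example that is not part of this issue or of the project's code. The Gemfile.lock excerpt is constructed, and the `info` hash is assumed to have the shape of `Nokogiri::VERSION_INFO` (`{"libxml" => {"source" => "packaged" | "system"}}`).

```ruby
require "rubygems" # Gem::Version

# Constructed Gemfile.lock excerpt (not the project's): nokogiri pinned below 1.7.2.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mini_portile2 (2.1.0)
      nokogiri (1.7.1)
        mini_portile2 (~> 2.1.0)
      rack (2.0.1)
LOCK

# Return {name => Gem::Version} for every spec line in a Gemfile.lock string.
# Spec lines are indented exactly four spaces; deeper lines are their dependencies.
def locked_gems(lockfile)
  lockfile.each_line.with_object({}) do |line, gems|
    next unless line =~ /\A {4}(\S+) \(([^)]+)\)\s*\z/
    gems[$1] = Gem::Version.new($2)
  end
end

# The version the thread names as fixed: nokogiri below 1.7.2 is flagged.
NOKOGIRI_FIXED_IN = Gem::Version.new("1.7.2")

# bundler-audit style check: true when the locked nokogiri is older than the fix.
def vulnerable_nokogiri?(gems)
  version = gems["nokogiri"]
  !version.nil? && version < NOKOGIRI_FIXED_IN
end

# The libxml2/libxslt advisories only apply when nokogiri ships its own copies
# ("packaged"); a build against the system libraries ("system") is patched by the OS.
# `info` is assumed to look like Nokogiri::VERSION_INFO.
def libxml_advisories_apply?(info)
  info.fetch("libxml", {}).fetch("source", "packaged") == "packaged"
end

# Combine both signals so a version-only finding can be triaged, as in the thread.
def triage(lockfile, info)
  gems = locked_gems(lockfile)
  { nokogiri_outdated: vulnerable_nokogiri?(gems),
    libxml_exposure: libxml_advisories_apply?(info) }
end

if $PROGRAM_NAME == __FILE__
  p triage(SAMPLE_LOCKFILE, { "libxml" => { "source" => "system" } })
end
```

The lockfile check alone reports the gem as outdated, while the system-libxml2 build shows the libxml2 advisories do not reach the running code, which is the distinction drawn in the thread.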