cloudfoundry / bosh-package-cf-cli-release

BOSH release of Cloud Foundry CLI
https://github.com/cloudfoundry/cli
Apache License 2.0

add cve scanning #16

Closed Benjamintf1 closed 4 months ago

Benjamintf1 commented 1 year ago

I wasn't sure if it would, but I figured it didn't hurt to check. Seems like it works fine. In fact we're actually getting data (like, 1 vuln) back from it vs the release, which is getting nothing.

moleske commented 1 year ago

Probably because the pipeline is scanning the main branch, not the v8 or v7 branch. We don't cut releases, and I recently reopened dependabot bumps that were closed on main so that the main dependencies actually match what's in v8.

moleske commented 1 year ago

Might inspire me to take a look again at capi and have it just scan cloud_controller_ng rather than everything.

Benjamintf1 commented 1 year ago

Good call, let me edit the pipeline.

Benjamintf1 commented 1 year ago

I mostly say scanning the release seems pointless because the only thing in the release is compiled CLIs, and I'm not convinced it's scanning the CLIs correctly right now.