Closed BraisGabin closed 5 months ago
It's scary the list of dependencies that this simple project has: https://github.com/detekt/sarif4k/network/dependencies
I think for this to be as useful as #90 was, an admin (@BraisGabin @cortinico @chao2zhang?) has to press a button somewhere here:
because this page is empty: https://github.com/detekt/sarif4k/security/dependabot
Compare with detekt.
Done, now it isn't empty.
"Great"... thanks.
And now it's empty. I must say that handling this kind of vulnerability is a PITA. A vulnerability in Gradle is completely different from a vulnerability that we introduce in the artifact that we release.
It doesn't mean we're providing vulnerable code, it means WE (our CI and our local machines) ARE vulnerable. We actually use XML because Gradle parses POM files. There's nothing we can do about this though other than report it to Gradle and keep it up to date.
https://github.com/gradle/actions/blob/v3.0.0/dependency-submission/README.md#general-usage
Also from the README:
(This is basically a cherry-pick from this PR: https://github.com/detekt/detekt/pull/6933)