Fork me on GitHub
#clojure-europe
<
2021-02-15
>
ordnungswidrig08:02:45

good monday morning

dharrigan08:02:39

Good Morning!

otfrom09:02:43

thx for the new clj-kondo @borkdude

🎉 3
orestis13:02:45

Morning 🙂

orestis13:02:08

I saw a little birdie on the tree outside my window so I guess spring is coming 😄

orestis18:02:42

Whoo, new M1 Macbook Air arrived today.

metal 3
borkdude18:02:43

@orestis Didn't you already have one?

borkdude18:02:44

Ah, that was you're wife's right? Congrats

orestis18:02:56

Yep. I got the high end to get more space, and a USA keyboard. Now I can put it through the paces a bit more aggressively 🙂

slipset21:02:58

So, wondering about security and CVE’s and such, we decided to see if github could help us. We now generate a pom.xml on each release, and lo and behold, github manages to parse that, and show us what it calls a “Dependency graph”, much like you see here for clj-commons/pomegranate https://github.com/clj-commons/pomegranate/network/dependencies But this doesn’t show transitive dependencies, only the ones that are declared in the pom.xml which is kind’a sucky because the vulnerabilities that we have are in the transitive deps. Anyone have any experience with this or figured out how to make it work?

dominicm21:02:18

@slipset I've not used it, but I think http://libraries.io is good for this stuff.

slipset21:02:22

The thing is that we’ve found all the stuff we need to find by running the nvd plugin for lein,

dominicm21:02:10

ah, so the goal is really for github to be better, rather than anything else.

slipset21:02:24

But Manager wants to have this as a report which he can look at whenever he chooses, so we were hoping that github/dependabot could provide this report to Manager.

slipset21:02:43

instead of me promising to run it once a week and send him an email.

dominicm21:02:01

If you only cared about the github thing (i.e. not using pom.xml for anything else) I could imagine a script which pulled the whole transitive dep list instead and put that in a pom.xml

dominicm21:02:13

You could also just setup a github action though I guess :D

4
slipset21:02:48

Yup, but I was kind’a hoping that github security was a bit more than what it seems to be.

slipset21:02:51

Anyways, good to see you back @dominicm 🙂

dominicm21:02:47

Was it noticed was it 😁. In the new year I decided to step back from the keyboard a little more. I've become a little detached from the real world, side effect of turning my hobby into my career I think. They've been blended together for so long now, it's hard to switch off in the evenings.

slipset21:02:14

Anyways, bed time here.