DEV Community

Discussion on: 3 Open Source Security Risks and How to Address Them: What You Need to Know

Thorsten Hirsch

Great article, Joy! I'm starting to work on automated vulnerability scanning in our CI/CD pipeline. The detection with the software of the leading vendors seems pretty good already, but I want to go one step further: whenever a vulnerability is found in an open source dependency, I want to upgrade the dependency automatically (e.g. in package.json or pom.xml), check if the build and tests run successfully, and open a PR, so that a developer (or maintainer) can release a fixed version with just one click.

Do you have a tool recommendation for that matter?

Just one more thing regarding your article. I don't understand the following part:

Open source software comes with a license that allows the source code to be used, modified, or shared under defined guidelines. However, the problem with these licenses is that most of them don’t meet the stringent OSI and SPDX definitions of open source.

My impression is that open source software licenses are highly standardised; more than 90% of them meet the OSI and SPDX definitions - which is pretty easy, since all of the popular licenses are approved as open source licenses by both of them: Apache License, BSD (the new one and the old one), GPL, LGPL, MIT, Mozilla. The full lists of OSI and SPDX are much longer. SPDX even contains the "Beerware License". 🤣
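The "upgrade the dependency automatically" step from the comment above, as an added example that is not part of the original post or of any vendor's tool: it takes a parsed package.json plus a list of findings (a constructed stand-in format with a package name and the first fixed version), raises each affected spec to the fixed version while keeping its range operator, and leaves anything it cannot parse untouched so the PR reviewer sees it. Package names and versions in the sample are placeholders, not real advisories.

```python
# Added example: bump vulnerable deps in a parsed package.json to the fixed version.
# The "finding" dicts are a constructed stand-in for a scanner report, not a real format.
import re
from typing import Dict, List, Tuple

# Optional range operator (^, ~, >=, =) followed by a plain x.y.z version.
_SPEC_RE = re.compile(r"^(?P<op>\^|~|>=|=)?(?P<ver>\d+\.\d+\.\d+)$")

def parse_version(ver: str) -> Tuple[int, ...]:
    """'1.2.3' -> (1, 2, 3); anything that is not plain semver is rejected."""
    parts = ver.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {ver!r}")
    return tuple(int(p) for p in parts)

def bump_spec(spec: str, fixed: str) -> str:
    """Raise the spec's floor to `fixed`, keeping its operator (^4.1.0 -> ^4.1.7).

    Specs this cannot reason about (git URLs, '*', 'latest', spaced ranges) are
    returned unchanged so the PR reviewer handles them by hand.
    """
    m = _SPEC_RE.match(spec.strip())
    if not m or parse_version(m.group("ver")) >= parse_version(fixed):
        return spec  # unparsable, or already at/above the fixed version
    return f"{m.group('op') or ''}{fixed}"

def apply_fixes(pkg: Dict, findings: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Rewrite `pkg` in place; return (name, old_spec, new_spec) for each change."""
    changes = []
    for f in findings:
        name, fixed = f["package"], f["fixed_version"]
        for section in ("dependencies", "devDependencies"):
            deps = pkg.get(section, {})
            if name in deps and (new := bump_spec(deps[name], fixed)) != deps[name]:
                changes.append((name, deps[name], new))
                deps[name] = new
    return changes

# Constructed sample: placeholder package names, not real advisories.
SAMPLE_PKG = {"dependencies": {"some-lib": "^4.1.0", "pinned-lib": "2.0.0", "git-lib": "git+https://example.invalid/x.git"},
              "devDependencies": {"test-tool": "~8.2.0"}}
SAMPLE_FINDINGS = [{"package": "some-lib", "fixed_version": "4.1.7"},
                   {"package": "git-lib", "fixed_version": "1.0.0"},   # unparsable spec: left for a human
                   {"package": "test-tool", "fixed_version": "7.0.0"}]  # already above: no-op

if __name__ == "__main__":
    for name, old, new in apply_fixes(SAMPLE_PKG, SAMPLE_FINDINGS):
        print(f"{name}: {old} -> {new}")  # prints "some-lib: ^4.1.0 -> ^4.1.7"
```

The returned change list is what the pipeline would put in the PR description; the build-and-test gate and the PR creation themselves are left to the CI system.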