Stream: wg-secure-code

Topic: Github vuln notifications


Shnatsel (Sep 20 2019 at 11:45, on Zulip):

So somebody's built a thing that parses RustSec and notifies you if your repo is vulnerable: https://blog.firosolutions.com/2019/09/github-rust-firo/

Alex Gaynor (Sep 20 2019 at 11:59, on Zulip):

Doesn't GitHub itself already do this?

Shnatsel (Sep 20 2019 at 17:29, on Zulip):

I'm not sure if GitHub reads from RustSec; probably not. This does.

Alex Gaynor (Sep 21 2019 at 00:58, on Zulip):

Dependabot is aware of RustSec I think, so I'd expect GitHub's thing does.

Tony Arcieri (Sep 23 2019 at 15:38, on Zulip):

I saw that. It looked cool, but I was also curious about Dependabot

Thom Chiovoloni (Sep 23 2019 at 21:33, on Zulip):

GitHub isn't aware of RustSec yet. Or wasn't ~2 months ago; I haven't checked since then.

Tony Arcieri (Sep 23 2019 at 23:19, on Zulip):

I've talked with people at GitHub about first-class support quite a bit. I don't think it's on their roadmap yet, but maybe soon.

Last update: Nov 11 2019 at 23:15 UTC