Haiko Schol

Results 10 comments of Haiko Schol

Or maybe CVRF? https://www.redhat.com/security/data/cvrf/ and https://access.redhat.com/hydra/rest/securitydata/cvrf.json

Comparing OVAL and CVRF entries for the same RHSA, it seems that CVRF has all the information we need in an easier to consume structure. However, the XML version of...

FWIW, I'm in favor of a submodule in this case. It makes sense to include the spec that the code implements and make sure they are in sync.

I've been looking into this for a few days now. To keep things simple I created two repositories with toy examples that use Bazel: 1. [workspace flavor](https://github.com/haikoschol/bazel-android-py-cc-workspace) 1. [bzlmod flavor](https://github.com/haikoschol/bazel-android-py-cc-bzlmod)...

> To double-check, probably a comparison to the results of https://github.com/snyk-labs/bazel2snyk makes sense, @haikoschol. This tool examines Bazel build targets. That was also my initial intuition, but it turned out...

@re4lfl0w I just set this up and while that blog post was helpful, I had to adjust a few things. The blog post uses an older format for settings. In...

@blaumeiser-at-bosch The TL;DR is that any other runtime code the Go toolchain includes in the binaries that it builds is BSD licensed and copyrighted by "The Go Authors": https://go.dev/LICENSE So...

> `go list -m all` returns the dependencies in the go.sum file as it seems, but there are more dependencies there at least in our project compared to go.mod. The...

> ORT returns only the dependencies found in the go.mod file. I attach the output of `go list -m all` here, as I wrote above, some of them when asked...

Microsoft ships quite a bit of OSS code these days. Having said that, I don't know whether this feed makes sense for VulnerableCode. Someone needs to do the research on...