clojure-europe

For people in Europe... or elsewhere... UGT https://indieweb.org/Universal_Greeting_Time
slipset 2021-02-15T07:10:06.399600Z

morning

thomas 2021-02-15T08:01:54.399800Z

morning

djm 2021-02-15T08:09:35.400Z

👋

ordnungswidrig 2021-02-15T08:27:45.400200Z

good monday morning

borkdude 2021-02-15T08:39:46.400400Z

morning!

dharrigan 2021-02-15T08:52:39.400600Z

Good Morning!

javahippie 2021-02-15T08:55:11.400900Z

Morning!

anthony-galea 2021-02-15T09:13:06.401100Z

mornin

2021-02-15T09:14:34.401300Z

morning

2021-02-15T09:14:43.401600Z

thx for the new clj-kondo @borkdude

🎉 1
orestis 2021-02-15T13:07:45.401900Z

Morning 🙂

orestis 2021-02-15T13:08:08.402300Z

I saw a little birdie on the tree outside my window so I guess spring is coming 😄

jasonbell 2021-02-15T13:28:42.402500Z

Morning

dominicm 2021-02-15T15:02:50.402700Z

Morning

orestis 2021-02-15T18:15:42.403Z

Whoo, new M1 Macbook Air arrived today.

🤘 1
borkdude 2021-02-15T18:37:43.403200Z

@orestis Didn't you already have one?

borkdude 2021-02-15T18:38:44.403500Z

Ah, that was your wife's, right? Congrats

orestis 2021-02-15T18:39:56.404Z

Yep. I got the high end to get more space, and a USA keyboard. Now I can put it through the paces a bit more aggressively 🙂

slipset 2021-02-15T21:31:58.407200Z

So, wondering about security and CVEs and such, we decided to see if github could help us. We now generate a pom.xml on each release, and lo and behold, github manages to parse that, and show us what it calls a “Dependency graph”, much like you see here for clj-commons/pomegranate https://github.com/clj-commons/pomegranate/network/dependencies But this doesn’t show transitive dependencies, only the ones that are declared in the pom.xml which is kind’a sucky because the vulnerabilities that we have are in the transitive deps. Anyone have any experience with this or figured out how to make it work?

dominicm 2021-02-15T21:39:18.407300Z

@slipset I've not used it, but I think http://libraries.io is good for this stuff.

slipset 2021-02-15T21:43:22.408100Z

The thing is that we’ve found all the stuff we need to find by running the nvd plugin for lein,

slipset 2021-02-15T21:43:23.408300Z

https://github.com/rm-hull/lein-nvd

dominicm 2021-02-15T21:44:10.409400Z

ah, so the goal is really for github to be better, rather than anything else.

slipset 2021-02-15T21:44:24.409700Z

But Manager wants to have this as a report which he can look at whenever he chooses, so we were hoping that github/dependabot could provide this report to Manager.

slipset 2021-02-15T21:44:43.410100Z

instead of me promising to run it once a week and send him an email.

dominicm 2021-02-15T21:45:01.410200Z

If you only cared about the github thing (i.e. not using pom.xml for anything else) I could imagine a script which pulled the whole transitive dep list instead and put that in a pom.xml

dominicm 2021-02-15T21:45:13.410300Z

You could also just set up a github action though I guess :D

slipset 2021-02-15T21:45:48.410800Z

Yup, but I was kind’a hoping that github security was a bit more than what it seems to be.

slipset 2021-02-15T21:46:51.411200Z

Anyways, good to see you back @dominicm 🙂

dominicm 2021-02-15T21:47:47.411300Z

Was it noticed was it 😁. In the new year I decided to step back from the keyboard a little more. I've become a little detached from the real world, side effect of turning my hobby into my career I think. They've been blended together for so long now, it's hard to switch off in the evenings.

slipset 2021-02-15T21:49:05.411500Z

🙂

slipset 2021-02-15T21:49:14.411800Z

Anyways, bed time here.