We just tried the new Dependency Submission Action, seems very nice!

Thanks for the feedback @Simon Kågedal Reimer

For folks joining this channel, here are some useful links: • Guide to Resolving a Dependency Vulnerability: it's sometimes tricky to work out why a dependency is appearing in your project. This is a guide to working out what's bringing it in, and how to fix it. • A project demonstrating the use of `dependency-submission` with some examples of dependency vulnerabilities. Fork this project and follow the guide to fixing some real-world vulnerabilities. • Frequently asked questions about

dependency-submission

Contiene!

GitHub Universe CFPs are open until the end of the week. https://githubuniverse.com/

Hi, we've just started using the dependency submission action, dependencies and version are being populated under the Insights -> Dependency Graph -> Dependencies tab. However, license details aren't. For example

pkg:maven/com.google.code.gson/gson@2.9.0

from the demo repo is labelled

"licenseConcluded": "Apache-2.0"

but for the same package there is no

licenseConcluded

entry on ours. Following setting up the build env the action is being run in the same way as the demo repo (minus scan publishing). Any ideas on how to resolve the licenses problem? For ref we're running a self-hosted GHE instance. Cheers!

FYI

hi! How do you feel about github generated dependency graph (SBOM) having gradle version inside? I'm missing it in my reports 😉

Do you people use GH setup action if you already have remote cache setup? I see that builds are faster but also upload/download times added in total time. The only benefit I see that is configuration cache hit. But I need probably better timing comparison and maybe I miss something extra.