#cve #security
I need advice on how to act in the following case:
A medium-to-big software vendor using #golang claims that the CVEs reported by #trivy and MS Defender on their statically linked binaries are false positives.
Only #snyk would give a "correct" result.
They are not willing to share their go.mod file so I can verify that they are not using package version XY in them.
I am somewhat skeptical about this argument. What are my best chances of finding verifiable proof of this (other than attempting to exploit the vuln)?
Are trivy and MS Defender known for false-positives in such cases?
I am in a weird spot where multiple scanners flag (multiple) binaries, the company says "all good, nothing there, error on your (scanner) side" and I need to report to the security team with 2:1 scanners in favor of the vuln being present.
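The part of this that can be checked without the vendor's go.mod is the module list itself: a module-mode Go binary carries its build list (Go version, main module, every dependency with its version, and any replace directive) in a build-info section that `go version -m <binary>` prints and that `-ldflags="-s -w"` does not strip. Trivy's Go binary detection is keyed on that list, so the "version XY is linked in" half of the finding can be reproduced independently; the "and the vulnerable code is reachable" half is what `govulncheck -mode=binary <binary>` is for, since it only reports an advisory when the affected symbol is actually present in the binary. The program below is an added example, not code from the original post or from any scanner: it reads the embedded build info with the standard-library `debug/buildinfo` package (the same data `go version -m` shows) and compares it against an advisory range. The `Advisory` type, the `EXAMPLE-0001` entry and the `example.com/...` module paths are constructed for illustration; substitute the module and the introduced/fixed versions from the scanner report you are disputing. It also surfaces the two cases that most often explain a scanner disagreement: a replace directive (the replacement, not the required version, is what gets linked) and pseudo-versions or `(devel)` versions, which cannot be ranked against a semver range and need a manual look at the commit.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
	"strconv"
	"strings"
)

// Advisory is a constructed stand-in for what a scanner finding boils down to:
// a module path and an affected range [Introduced, Fixed). Not a real advisory.
type Advisory struct {
	ID         string
	Module     string
	Introduced string // "" means every version before Fixed is affected
	Fixed      string // "" means no fixed version is known
}

// semver holds the three numeric components plus any pre-release/pseudo suffix.
type semver struct {
	nums [3]int
	pre  string // "" for a plain release such as v1.2.3
}

// parseVersion handles v1.2.3, v1.2.3+incompatible and pseudo-versions such as
// v0.0.0-20230101000000-abcdef123456. Anything else (e.g. "(devel)") is an error.
func parseVersion(v string) (semver, error) {
	v = strings.TrimPrefix(v, "v")
	v = strings.TrimSuffix(v, "+incompatible")
	var s semver
	if i := strings.IndexByte(v, '-'); i >= 0 {
		s.pre, v = v[i+1:], v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return s, fmt.Errorf("not a vX.Y.Z version: %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return s, fmt.Errorf("bad component %q: %w", p, err)
		}
		s.nums[i] = n
	}
	return s, nil
}

// compare orders two versions; a pre-release/pseudo-version sorts before the
// release with the same numbers, as semver requires.
func compare(a, b semver) int {
	for i := 0; i < 3; i++ {
		if a.nums[i] != b.nums[i] {
			if a.nums[i] < b.nums[i] {
				return -1
			}
			return 1
		}
	}
	switch {
	case a.pre == b.pre:
		return 0
	case a.pre == "":
		return 1
	case b.pre == "":
		return -1
	}
	return strings.Compare(a.pre, b.pre)
}

// LinkedVersion returns the version of module path that is actually in the
// binary: the replace target when a replace directive applies, else the
// required version. ok is false when the module is not in the build list.
func LinkedVersion(bi *debug.BuildInfo, path string) (version string, replaced, ok bool) {
	for _, d := range bi.Deps {
		if d.Path != path {
			continue
		}
		if d.Replace != nil {
			return d.Replace.Version, true, true
		}
		return d.Version, false, true
	}
	return "", false, false
}

// Check returns one line per advisory whose module is linked in an affected
// version. Unparsable versions are reported for manual review, never dropped.
func Check(bi *debug.BuildInfo, advs []Advisory) []string {
	var out []string
	for _, a := range advs {
		ver, replaced, ok := LinkedVersion(bi, a.Module)
		if !ok {
			continue // module not in the build list at all
		}
		v, err := parseVersion(ver)
		if err != nil {
			out = append(out, fmt.Sprintf("REVIEW %s: %s@%s unparsable version", a.ID, a.Module, ver))
			continue
		}
		if intro, err := parseVersion(a.Introduced); a.Introduced != "" && (err != nil || compare(v, intro) < 0) {
			continue
		}
		if fixed, err := parseVersion(a.Fixed); a.Fixed != "" && err == nil && compare(v, fixed) >= 0 {
			continue
		}
		note := ""
		if replaced {
			note += " (via replace directive)"
		}
		if v.pre != "" {
			note += " (pre-release/pseudo-version: confirm the commit manually)"
		}
		out = append(out, fmt.Sprintf("AFFECTED %s: %s@%s%s", a.ID, a.Module, ver, note))
	}
	return out
}

func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: checkbin <go-binary>")
		os.Exit(2)
	}
	bi, err := buildinfo.ReadFile(os.Args[1]) // same section `go version -m` reads
	if err != nil {
		fmt.Fprintln(os.Stderr, "no Go build info:", err)
		os.Exit(1)
	}
	fmt.Printf("%s, main %s@%s, %d dependencies\n", bi.GoVersion, bi.Main.Path, bi.Main.Version, len(bi.Deps))
	// Hypothetical advisory; replace module and range with the scanner's finding.
	advs := []Advisory{{ID: "EXAMPLE-0001", Module: "example.com/somelib", Introduced: "v1.0.0", Fixed: "v1.4.2"}}
	for _, f := range Check(bi, advs) {
		fmt.Println(f)
	}
}
```

If `buildinfo.ReadFile` fails, the binary was built in GOPATH mode or with a pre-modules toolchain, and neither this check nor Trivy's has anything to key on. A match here only establishes that the flagged version is linked; whether the vulnerable function is reachable is a separate question, and that is the point on which to ask the vendor for evidence (a `govulncheck` run, or the call path) rather than for go.mod.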