[feature] Use deps.dev version-project mapping provenance #2038

Open
mdeicas opened this issue Jul 20, 2024 · 0 comments

mdeicas commented Jul 20, 2024

Deps.dev now specifies how the relationship between package versions and projects (e.g. GitHub source) has been derived. This is useful information because it indicates how trustworthy that link is -- it may have been derived from unverified metadata or from SLSA provenance. See relatedProjects[].relationProvenance in https://docs.deps.dev/api/v3alpha/#getversion.

Along the same lines, deps.dev now explicitly links the package version to a project identifier (see relatedProjects[].projectKey in https://docs.deps.dev/api/v3alpha/#getversion) that can be used in other API calls. Previously, we constructed the project identifier from the VCS url, which is not as reliable (e.g. #1413).

There are two changes to make:

  1. Update the HasSourceAt node with this additional data.
  2. Call GetProject with the project identifier given by the call to GetVersion.

Also see #1768

mdeicas added the enhancement label Jul 20, 2024
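The two changes requested in the issue, sketched as an added example that is not code from GUAC or from the issue author: pick the source-repository project from a GetVersion response by strength of `relationProvenance`, then address GetProject by `projectKey.id` instead of a reconstructed VCS URL. The enum strings (`SLSA_ATTESTATION`, `UNVERIFIED_METADATA`, `SOURCE_REPO`, `ISSUE_TRACKER`), the trust ranking and the `/v3alpha/projects/` path are assumptions to check against the deps.dev documentation; `SourceLink`, `bestSourceLink` and `getProjectURL` are hypothetical names, and the response is constructed sample data.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// Constructed sample shaped like a GetVersion response; not real deps.dev data.
const sampleVersion = `{"relatedProjects": [
  {"projectKey": {"id": "github.com/example/tracker"}, "relationType": "ISSUE_TRACKER", "relationProvenance": "UNVERIFIED_METADATA"},
  {"projectKey": {"id": "github.com/example/fork"}, "relationType": "SOURCE_REPO", "relationProvenance": "UNVERIFIED_METADATA"},
  {"projectKey": {"id": "github.com/example/pkg"}, "relationType": "SOURCE_REPO", "relationProvenance": "SLSA_ATTESTATION"}]}`

type relatedProject struct { // encoding/json matches the camelCase keys case-insensitively
	ProjectKey struct{ ID string }
	RelationType, RelationProvenance string
}

// Assumed trust order for the provenance strings; unknown values rank 0.
var provenanceRank = map[string]int{"UNVERIFIED_METADATA": 1, "SLSA_ATTESTATION": 2}

// SourceLink is a hypothetical record of what a HasSourceAt node would carry.
type SourceLink struct{ ProjectID, Provenance string }

// bestSourceLink returns the SOURCE_REPO project with the strongest provenance.
func bestSourceLink(raw []byte) (SourceLink, bool, error) {
	var v struct{ RelatedProjects []relatedProject }
	if err := json.Unmarshal(raw, &v); err != nil {
		return SourceLink{}, false, err
	}
	best, bestRank := SourceLink{}, -1
	for _, rp := range v.RelatedProjects {
		if rp.RelationType != "SOURCE_REPO" || rp.ProjectKey.ID == "" {
			continue
		}
		if r := provenanceRank[rp.RelationProvenance]; r > bestRank {
			best, bestRank = SourceLink{rp.ProjectKey.ID, rp.RelationProvenance}, r
		}
	}
	return best, bestRank >= 0, nil
}

// getProjectURL builds the GetProject request from projectKey.id, not from a VCS URL.
func getProjectURL(id string) string {
	return "https://api.deps.dev/v3alpha/projects/" + url.PathEscape(id)
}

func main() {
	fmt.Println(bestSourceLink([]byte(sampleVersion)))
}
```

Keeping the provenance string on the stored link lets a later policy check distinguish an attested source mapping from one that rests on unverified package metadata.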