dependency-management-data now supports Software Bill of Materials (SBOMs) and has better Dependabot support


As part of my work on dependency-management-data, I've mostly been focussing on utilising Renovate as the underlying datasource due to its excellent support for different package managers, language runtimes and ecosystems.

The original datasource for dependency-management-data - before it was Open Source'd as dependency-management-data - was Dependabot, but as mentioned in Prefer using the GitHub Software Bill of Materials (SBOMs) API over the Dependency Graph GraphQL API, the GraphQL API we were using for the data didn't provide the most usable data.

However, with this release, we're now using the Software Bill of Materials endpoint, which provides much more actionable information, and means the Dependabot datasource is now much more useful 👏

With the ability to parse SBOMs from GitHub, I've also taken the opportunity to add support for parsing SBOMs from other data sources, so you can bring an SBOM from your own tooling, for instance the Snyk SBOM export functionality or through tools like syft.
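To show what parsing one of these SBOMs involves, here is an added example (not code from dependency-management-data): it reads the SPDX 2.3 JSON shape the GitHub SBOM API returns and pulls the ecosystem, name and version of each dependency out of its package URL (purl). The sample document is constructed for the example, and `spdxDoc`, `Dependency` and `ParseSBOM` are names chosen here.

```go
package main

import (
	"encoding/json"
	"net/url"
	"strings"
)

// spdxDoc covers only the SPDX 2.3 fields used here; encoding/json matches JSON keys case-insensitively.
type spdxDoc struct {
	SBOM struct { // the GitHub SBOM API wraps the document under "sbom"
		Packages []struct {
			ExternalRefs []struct{ ReferenceType, ReferenceLocator string }
		}
	}
}

// Dependency is one (ecosystem, name, version) coordinate taken from the SBOM.
type Dependency struct{ Type, Name, Version string }

// ParseSBOM keeps every package that carries a purl; entries without one (such as the root repository) are skipped.
func ParseSBOM(data []byte) ([]Dependency, error) {
	var doc spdxDoc
	if err := json.Unmarshal(data, &doc); err != nil {
		return nil, err
	}
	var deps []Dependency
	for _, p := range doc.SBOM.Packages {
		for _, ref := range p.ExternalRefs {
			if ref.ReferenceType != "purl" {
				continue
			}
			// purl grammar: pkg:TYPE/[NAMESPACE/]NAME@VERSION[?qualifiers]
			rest, _, _ := strings.Cut(strings.TrimPrefix(ref.ReferenceLocator, "pkg:"), "?")
			typ, nameVer, _ := strings.Cut(rest, "/")
			name, ver, _ := strings.Cut(nameVer, "@")
			if n, err := url.PathUnescape(name); err == nil { // npm scopes arrive as %40scope/name
				name = n
			}
			deps = append(deps, Dependency{typ, name, ver})
		}
	}
	return deps, nil
}

// Constructed sample in the GitHub SBOM API shape (not captured API output).
var sampleSBOM = []byte(`{"sbom":{"packages":[{"name":"com.github.example/repo"},
{"name":"npm:@babel/core","externalRefs":[{"referenceType":"purl","referenceLocator":"pkg:npm/%40babel/core@7.22.5"}]},
{"name":"go:golang.org/x/net","externalRefs":[{"referenceType":"purl","referenceLocator":"pkg:golang/golang.org/x/net@v0.17.0?type=module"}]}]}}`)
```

Calling `ParseSBOM(sampleSBOM)` yields the npm and Go coordinates and drops the root repository entry, which carries no purl.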

This launches with v0.38.0, and is further improved with support for custom advisories in v0.39.0. In the coming releases I'll be improving the advisories functionality, although initially it looks like it won't be as powerful as the Renovate datasource, as the SBOMs I've worked with so far don't capture things like the version of Go, Ruby, etc. in use.

And a big thanks to Eric Smalling who helped with Snyk's SBOM support!

Written by Jamie Tanna.

Content for this article is shared under the terms of the Creative Commons Attribution Non Commercial Share Alike 4.0 International, and code is shared under the Apache License 2.0.

#dependency-management-data #sbom #github.
