dependency-management-data now supports Software Bill of Materials (SBOMs) and has better Dependabot support
This post's featured URL for sharing metadata is https://www.jvt.me/img/profile.jpg.
As part of my work on dependency-management-data, I've mostly been focussing on utilising Renovate as the underlying datasource due to its excellent support for different package managers, language runtimes and ecosystems.
The original datasource for dependency-management-data - before it was Open Source'd as dependency-management-data - was Dependabot, but as mentioned in Prefer using the GitHub Software Bill of Materials (SBOMs) API over the Dependency Graph GraphQL API, the GraphQL API we were using for the data didn't provide the most usable data.
However, with this release, we're now using the Software Bill of Materials endpoint, which provides much more actionable information, and means the Dependabot datasource is now much more useful 👏
With the ability to parse SBOMs from GitHub, I've also taken the opportunity to add support for parsing SBOMs from other data sources, so you can bring an SBOM from your own tooling, for instance the Snyk SBOM export functionality or through tools like syft.
This launches with v0.38.0, and is further improved with support for custom advisories with v0.39.0, and in the coming releases I'll be improving the advisories functionality, although initially it looks like it won't be as powerful as the Renovate datasource, as the SBOMs I've worked with so far don't capture things like the version of Go, Ruby, etc in use.
And a big thanks to Eric Smalling who helped with Snyk's SBOM support!