You can now use Open Policy Agent with dependency-management-data


A couple of months ago I wrote about how I find the Custom Advisories functionality in dependency-management-data to be really great. It makes it possible to flag up usage of libraries that for instance are internally deprecated or not supported, and allows folks running dependency-management-data in their organisations to specify their own internal rules, as well as taking advantage of Open Source'd advisories too.

Last week I attended OWASP Dependency Track's first community call, and found that their ability to manage policy compliance seemed to go one step above this.

As I was looking at how the custom advisories functionality worked, I thought about how I would add the same functionality to dependency-management-data. Instead of introducing more logic into the database layer, I looked at whether there were any existing tools I could use for this, and remembered Open Policy Agent (OPA).

In today's v0.54.0 release of dependency-management-data, it's now possible to write OPA policies that determine whether a given package usage violates your organisation's policy, and flag it in a similar way to how Advisories are flagged, but with much more control over the dependency being flagged, which helps reduce false positives.
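As an added example (not code from this post or from dependency-management-data itself), here is the shape such a policy could take in Rego: it flags an internally deprecated library, but only for direct usages below the replacement version, which is the kind of narrowing that keeps the finding from firing on every transitive occurrence. The `dmd.policy` package name, the `advisories` rule and the `input` fields are assumptions for illustration; check the cookbook for the real contract.

```rego
# Package name and input shape are ASSUMED for this example; use the names
# the DMD cookbook documents.
package dmd.policy

import future.keywords.contains
import future.keywords.if

# Constructed example input as DMD might hand a policy one dependency row:
# {
#   "package_name": "github.com/example/legacy-http",
#   "version": "1.4.2",
#   "package_manager": "gomod",
#   "package_type": "direct",
#   "repo": "acme/billing-service"
# }

# Constructed list of internally deprecated libraries and the version from
# which the replacement is available.
deprecated := {
	"github.com/example/legacy-http": {
		"fixed_in": "2.0.0",
		"reason": "superseded by github.com/example/httpx; see internal RFC (placeholder)",
	},
}

# One advisory per matching usage. Only direct dependencies are flagged:
# transitive usages are fixed by bumping the direct parent, and reporting
# them separately is a common source of duplicate, noisy findings.
advisories contains advisory if {
	input.package_type == "direct"
	entry := deprecated[input.package_name]
	semver.is_valid(input.version)
	semver.compare(input.version, entry.fixed_in) < 0
	advisory := {
		"advisory_type": "DEPRECATED",
		"description": sprintf("%s %s is internally deprecated: %s", [
			input.package_name,
			input.version,
			entry.reason,
		]),
	}
}
```

With the constructed input above, `opa eval -d policy.rego -i input.json 'data.dmd.policy.advisories'` yields one advisory; change `package_type` to `transitive` or `version` to `2.1.0` and the set is empty.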

The great thing about being based on OPA is that you can leverage all the excellent support it has for all sorts of powerful operations. This means that if you wanted to perform a GraphQL API lookup to understand more about the project/dependency's usage in your organisation, you can!

In the future, I'll be adding more information such as licensing or other advisory information, as well as making it possible to use other repository metadata to decide whether, for instance, a violation only matters when it's a public-facing repository.

This will also come with policy linting to make it easier to write better policies, quicker.

Check out the Turning complex policies into custom Advisories using Open Policy Agent cookbook, and let me know if there's anything else you'd find useful to do with OPA + DMD!

Written by Jamie Tanna.

Content for this article is shared under the terms of the Creative Commons Attribution Non Commercial Share Alike 4.0 International, and code is shared under the Apache License 2.0.

#dependency-management-data #open-policy-agent.

This post was filed under articles.
