You can now use Open Policy Agent with dependency-management-data
A couple of months ago I wrote about how I find the Custom Advisories functionality in dependency-management-data to be really great. It makes it possible to flag up usage of libraries that for instance are internally deprecated or not supported, and allows folks running dependency-management-data in their organisations to specify their own internal rules, as well as taking advantage of Open Source'd advisories too.
As I was considering how the custom advisories functionality worked, I considered how I would add the same functionality to dependency-management-data. Instead of introducing more logic into the database layer, I considered if there were any existing tools I could use for this, and remembered Open Policy Agent (OPA).
In today's v0.54.0 release of dependency-management-data, it's now possible to write OPA policies that determine whether a given package usage violates your organisation policy, and flag it in a similar way than Advisories are done, but with much more control around the dependency that's being flagged which helps reduce false positives.
The great thing about being based on OPA is that you can leverage all the excellent support it has for all sorts of powerful operations. This means that if you wanted to perform a GraphQL API lookup to understand more about the project/dependency's usage in your organisation, you can!
In the future, I'll be adding more information such as licensing or other advisory information, as well as making it possible to have other repository metadata allow you to decide whether i.e. a violation is only important when it's a public-facing repository.
This will also come with policy linting to make it easier to write better policies, quicker.
Check out the Turning complex policies into custom Advisories using Open Policy Agent cookbook, and let me know if there's anything else you'd find useful to do with OPA + DMD!