
Add GitHub as repository

Open JN-CSIRT opened this issue 2 years ago • 4 comments

We work with OSS sources hosted on GitHub, so we need to check packages for currency (latest version) and for security issues. Is it planned to integrate GitHub as a repository in DT?

JN-CSIRT avatar Jul 25 '22 22:07 JN-CSIRT

DT should support GitHub Packages. I have not personally tried it, but assuming GitHub implements the proper semantics and APIs for Maven, Pypi, npm, etc, then you should be able to use GitHub for this purpose.

stevespringett avatar Aug 20 '22 19:08 stevespringett

> DT should support GitHub Packages. I have not personally tried it, but assuming GitHub implements the proper semantics and APIs for Maven, Pypi, npm, etc, then you should be able to use GitHub for this purpose.

Right, it is supported, but for package repositories only, and it works fine (Maven, Go, etc.). What about direct requests to GitHub? Lots of SW components are placed there without being published to any package repository. E.g. PURL: pkg:github/boostorg/[email protected] Can you add direct support for github.com as a repository to DT?

JN-CSIRT avatar Aug 22 '22 23:08 JN-CSIRT

Ah, so it sounds like you would like support for GitHub Releases. Yes, I think that's something we can do.

Perhaps even make it configurable to enable/disable support for pre-releases when identifying the latest version.

Support for Git branches would be extremely difficult. I wouldn't know how to even approach that.

stevespringett avatar Aug 23 '22 05:08 stevespringett

> Perhaps even make it configurable to enable/disable support for pre-releases when identifying the latest version.

This is what I am looking for. Second would be a link to the related GHSA, if any.

JN-CSIRT avatar Aug 23 '22 13:08 JN-CSIRT

This would be extremely helpful in the C/C++ ecosystem, where there isn't (yet?) a package management system to rule them all!

#1840 looks like a duplicate.

lnksz avatar Feb 02 '23 14:02 lnksz

It could be added as a custom repo with the password being the token, maybe?

And then the REST API could be used to fetch the latest version?

https://docs.github.com/en/rest/releases/releases?apiVersion=2022-11-28#get-the-latest-release or the list of releases https://docs.github.com/en/rest/releases/releases?apiVersion=2022-11-28#list-releases

lnksz avatar Feb 02 '23 14:02 lnksz

Hi @msymons, even though it isn't labeled as such, do you think this would be a good first contribution task?

lnksz avatar Feb 06 '23 09:02 lnksz

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

github-actions[bot] avatar Jan 08 '24 10:01 github-actions[bot]