guac
[feature] Use deps.dev version-project mapping provenance
Deps.dev now specifies how the relationship between a package version and a project (e.g. its GitHub source) has been derived. This is useful because it indicates how trustworthy that link is: it may have been derived from unverified metadata or from SLSA provenance. See `relatedProjects[].relationProvenance` in https://docs.deps.dev/api/v3alpha/#getversion.
Along the same lines, deps.dev now explicitly links the package version to a project identifier (see `relatedProjects[].projectKey` in https://docs.deps.dev/api/v3alpha/#getversion) that can be used in other API calls. Previously, we constructed the project identifier from the VCS URL, which is less reliable (e.g. #1413).
There are two changes to make:
- Update the `HasSourceAt` node with this additional data.
- Call `GetProject` with the project identifier given by the call to `GetVersion`.
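As an added illustration (not code from this issue or from the GUAC project), here is a Go sketch of how a consumer could parse the `relatedProjects` entries of a `GetVersion` response and keep the best-attested `projectKey` together with its `relationProvenance`, which is the pair the issue proposes to record on the `HasSourceAt` node. The nested `projectKey.id` field, the provenance enum strings, and the sample response body are assumptions constructed for this example, not values copied from the deps.dev API reference.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Field names follow relatedProjects[].projectKey and
// relatedProjects[].relationProvenance from the GetVersion docs cited in
// the issue. The nested "id" field is an assumption for this example.
type projectKey struct {
	ID string `json:"id"`
}

type relatedProject struct {
	ProjectKey         projectKey `json:"projectKey"`
	RelationProvenance string     `json:"relationProvenance"`
}

type versionResponse struct {
	RelatedProjects []relatedProject `json:"relatedProjects"`
}

// Assumed provenance enum strings; placeholders for the real API values.
// The issue only says the link may come from unverified metadata or
// from SLSA provenance, so those are the two cases modelled here.
const (
	provSLSA       = "SLSA_ATTESTATION"
	provUnverified = "UNVERIFIED_METADATA"
)

// sourceLink is what the issue proposes to store on the HasSourceAt node:
// the project identifier for later GetProject calls, plus how the link
// was derived so consumers can judge how much to trust it.
type sourceLink struct {
	ProjectID  string
	Provenance string
}

// trustRank orders provenance values so callers can prefer verified links:
// SLSA-attested links rank highest, unverified metadata lowest, and any
// unknown or unspecified value sits in between.
func trustRank(prov string) int {
	switch prov {
	case provSLSA:
		return 2
	case provUnverified:
		return 0
	default:
		return 1
	}
}

// pickSourceLink parses a GetVersion response body and returns the
// related project with the strongest provenance. ok is false when the
// response carries no usable project identifier.
func pickSourceLink(body []byte) (link sourceLink, ok bool, err error) {
	var resp versionResponse
	if err = json.Unmarshal(body, &resp); err != nil {
		return sourceLink{}, false, err
	}
	for _, rp := range resp.RelatedProjects {
		if rp.ProjectKey.ID == "" {
			continue // no identifier to hand to GetProject; skip it
		}
		if !ok || trustRank(rp.RelationProvenance) > trustRank(link.Provenance) {
			link = sourceLink{ProjectID: rp.ProjectKey.ID, Provenance: rp.RelationProvenance}
			ok = true
		}
	}
	return link, ok, nil
}

// Constructed sample response: an unverified link to a mirror listed
// first, and an SLSA-attested link to the real source listed second.
const sampleBody = `{
  "relatedProjects": [
    {"projectKey": {"id": "github.com/example/lib-mirror"}, "relationProvenance": "UNVERIFIED_METADATA"},
    {"projectKey": {"id": "github.com/example/lib"}, "relationProvenance": "SLSA_ATTESTATION"}
  ]
}`

func main() {
	link, ok, err := pickSourceLink([]byte(sampleBody))
	if err != nil || !ok {
		fmt.Println("no usable related project:", err)
		return
	}
	fmt.Printf("HasSourceAt -> project %s (provenance %s)\n", link.ProjectID, link.Provenance)
}
```

The ranking is deliberately conservative: when deps.dev reports several related projects, the one backed by SLSA provenance wins regardless of list order, and a link derived only from unverified metadata is kept but never preferred over a better-attested one.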
Also see #1768