
deps extractor: Support limiting ecosystems

Open · puerco opened this issue 1 year ago · 1 comment

Minder's dependency extractor scans an entire ecosystem and reports back dependencies found anywhere in the codebase, and even from manifests such as SBOMs.

This can make it tough when a repository contains more than one source of dependencies, such as multiple projects, SBOMs, test fixtures, etc. One way of scoping the data available to rules is to create a setting in the dependency extractor to pass a list of desired ecosystems; scanning can then be fine-tuned to return only relevant results, and the process can run more efficiently.

The list of ecosystems should be a list of strings and we should validate each to be a valid package URL type.

Related to #5128

puerco · Dec 04 '24 04:12

We should be able to use Rego to filter the dependencies after extraction (at some efficiency cost)

evankanderson · Feb 01 '25 00:02
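The two ideas in this thread, an ecosystem allow-list validated against package URL types (the issue body) and filtering dependencies after extraction (the reply), can be sketched together. The following is an added example and not Minder's own code: the names `ValidateEcosystems`, `FilterByEcosystem`, `purlType` and `Dependency` are hypothetical, the filter is written in Go rather than Rego, the `knownPurlTypes` set is a partial, assumed subset of the purl-spec type registry, and `purlTypeSyntax` encodes the spec's lexical rule for a type (ASCII letters, digits, `.`, `+`, `-`; not starting with a digit; case-insensitive with lowercase canonical form) as I read it. The sample dependencies are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// knownPurlTypes is an assumed, partial subset of the purl-spec type
// registry; a real implementation would load the authoritative list.
var knownPurlTypes = map[string]bool{
	"cargo": true, "composer": true, "deb": true, "docker": true, "gem": true,
	"generic": true, "golang": true, "maven": true, "npm": true, "nuget": true,
	"oci": true, "pypi": true, "rpm": true, "swift": true,
}

// purlTypeSyntax is the purl-spec lexical rule for a type as read here:
// ASCII letters, digits, '.', '+' and '-', and it must not start with a digit.
var purlTypeSyntax = regexp.MustCompile(`^[A-Za-z.+-][A-Za-z0-9.+-]*$`)

// Dependency is a hypothetical extractor record carrying a package URL.
type Dependency struct {
	Name string
	Purl string
}

// ValidateEcosystems normalizes a configured list of ecosystems (trim,
// lowercase) and rejects any entry that is not a syntactically valid and
// registered purl type. It returns the canonical, deduplicated set.
func ValidateEcosystems(raw []string) (map[string]bool, error) {
	allowed := make(map[string]bool, len(raw))
	for _, e := range raw {
		t := strings.ToLower(strings.TrimSpace(e))
		if !purlTypeSyntax.MatchString(t) {
			return nil, fmt.Errorf("ecosystem %q is not a syntactically valid purl type", e)
		}
		if !knownPurlTypes[t] {
			return nil, fmt.Errorf("ecosystem %q is not a registered purl type", e)
		}
		allowed[t] = true
	}
	return allowed, nil
}

// purlType returns the lowercase type component of a package URL
// ("pkg:<type>/..."), or "" when the string is not a purl. The scheme is
// matched case-insensitively and a leading '/' after it is tolerated.
func purlType(purl string) string {
	if len(purl) < 4 || !strings.EqualFold(purl[:4], "pkg:") {
		return ""
	}
	rest := strings.TrimLeft(purl[4:], "/")
	typ, _, _ := strings.Cut(rest, "/")
	return strings.ToLower(typ)
}

// FilterByEcosystem keeps only dependencies whose purl type is in allowed.
// An empty allow-list means "no scoping", i.e. every dependency is kept,
// so rules see the same data they see today unless the setting is used.
func FilterByEcosystem(deps []Dependency, allowed map[string]bool) []Dependency {
	if len(allowed) == 0 {
		return deps
	}
	var out []Dependency
	for _, d := range deps {
		if allowed[purlType(d.Purl)] {
			out = append(out, d)
		}
	}
	return out
}

// sampleDeps is constructed data standing in for extractor output over a
// mixed repository: a Go module, an npm test fixture, an SBOM-listed deb
// package and one malformed record.
var sampleDeps = []Dependency{
	{Name: "golang.org/x/crypto", Purl: "pkg:golang/golang.org/x/crypto@v0.21.0"},
	{Name: "lodash", Purl: "pkg:npm/lodash@4.17.21"},
	{Name: "openssl", Purl: "pkg:deb/debian/openssl@3.0.11-1"},
	{Name: "mystery", Purl: "not-a-purl"},
}

func main() {
	allowed, err := ValidateEcosystems([]string{"golang", " NPM "})
	if err != nil {
		fmt.Println("config error:", err)
		return
	}
	for _, d := range FilterByEcosystem(sampleDeps, allowed) {
		fmt.Println("kept:", d.Name, d.Purl)
	}
	// A setting that is not a purl type is rejected before any scan runs.
	if _, err := ValidateEcosystems([]string{"1bad"}); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

Validating the setting up front, rather than only at filter time, means a typo in the configured ecosystem list fails loudly instead of silently dropping every dependency and leaving rules with nothing to evaluate.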