Question: Git ecosystem support #2403
Description
Hi!
Are there any plans to support Git as an ecosystem for scanning?
Problem
Currently, it is impossible to obtain vulnerabilities from an SBOM containing the Git URL of the collected packages. I am aware of the discussion and other topics about the synthetic nature of GIT, but that seems irrelevant because we can now request osv.dev like this:
curl -d \
'{"package": {"name": "https://github.com/curl/curl.git", "ecosystem": "GIT"}, "version": "8.5.0"}' \
"https://api.osv.dev/v1/query"And some progress in establishing Git as an ecosystem was made in this PR.
Original problem
Initially, I intended to scan Homebrew packages for vulnerabilities. However, Homebrew is not considered an ecosystem due to its lack of advisories and organization. However, starting with version 4.3.0, Homebrew packages are supplied with SPDX BOM. This BOM often contains the Git repository URL from which the package came. Therefore, supporting the Git ecosystem will allow us to scan some Homebrew packages for vulnerabilities, which is extremely important for scanning the MacOS system, where Homebrew is the main package manager (imho).
Proposed solution
Based on this and this, I can suggest the following structure for the Git SBOM component which will be accepted for scanning:
"components": [
{
"bom-ref": "...",
"type": "..."
"name": "github.com/curl/curl",
"version": "3.4.0",
"purl": "pkg:generic/github.com/curl/[email protected]"
}
]If it is useful and makes sense to be implemented, I would like to implement it by myself.