Quantifying your reliance on Open Source software
Using dependency-management-data
Jamie Tanna (https://www.jvt.me)
Senior Software Engineer @ Elastic
Have you ever wondered:
- How much end-of-life software is my organisation using?
- What (internal) packages are we using that we shouldn't?
- How far behind on updates are we?
"What projects should I contribute to?"
Dependency Management Data (DMD) - dmd.tanna.dev
What's in the project?
-
The command-line tool
dmd - The outputted SQLite database
- (Your SQLite browser of choice)
-
The web application
dmd-web
dmd
- Ingests different sources of dependency data ("datasources")
- Build the SQLite database
- Enrich it with more data (for instance for "advisories")
- Provide common queries ("reports")
Datasources
- renovate-graph - Renovate
- dependabot-graph - GitHub Advanced Security + Dependabot
- Software Bill of Materials (SPDX, CycloneDX)
- endoflife-checker - i.e. AWS Lambda, RDS
Advisories
- What End-of-Life software am I using?
- What CVEs am I affected by?
- Is there an internally documented reason why we shouldn't use a specific package?
"What package advisories do I have?"
| organisation | repo | package_name | current_version | dep_types | advisory_type | description |
|---|---|---|---|---|---|---|
| alphagov | di-authentication-frontend | node | 18.12.1 | ["engines"] | DEPRECATED | nodejs 18 will be unsupported in 28 days |
| golangci | golangci-lint | github.com/golangci/lint-1 | v0.0.0-... | ["require"] | DEPRECATED | Use golang.org/x/lint instead, as the golangci fork ... is behind active development and bugfixes in golang.org/x/lint |
| tanna.dev | oidc-thumbprint | go | 1.18 | ["golang"] | UNSUPPORTED | go 1.18 has been End-of-Life for 231 days |
via https://dependency-management-data-example.fly.dev/report/advisories
"How many packages does kubernetes use?"
select
package_manager,
count(*) as c
from
renovate
where
repo = 'kubernetes'
group by
package_manager
order by
c desc
| package_manager | c |
|---|---|
| gomod | 2182 |
| dockerfile | 90 |
| cloudbuild | 3 |
"How dependent am I on Hashicorp libraries?"
select
organisation, repo, package_name,
current_version, dep_types
from
renovate
where
package_name like 'github.com/hashicorp/%'
| organisation | repo | package_name | current_version | dep_types |
|---|---|---|---|---|
| clever | microplane | github.com/hashicorp/go-cleanhttp | v0.5.2 | ["indirect"] |
| cloud-custodian | cloud-custodian | github.com/hashicorp/go-multierror | v1.0.0 | ["require"] |
| renovatebot | renovate | github.com/hashicorp/go-cleanhttp | v0.0.0-20171218145408-d5fe4b57a186 | ["require"] |
| tailscale | tailscale | github.com/hashicorp/errwrap | v1.1.0 | ["indirect"] |
| gitlab-org | gitlab | github.com/hashicorp/yamux | v0.1.1 | ["indirect"] |
"Who owns the production service running Node 5?" 🤔
select
distinct
renovate.platform, renovate.organisation, renovate.repo, owner
from
renovate
left join owners
on renovate.platform = owners.platform
and renovate.organisation = owners.organisation
and renovate.repo = owners.repo
-- and ...
"How behind on updates am I?"
select
package_manager, update_type, count(*)
from
renovate_updates
group by
package_manager, update_type
order by
count(*) desc
| package_manager | update_type | count(*) |
|---|---|---|
| gomod | minor | 1368 |
| npm | major | 551 |
| npm | minor | 507 |
dependency-management-data-example - OSS from GitHub, GitLab
Want to try it out?