kaniini
commented
10 months ago I have already been thinking about this for some time.
I think the SCA engine should be moved into its own package, and the actual dependency generators refactored to take a filesystem as input, alongside a config.Dependencies as output.
I can queue up some PRs to do this.
Elizafox
https://github.com/chainguard-dev/melange/pull/788 adds SCA checks to generate runtime deps based on filesystem properties. We have a handful of these. What we don't have are tests that any of this works the way we expect.
Let's add test infra to make testing this SCA behavior easier, and use it to bolster our tests.