Open Thor77 opened 4 months ago
Currently not supported by renovate. Adding git as an ecosystem here isn't enough either, since the query interface is tailored to PURL-based ecosystems: https://github.com/renovatebot/osv-offline/blob/bd2ceb4828c22dd91f1e1c5aa0b8341ec074c0b0/packages/osv-offline-db/src/lib/db.ts#L35-L38
So this would need additional changes in 1. OSV to support packageurl for git releases 2. renovate to query osv for the git- datasources?
Not exactly. PURL identifiers are designed to work only with package-based ecosystems (maven, npm, go, ...), so this OSV interface would need a new git-tailored query interface. That's the easy part. The changes in renovate are more effort because, unlike just checking if version A < version B, for git it would need to traverse the whole commit graph of a repo to check if a commit is in a vulnerable range of commits.
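The commit-graph check described in the reply above, as an added example that is not part of the thread and not renovate or osv-offline code. It assumes a simplified reading of OSV's `introduced`/`fixed` events for GIT ranges; the graph, commit ids and function names are constructed for illustration.

```typescript
// Commit graph as child -> parents (what `git rev-list --parents` yields).
type CommitGraph = Map<string, string[]>;

// One event of an OSV range with type GIT (simplified: introduced/fixed only).
interface GitRangeEvent {
  introduced?: string; // commit id, or "0" meaning "since the first commit"
  fixed?: string;      // commit id that contains the fix
}

// Collect the commit itself plus everything reachable through parent links.
function ancestorsOf(graph: CommitGraph, commit: string): Set<string> {
  const seen = new Set<string>();
  const stack: string[] = [commit];
  while (stack.length > 0) {
    const current = stack.pop() as string;
    if (seen.has(current)) continue;
    seen.add(current);
    for (const parent of graph.get(current) ?? []) stack.push(parent);
  }
  return seen;
}

// Affected = history contains an introducing commit and no fixing commit.
function isCommitAffected(
  graph: CommitGraph,
  commit: string,
  events: GitRangeEvent[],
): boolean {
  if (!graph.has(commit)) throw new Error(`unknown commit: ${commit}`);
  const history = ancestorsOf(graph, commit);
  const introduced = events.some(
    (e) => e.introduced !== undefined &&
      (e.introduced === "0" || history.has(e.introduced)),
  );
  const fixed = events.some(
    (e) => e.fixed !== undefined && history.has(e.fixed),
  );
  return introduced && !fixed;
}

// Constructed sample repository (ids are placeholders, not real hashes).
const sampleGraph: CommitGraph = new Map<string, string[]>([
  ["a1", []],
  ["b2", ["a1"]],       // introduces the vulnerability
  ["c3", ["b2"]],
  ["d4", ["c3"]],       // fix lands on the main line
  ["e5", ["c3"]],       // side branch forked before the fix
  ["f6", ["d4", "e5"]], // merge that brings the fix into the side branch
]);
const sampleEvents: GitRangeEvent[] = [{ introduced: "b2" }, { fixed: "d4" }];
```

Commit `e5` is created after the fix yet stays affected because the fix is not in its history, which is the case an ordered version comparison cannot express.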
Is there anything blocking support for the GIT ecosystem (and therefore also git-related datasources in renovate)? It should be as simple as adding it to the list of ecosystems in https://github.com/renovatebot/osv-offline/blob/bd2ceb4828c22dd91f1e1c5aa0b8341ec074c0b0/packages/osv-offline-db/src/lib/ecosystem.ts#L2 or am I missing something?