dmd db generate advisories

Seed the database with known package advisories

Usage

advisories

Examples

# generate advisories from all Advisory sources (the default; implies `--with-source-all`)
dmd db generate advisories --db dmd.db
# the same, with all Advisory sources enabled explicitly
dmd db generate advisories --db dmd.db --with-source-all
# only include Advisory data from Custom Advisories (the `custom_advisories` table)
dmd db generate advisories --db dmd.db --only-source-custom-advisories-table
# multiple `--only-source-...` flags can be combined to select several sources at once
dmd db generate advisories --db dmd.db --only-source-custom-advisories-table --only-source-dmd --only-source-dependency-health-table

Synopsis

Seed the database with known advisories about packages' security or maintenance posture.

This draws on information available in the Open Source ecosystem about packages that are known to be unmaintained or are marked as deprecated, and provides a free-form field to record why the advisory is present and any remediation steps, where necessary.

This determines whether the packages you are using are running/approaching End Of Life (EOL) versions, through integration with:

This also generates licensing information (to answer questions such as "how many packages use AGPL-3.0 licensed code") as well as Common Vulnerabilities and Exposures (CVE) information, and integrates with:

Note that generating advisories may leak package names to external systems, which can be a privacy or security concern if your internal package names are sensitive. This can be avoided by following the Avoiding the leakage of sensitive package names cookbook (https://dmd.tanna.dev/cookbooks/avoiding-sensitive-package-names/).

Known issues:

Options

Flag (type) Usage Notes
-h, --help help for advisories
--no-progress prevent displaying progress of long-running tasks
--only-source-aws-infrastructure (--only-source-...) Whether to generate Advisory data for AWS Infrastructure (via the https://gitlab.com/tanna.dev/endoflife-checker/ project). Can be combined with other `--only-source-...` options
--only-source-contrib (--only-source-...) Whether to generate Advisory data from the -contrib project (https://gitlab.com/tanna.dev/dependency-management-data-contrib). Can be combined with other `--only-source-...` options
--only-source-custom-advisories-table (custom_advisories) Whether to generate Advisory data from the `custom_advisories` table. Can be combined with other `--only-source-...` options
--only-source-dependency-health-table (dependency_health) Whether to generate Advisory data from the `dependency_health` table. Can be combined with other `--only-source-...` options
--only-source-depsdev (--only-source-...) Whether to generate Advisory data from the deps.dev datasource. Can be combined with other `--only-source-...` options
--only-source-dmd (--only-source-...) Whether to generate advisories based on Dependency Management Data's inbuilt advisory sources. Can be combined with other `--only-source-...` options
--only-source-endoflifedate (--only-source-...) Whether to generate advisories based on https://endoflife.date. Can be combined with other `--only-source-...` options
--with-source-all (--with-source-...) Whether to include all sources for Advisory data that Dependency Management Data has support for. Implied if no other `--with-source-...` flags are set

Options inherited from parent commands

Flag (type) Usage Notes
--db (string) the path to the input/output database
--debug whether to enable debug logging