Cookbooks
Below you can find various guides for getting dependency-management-data set up for your projects.
Getting Started
Cookbooks related to getting started with Dependency Management Data
- Getting Started: How to get started with dependency-management-data for package data.
- Getting Started with SBOM data: How to get started with dependency-management-data, when consuming SBOMs.
- Getting Started with OSS Review Toolkit's data: How to get started with dependency-management-data, when using OSS Review Toolkit (ORT).
- Data Collection Patterns: The different patterns that have been proved to work well with collecting data for use with dependency-management-data.
- Getting Started (with the example data): How to get started with dependency-management-data, using the pre-collected example data.
- Setting up the Git repo to store dependency-management-data output: An example of the structure and CI configuration you may want to use for storing dependency-management-data data in.
How do I ...?
How to perform common usage patterns.
- Understanding the data model: An introduction to how dependency-management-data's database is structured, some insight into the data model and common queries you may want to use.
- Using custom Advisories to flag packages in use: How to use custom advisories with dependency-management-data to track packages that your organisation may not want to use.
- Avoiding the leakage of sensitive package names: How to use the sensitive_packages table to reduce the risk of leaking private package names to external systems.
- Turning complex policies into custom Advisories using Open Policy Agent: How to leverage Open Policy Agent integration in dependency-management-data to write much more complex rules for flagging advisories in your dependencies.
- Collecting Telemetry via OpenTelemetry: How to export telemetry data from dependency-management-data to an OpenTelemetry-compatible API.
- Consuming output from Renovate's debug logs: How to import data from the output of Renovate's debug logs, as an alternative to running renovate-graph.
- Consuming output from Renovate's reports: How to import data from Renovate's report functionality, as an alternative to running renovate-graph.
- Importing OpenSSF Security Scorecard data into dependency-management-data: How to use pre-computed OpenSSF Security Scorecard data, instead of requiring dependency-management-data to produce it.
- Setting up the Git repo to store dependency-management-data output: An example of the structure and CI configuration you may want to use for storing dependency-management-data data in.
- Using repository ownership information with dependency-management-data
Using Dependency Management Data with another tool's data
How to use Dependency Management Data with data produced from a third-party tool, such as an SBOM generation tool, or a Software Composition Analysis vendor.
- Getting Started with SBOM data: How to get started with dependency-management-data, when consuming SBOMs.
- Getting Started with OSS Review Toolkit's data: How to get started with dependency-management-data, when using OSS Review Toolkit (ORT).