Avoiding the leakage of sensitive package names

When running subcommands of dmd db generate, dmd performs lookups against various external systems (package registries, advisory databases and similar) to enrich your dependency data. Those lookups necessarily send the names of the packages you depend on to those systems.

Depending on how your organisation treats this information, that can be a problem: the names of internal packages (for instance private npm scopes or Go modules under your own GitHub organisation) may themselves be confidential, and in that case you should be treating them as Sensitive Packages.

From dependency-management-data v0.47.0 you can reduce this risk using the sensitive_packages table: packages that match it are treated as sensitive and kept out of the external lookups.

This allows you to add the following data to your database:

INSERT INTO sensitive_packages VALUES('@my-org/*',NULL,'MATCHES');
INSERT INTO sensitive_packages VALUES('github.com/my-org/*',NULL,'MATCHES');
INSERT INTO sensitive_packages VALUES('github.com/my-org/this-is-open-source',NULL,'DOES_NOT_MATCH');
-- wildcards can be placed anywhere in the pattern, not only at the end, e.g.
INSERT INTO sensitive_packages VALUES('*tan*na*',NULL,'DOES_NOT_MATCH');

This will then result in:

Note that the package_manager column (NULL in the rows above, meaning "any package manager") is matched against the package manager name that each Datasource records, and different Datasources use different names for the same ecosystem. If you set it, add one row per name in use across all the Datasources you are using, or the rule will silently fail to match for the others. For instance, for Go modules:

INSERT INTO sensitive_packages VALUES('github.com/my-org/*','gomod','MATCHES');
INSERT INTO sensitive_packages VALUES('github.com/my-org/*','golang','MATCHES');

There is currently no CLI interface for managing this table, so you will need to hand-craft the SQL for these rows yourself. It is worth dry-running the rules against your existing dependency names before relying on them, since a typo in a pattern means the package is not excluded and its name is still sent to the external systems.
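The following SQLite script is an added example and is not part of the dependency-management-data project's own documentation or code. It shows how to dry-run a set of sensitive_packages rules (both the wildcard rules above and the per-Datasource package_manager rows) against a constructed list of dependency names before trusting them. It assumes the column names package_pattern, package_manager and match_type, and assumes the rule semantics implied by the examples above: a package is sensitive when it matches at least one MATCHES rule and no DOES_NOT_MATCH rule, with a NULL package_manager meaning "any". Check both assumptions against the schema shipped with your dmd version.

```sql
-- Added example, not the project's own code. Column names and the
-- MATCHES / DOES_NOT_MATCH precedence below are assumptions; verify them
-- against your dmd release's schema before reusing this.
CREATE TABLE IF NOT EXISTS sensitive_packages (
  package_pattern TEXT NOT NULL,
  package_manager TEXT,          -- NULL: applies to every package manager
  match_type      TEXT NOT NULL CHECK (match_type IN ('MATCHES', 'DOES_NOT_MATCH'))
);

-- The rules from the page, plus one per-Datasource pair for Go modules.
INSERT INTO sensitive_packages VALUES('@my-org/*', NULL, 'MATCHES');
INSERT INTO sensitive_packages VALUES('github.com/my-org/*', NULL, 'MATCHES');
INSERT INTO sensitive_packages VALUES('github.com/my-org/this-is-open-source', NULL, 'DOES_NOT_MATCH');
INSERT INTO sensitive_packages VALUES('*tan*na*', NULL, 'DOES_NOT_MATCH');
INSERT INTO sensitive_packages VALUES('github.com/my-org/internal-*', 'gomod', 'MATCHES');
INSERT INTO sensitive_packages VALUES('github.com/my-org/internal-*', 'golang', 'MATCHES');

-- Constructed sample of dependencies to check the rules against; these are
-- not real packages and not dmd's own tables.
CREATE TEMP TABLE candidate (package_name TEXT NOT NULL, package_manager TEXT NOT NULL);
INSERT INTO candidate VALUES
  ('@my-org/internal-ui',                   'npm'),    -- sensitive via '@my-org/*'
  ('@my-org/titan-analytics',               'npm'),    -- excluded again by '*tan*na*'
  ('github.com/my-org/billing',             'gomod'),  -- sensitive via 'github.com/my-org/*'
  ('github.com/my-org/this-is-open-source', 'gomod'),  -- explicitly excluded
  ('github.com/my-org/internal-auth',       'golang'), -- matched by the 'golang' row
  ('lodash',                                'npm');    -- no rule matches

-- SQLite's GLOB operator uses '*' and '?' wildcards and is case-sensitive,
-- so the patterns above work unchanged and '*' may sit anywhere in them.
-- A package is reported sensitive only if a MATCHES rule hits and no
-- DOES_NOT_MATCH rule does; package_manager is honoured when set.
SELECT
  c.package_name,
  c.package_manager,
  (EXISTS (
     SELECT 1 FROM sensitive_packages s
     WHERE s.match_type = 'MATCHES'
       AND c.package_name GLOB s.package_pattern
       AND (s.package_manager IS NULL OR s.package_manager = c.package_manager)
   )
   AND NOT EXISTS (
     SELECT 1 FROM sensitive_packages s
     WHERE s.match_type = 'DOES_NOT_MATCH'
       AND c.package_name GLOB s.package_pattern
       AND (s.package_manager IS NULL OR s.package_manager = c.package_manager)
   )) AS is_sensitive
FROM candidate c
ORDER BY c.package_name;
```

Run it with sqlite3 against a scratch database rather than your real dmd database so the temporary candidate table and any schema assumptions do not pollute it. The expected outcome for the constructed rows is that only @my-org/internal-ui, github.com/my-org/billing and github.com/my-org/internal-auth come back with is_sensitive = 1; @my-org/titan-analytics shows how a DOES_NOT_MATCH wildcard overrides a broader MATCHES rule, and a name that is sent to external systems unexpectedly is exactly the case this check is meant to catch.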