Using custom Advisories to flag packages in use

As well as the built-in functionality that flags Advisories against your software using external APIs, dependency-management-data lets you introduce your own Advisories.

With the custom Advisories functionality, you define your own rules for which dependencies to match, and state your own reason for flagging them, using any of the built-in Advisory types such as UNMAINTAINED, SECURITY or OTHER.

Depending on what the advisories cover, it may be worth contributing them upstream to the dependency-management-data-contrib project so the whole community can benefit.

This lets you flag usage of internal or vendor libraries that should not be in use, as well as Open Source projects that your organisation has concerns about.

For instance, a couple of the advisories that dependency-management-data-contrib defines can be seen below:

```sql
-- examples taken from and respectively
-- (only the description values of the two INSERT statements are preserved in this copy)
INSERT INTO custom_advisories (
  'pkg/errors was archived in 2021, and is unmaintained since'
  'Amazon does not recommend the use of the v1 Go image, which is based off of Amazon Linux (v1)'
```

This produces a report that looks like:

| Platform | Organisation | Repo | Package | Version | Dependency Types | Advisory Type | Description |
|---|---|---|---|---|---|---|---|
| | | | | v0.9.1 | ["indirect"] | UNMAINTAINED | pkg/errors was archived in 2021, and is unmaintained since |

You'll notice that we're using the custom_advisories table, which is a generic table in the database that you can insert your own rows into as you please: each row is a rule (a package pattern, optionally a version and package type) plus the Advisory type and description to report when a dependency matches it.
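To make the matching concrete, here is an added example (not dependency-management-data's own code) of how rows in a custom_advisories table are matched against dependencies to produce a report like the one above, covering the internal-library and Open Source cases described earlier. The column names (package_pattern, version, package_type, advisory_type, description), the use of SQL LIKE for the pattern columns, and the `dependencies` table with its sample rows are assumptions made for this example, not the project's actual schema or query.

```python
"""Added example: matching custom_advisories rows against dependencies.

Assumed (not taken from dependency-management-data): the column layout of
custom_advisories, LIKE-based matching, and the `dependencies` table.
All rows below are constructed sample data.
"""
import sqlite3

SCHEMA = """
CREATE TABLE custom_advisories (
  package_pattern TEXT NOT NULL,  -- assumed: matched with LIKE, so '%' is a wildcard
  version         TEXT,           -- NULL means every version
  package_type    TEXT,           -- NULL means every ecosystem
  advisory_type   TEXT NOT NULL,  -- e.g. UNMAINTAINED, SECURITY, OTHER
  description     TEXT NOT NULL
);
CREATE TABLE dependencies (       -- constructed stand-in for the real dependency tables
  platform TEXT, organisation TEXT, repo TEXT,
  package_name TEXT, version TEXT, package_type TEXT, dependency_types TEXT
);
"""

ADVISORIES = [
    # Open Source project the organisation wants flagged, at every version
    ("github.com/pkg/errors", None, "golang", "UNMAINTAINED",
     "pkg/errors was archived in 2021, and is unmaintained since"),
    # Hypothetical internal library that should no longer be picked up by new code
    ("example.internal/legacy-auth%", None, "golang", "OTHER",
     "legacy-auth is replaced by example.internal/auth; do not add new usages"),
    # Hypothetical vendor SDK where only one release line is a problem
    ("vendor-sdk", "1.2.%", "npm", "SECURITY",
     "vendor-sdk 1.2.x ships a known-bad default; upgrade to 1.3 or later"),
]

DEPENDENCIES = [  # constructed sample rows
    ("github", "acme", "billing", "github.com/pkg/errors", "v0.9.1", "golang", '["indirect"]'),
    ("github", "acme", "billing", "example.internal/legacy-auth/v2", "v2.0.0", "golang", '["direct"]'),
    ("github", "acme", "web", "vendor-sdk", "1.2.4", "npm", '["direct"]'),
    ("github", "acme", "web", "vendor-sdk", "1.3.0", "npm", '["direct"]'),
    ("github", "acme", "web", "lodash", "4.17.21", "npm", '["direct"]'),
]

# A NULL version or package_type on the advisory acts as "match anything".
REPORT_SQL = """
SELECT d.platform, d.organisation, d.repo, d.package_name, d.version,
       d.dependency_types, a.advisory_type, a.description
FROM dependencies d
JOIN custom_advisories a
  ON d.package_name LIKE a.package_pattern
 AND (a.version IS NULL OR d.version LIKE a.version)
 AND (a.package_type IS NULL OR d.package_type = a.package_type)
ORDER BY d.repo, d.package_name, d.version
"""


def build_db():
    """Create an in-memory SQLite database populated with the sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO custom_advisories VALUES (?,?,?,?,?)", ADVISORIES)
    conn.executemany("INSERT INTO dependencies VALUES (?,?,?,?,?,?,?)", DEPENDENCIES)
    return conn


def custom_advisory_report(conn):
    """Return one row per (dependency, matching advisory) pair."""
    return conn.execute(REPORT_SQL).fetchall()


if __name__ == "__main__":
    for row in custom_advisory_report(build_db()):
        print(" | ".join(str(col) for col in row))
```

Running it reports three matches: the pkg/errors row (UNMAINTAINED), the legacy-auth/v2 row (OTHER, matched through the trailing `%`) and only the 1.2.4 release of vendor-sdk (SECURITY); 1.3.0 and lodash produce nothing. One caveat when writing patterns: in SQL LIKE the `_` character is also a wildcard (any single character), so a pattern such as `my_lib` matches `mylib` and `my-lib` too; check new rules against the real dependency tables before relying on them.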

Looking for something slightly more complex? You may be interested in turning complex policies into custom Advisories using Open Policy Agent.