
deps.dev's Introduction

deps.dev API

deps.dev is a service developed and hosted by Google to help developers better understand the structure, construction, and security of open source software packages.

The deps.dev API can be accessed in two ways: as JSON over HTTP and via gRPC. This repository contains the service definition for the gRPC API, along with example applications for both APIs.

There are two versions of the deps.dev API:

  • v3, proto: Core features with a stability guarantee and deprecation policy. Recommended for most users.
  • v3alpha, proto: All the features of v3, with additional experimental features. May change in incompatible ways from time to time.

Using the HTTP API

The HTTP API can be accessed using any HTTP client. To quickly get started, you can use the curl command-line tool. Example:

curl 'https://api.deps.dev/v3/systems/npm/packages/%40colors%2Fcolors'

Note that the @ and / in the package name have been percent-encoded.

For complete documentation on the HTTP API, please visit docs.deps.dev.
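The percent-encoding rule above is easy to get wrong in client code, so here is an added Go example (not code from the deps.dev repository) that builds a GetVersion URL with the package name encoded as a single path segment, decodes the response, and surfaces the grpc-message reason on a 404. The response layout and the embedded sample are modelled on responses quoted on this page; the field set and the sample itself are constructed here.

```go
// Added example, not part of the deps.dev repository: build a correctly
// percent-encoded GetVersion URL and extract licenses, advisories and repo link.
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// Version mirrors the GetVersion JSON response shape quoted in this page's issues.
type Version struct {
	VersionKey struct {
		System  string `json:"system"`
		Name    string `json:"name"`
		Version string `json:"version"`
	} `json:"versionKey"`
	Licenses     []string `json:"licenses"`
	AdvisoryKeys []struct {
		ID string `json:"id"`
	} `json:"advisoryKeys"`
	Links []struct {
		Label string `json:"label"`
		URL   string `json:"url"`
	} `json:"links"`
}

// EscapeSegment percent-encodes everything except RFC 3986 unreserved characters,
// so "@colors/colors" becomes "%40colors%2Fcolors" and a Maven name gets "%3A".
// (url.PathEscape is not used because it leaves "@" and ":" unencoded.)
func EscapeSegment(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		if 'a' <= c && c <= 'z' || 'A' <= c && c <= 'Z' || '0' <= c && c <= '9' || strings.IndexByte("-._~", c) >= 0 {
			b.WriteByte(c)
			continue
		}
		fmt.Fprintf(&b, "%%%02X", c) // every other byte is encoded as %XX
	}
	return b.String()
}

// VersionURL builds the v3 GetVersion endpoint URL for one package version.
func VersionURL(system, name, version string) string {
	return "https://api.deps.dev/v3/systems/" + EscapeSegment(system) +
		"/packages/" + EscapeSegment(name) + "/versions/" + EscapeSegment(version)
}

// ParseVersion decodes a GetVersion response body.
func ParseVersion(body []byte) (*Version, error) {
	var v Version
	if err := json.Unmarshal(body, &v); err != nil {
		return nil, err
	}
	return &v, nil
}

// SourceRepo returns the SOURCE_REPO link, or "" when the response has none.
func SourceRepo(v *Version) string {
	for _, l := range v.Links {
		if l.Label == "SOURCE_REPO" {
			return l.URL
		}
	}
	return ""
}

// FetchVersion does the live call; a 404 carries its reason in the grpc-message header.
func FetchVersion(client *http.Client, system, name, version string) (*Version, error) {
	resp, err := client.Get(VersionURL(system, name, version))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("deps.dev: HTTP %d: %s", resp.StatusCode, resp.Header.Get("grpc-message"))
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // cap the body size
	if err != nil {
		return nil, err
	}
	return ParseVersion(body)
}

// sampleBody is a constructed response, modelled on the activemq-broker response
// quoted in the issues below, so the parser can be exercised offline.
const sampleBody = `{"versionKey":{"system":"MAVEN","name":"org.apache.activemq:activemq-broker","version":"5.18.1"},
 "licenses":["Apache-2.0"],"advisoryKeys":[],"links":[{"label":"SOURCE_REPO","url":"https://github.com/apache/activemq"},
 {"label":"HOMEPAGE","url":"http://activemq.apache.org"}]}`

func main() {
	v, err := ParseVersion([]byte(sampleBody))
	if err != nil {
		panic(err)
	}
	fmt.Println(VersionURL("maven", v.VersionKey.Name, v.VersionKey.Version))
	fmt.Println("licenses:", v.Licenses, "advisories:", len(v.AdvisoryKeys), "repo:", SourceRepo(v))
	// Live lookup (needs network): FetchVersion(http.DefaultClient, "npm", "@colors/colors", "<version>")
}
```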

Using the gRPC API

The gRPC API can be accessed using any gRPC client. The service definition, which describes the methods of the API along with their request and response messages, can be found in api/v3/api.proto.

To quickly get started exploring the API, you can use the grpcurl command-line tool. Example:

grpcurl \
  -d '{"package_key":{"system":"NPM","name":"@colors/colors"}}' \
  api.deps.dev:443 \
  deps_dev.v3.Insights/GetPackage

Example applications

Example applications written in Go can be found in the examples directory:

  • artifact_query shows how to query the deps.dev HTTP API by file content hash.
  • dependencies_dot fetches a resolved dependency graph from the deps.dev HTTP API and renders it in the DOT language used by Graphviz.
  • package_lock_licenses and package_lock_licenses_batch read dependencies from an npm package-lock.json file and fetch their licenses from deps.dev, using concurrent requests to the gRPC API or batch requests to the HTTP API, respectively.

Third party tools and integrations

Note that these are community-built tools and are unsupported by the core deps.dev maintainers.

Data

deps.dev aggregates data from a number of sources:

For details on using the data from these sources, please consult their documentation.

As well as aggregating data, deps.dev generates additional data, including resolved dependencies, advisory statistics, associations between entities, etc. This generated data is available under a CC-BY 4.0 license.

Terms

Use of the deps.dev API is subject to the Google API Terms of Service.

Clients are expressly permitted to cache data served by the API.

Contact us

If you have questions about the API, or want to report a problem, please create an issue or contact us at [email protected].

deps.dev's People

Contributors

adg, cuixq, edoardottt, josieang, michaelkedar, pfcm, slugclub


deps.dev's Issues

Issue with Published Dates Retrieval for Pywin32 on deps.dev

We are currently encountering an issue with retrieving published dates for the pywin32 package through the deps.dev API. Upon investigation, we noticed that the versions page (https://deps.dev/pypi/pywin32/306.0.0/versions) displays an error message: Error: We encountered an error when processing the source data.

In an effort to understand the root cause of this issue, we observed a potential discrepancy in versioning between deps.dev and PyPI. Specifically, we noticed that pywin32 on PyPI (https://pypi.org/project/pywin32/#history) does not use decimal places in its versions. We would greatly appreciate your insights and assistance in resolving this matter.

GetRequirements API call does not return version in case of maven

As per the documentation https://docs.deps.dev/api/v3alpha/#getrequirements , this API should return

maven.dependencies[].version: string
The version requirement of the dependency.

When calling https://api.deps.dev/v3alpha/systems/maven/packages/org.apache.httpcomponents.client5:httpclient5/versions/5.3.1:requirements , version is always empty:

{
    "maven": {
    "parent": {
    "system": "MAVEN",
    "name": "org.apache.httpcomponents.client5:httpclient5-parent",
    "version": "5.3.1"
    },
    "dependencies": [
        {
            "name": "org.apache.httpcomponents.core5:httpcore5",
            "version": "",
            "classifier": "",
            "type": "",
            "scope": "",
            "optional": "false",
            "exclusions": []
        },
        {
            "name": "org.apache.httpcomponents.core5:httpcore5-h2",
            "version": "",
            "classifier": "",
            "type": "",
            "scope": "",
            "optional": "false",
            "exclusions": []
        }, ...

Querying 'deps.dev' using Fetch API

It's probably more of a question than an issue, but I'm trying to query the API using Fetch API (i.e. from a javascript code) and I encounter a CORS problem.

For example, I'm trying to run this code:

const response = await fetch('https://api.deps.dev/v3alpha/systems/npm/packages/%40colors%2Fcolors')

but I got blocked by the browser.

Is there any header/parameter I'm missing here, or is there any other way in which I can query the API from a client application?

Thanks!

Case-sensitive Maven package names lead to 404s

Similar to #7, I'm seeing 404s when the package name doesn't match some canonical form:

% curl https://api.deps.dev/v3alpha/systems/maven/packages/org.codenarc%3ACodeNarc/versions/3.3.0:dependencies -i
HTTP/2 200 
content-type: application/json
x-envoy-upstream-service-time: 17
strict-transport-security: max-age=2592000; includeSubDomains
grpc-status: 0
grpc-message: 
content-length: 3794
vary: Accept-Encoding
date: Sun, 24 Sep 2023 16:45:06 GMT
server: envoy
via: 1.1 google
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

{"nodes":[{"versionKey":{"system":"MAVEN","name":"org.codenarc:CodeNarc","version":"3.3.0"},"bundled":false,"relation":"SELF","errors":[]},{"versionKey":{"system":"MAVEN","name":"com.github.javaparser:javaparser-core","version":"3.23.0"},"bundled":false,"relation":"INDIRECT","errors":[]},{"versionKey":{"system":"MAVEN","name":"com.thoughtworks.qdox:qdox","version":"1.12.1"},"bundled":false,"relation":"INDIRECT","errors":[]},{"versionKey":{"system":"MAVEN","name":"org.apache.ant:ant","version":"1.10.11"},"bundled":false,"relation":"INDIRECT","errors":[]},{"versionKey":{"system":"MAVEN","name":"org.apache.ant:ant-antlr","version":"1.10.11"},"bundled":false,"relation":"INDIRECT","errors":["could not find a version that satisfies requirement 1.8.0 for package com.sun:tools"]},{"versionKey":{"system":"MAVEN","name":"org.apache.ant:ant-junit","version":"1.10.11"},"bundled":false,"relation":"INDIRECT","errors":["could not find a version that satisfies requirement 1.8.0 for package com.sun:tools"]},{"versionKey":{"system":"MAVEN","name":"org.apache.ant:ant-launcher","version":"1.10.11"},"bundled":false,"relation":"INDIRECT","errors":["could not find a version that satisfies requirement 1.8.0 for package 
com.sun:tools"]},{"versionKey":{"system":"MAVEN","name":"org.codehaus.groovy:groovy","version":"3.0.9"},"bundled":false,"relation":"DIRECT","errors":[]},{"versionKey":{"system":"MAVEN","name":"org.codehaus.groovy:groovy-ant","version":"3.0.9"},"bundled":false,"relation":"DIRECT","errors":[]},{"versionKey":{"system":"MAVEN","name":"org.codehaus.groovy:groovy-docgenerator","version":"3.0.9"},"bundled":false,"relation":"INDIRECT","errors":[]},{"versionKey":{"system":"MAVEN","name":"org.codehaus.groovy:groovy-groovydoc","version":"3.0.9"},"bundled":false,"relation":"DIRECT","errors":[]},{"versionKey":{"system":"MAVEN","name":"org.codehaus.groovy:groovy-json","version":"3.0.9"},"bundled":false,"relation":"DIRECT","errors":[]},{"versionKey":{"system":"MAVEN","name":"org.codehaus.groovy:groovy-templates","version":"3.0.9"},"bundled":false,"relation":"DIRECT","errors":[]},{"versionKey":{"system":"MAVEN","name":"org.codehaus.groovy:groovy-xml","version":"3.0.9"},"bundled":false,"relation":"DIRECT","errors":[]},{"versionKey":{"system":"MAVEN","name":"org.gmetrics:GMetrics","version":"2.1.0"},"bundled":false,"relation":"DIRECT","errors":[]},{"versionKey":{"system":"MAVEN","name":"org.slf4j:slf4j-api","version":"1.7.35"},"bundled":false,"relation":"DIRECT","errors":[]}],"edges":[{"fromNode":0,"toNode":7,"requirement":"3.0.9"},{"fromNode":0,"toNode":8,"requirement":"3.0.9"},{"fromNode":0,"toNode":10,"requirement":"3.0.9"},{"fromNode":0,"toNode":11,"requirement":"3.0.9"},{"fromNode":0,"toNode":12,"requirement":"3.0.9"},{"fromNode":0,"toNode":13,"requirement":"3.0.9"},{"fromNode":0,"toNode":14,"requirement":"2.1.0"},{"fromNode":0,"toNode":15,"requirement":"1.7.35"},{"fromNode":5,"toNode":3,"requirement":"1.10.11"},{"fromNode":8,"toNode":3,"requirement":"1.10.11"},{"fromNode":8,"toNode":4,"requirement":"1.10.11"},{"fromNode":8,"toNode":5,"requirement":"1.10.11"},{"fromNode":8,"toNode":6,"requirement":"1.10.11"},{"fromNode":8,"toNode":7,"requirement":"3.0.9"},{"fromNode":8,"toNode":
10,"requirement":"3.0.9"},{"fromNode":9,"toNode":2,"requirement":"1.12.1"},{"fromNode":9,"toNode":7,"requirement":"3.0.9"},{"fromNode":9,"toNode":12,"requirement":"3.0.9"},{"fromNode":10,"toNode":1,"requirement":"3.23.0"},{"fromNode":10,"toNode":7,"requirement":"3.0.9"},{"fromNode":10,"toNode":9,"requirement":"3.0.9"},{"fromNode":10,"toNode":12,"requirement":"3.0.9"},{"fromNode":11,"toNode":7,"requirement":"3.0.9"},{"fromNode":12,"toNode":7,"requirement":"3.0.9"},{"fromNode":12,"toNode":13,"requirement":"3.0.9"},{"fromNode":13,"toNode":7,"requirement":"3.0.9"}],"error":""}
% curl https://api.deps.dev/v3alpha/systems/maven/packages/org.codenarc%3acodenarc/versions/3.3.0:dependencies -i
HTTP/2 404 
content-type: application/grpc
grpc-status: 5
grpc-message: dependencies not found
x-envoy-upstream-service-time: 9
strict-transport-security: max-age=2592000; includeSubDomains
content-length: 0
date: Sun, 24 Sep 2023 16:45:15 GMT
server: envoy
via: 1.1 google
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

This package name is derived from the purl in the below SBOM from the GitHub API, taken from https://api.github.com/repos/jenkinsci/job-dsl-plugin/dependency-graph/sbom, located at https://gist.github.com/jamietanna/3a2a933e06aea06a7e833a0f1b43876d#file-job-dsl-sbom-json-L8313-L8327

I don't believe that Maven packages are case-sensitive.

Clarify license for data from deps.dev API

The documentation mentions the terms under which the API can be used, but links to the generic Google API terms https://developers.google.com/terms. I don't see a specific reference to the license under which the data is made available? Could this be made explicit? A suitable creative commons license would be ideal (with attribution if preferred), but any explicit license would be better than none.

Getting release / publish date for versions

Is there any way of fetching the release / publish date for versions? Seems like it's listed on the website as the publish date, but I don't see a way of getting it through the API or the BigQuery dataset.

Thanks!

Support hex packages (Erlang/Elixir)

The idea would be to add support for https://hex.pm/

Let's be honest, there are just little to no APIs that give support for Erlang and Elixir packages.
A use case could be periodic dependency scanning looking for vulnerabilities.

Nuget packages missing repositories

For example this nuget package: https://deps.dev/nuget/azure.core

Has the Homepage: https://github.com/Azure/azure-sdk-for-net/blob/Azure.Core_1.34.0/sdk/core/Azure.Core/README.md but no Repo

The Repo should be https://github.com/Azure/azure-sdk-for-net/

Another example is this package: https://deps.dev/nuget/microsoft.aspnetcore.authorization

Which contains in the description "This package was built from the source code at https://github.com/dotnet/aspnetcore/tree" but doesn't contain Repo metadata

could not find module for package import

this page:
https://deps.dev/go/154.pages.dev%2Fwidevine

shows this:

Warning
We found errors while resolving dependencies that may result in an incomplete or inaccurate dependency graph.
could not find module for package import: 154.pages.dev/protobuf

which is not valid:

> curl https://154.pages.dev/protobuf
<!doctype html>
<html lang="en">
<head>
<meta name="go-import" content="154.pages.dev/protobuf git https://github.com/3052/protobuf">
</head>
</html>

https://pkg.go.dev/154.pages.dev/protobuf
https://godocs.io/154.pages.dev/protobuf

Request gitoid:sha1 and gitoid:sha256 as hash types for query api

There's a standing problem with folks using scanners to try to determine SBOMs. They produce lots of false positives. False positives lead to lots of wasted effort trying to rule out CVEs from those false positives. OmniBOR would allow capturing the precise artifact dependency graph from source files up. What would be needed to convert this into an SBOM would be the ability to map the hash of the 'leaves' (source files) to (component name, version, supplier) tuples. Naturally, deps.dev's query API looks like a great solution to that. OmniBOR uses gitoids as identifiers, because the most interesting artifacts in the artifact dependency graph, the leaf source code files, are typically stored in git, and indexed by gitoid.

Currently https://docs.deps.dev/api/v3alpha/#query supports many different hash types. This is good :)

It would be very useful if it could support Git Object IDs (gitoids) as a hash type.

Today git supports two kinds of gitoids: gitoid:sha1 and gitoid:sha256. gitoid:sha256 was recently introduced, with the option per repo to use it. As of yet it has seen little use. Therefore it's important to support both gitoid:sha1 and gitoid:sha256.

gitoids for blobs are easy to compute. You simply prepend the 'git object header' to the file contents and compute the hash (either sha1 or sha256) over the result. A 'git object header' for a blob is 'blob␣${size}\0', where '␣' represents the UTF-8 character 0x20 and '\0' represents the null character 0. ${size} is the number of bytes of ${content} represented as a string in base 10.

Simple golang gitoid computation code can be found here for reference. Further checks can be done using the git hash-object command.
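The header-then-hash construction described in this request, as an added Go example that is not code from the deps.dev repository or from the issue author. It computes both gitoid:sha1 and gitoid:sha256 for a blob and, for comparison, the plain SHA-1 of the same bytes, which is the value a file-hash query would send by mistake.

```go
// Added example, not from the deps.dev repository: compute a blob's gitoid
// exactly as described in the issue above, with either SHA-1 or SHA-256.
package main

import (
	"crypto/sha1"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"hash"
)

// GitOID hashes the header "blob <size>\x00" followed by the content. The
// size prefix is what makes a gitoid differ from a plain hash of the file,
// so a query API must know which of the two it has been handed.
func GitOID(h hash.Hash, content []byte) string {
	h.Reset()
	fmt.Fprintf(h, "blob %d\x00", len(content))
	h.Write(content)
	return hex.EncodeToString(h.Sum(nil))
}

func GitOIDSHA1(content []byte) string   { return GitOID(sha1.New(), content) }
func GitOIDSHA256(content []byte) string { return GitOID(sha256.New(), content) }

// PlainSHA1 is the file hash without the git header, for comparison.
func PlainSHA1(content []byte) string {
	sum := sha1.Sum(content)
	return hex.EncodeToString(sum[:])
}

func main() {
	// "hello\n" is a handy check value: `printf 'hello\n' | git hash-object --stdin`
	// prints the same gitoid:sha1 as the first line below.
	blob := []byte("hello\n")
	fmt.Println("gitoid:sha1   ", GitOIDSHA1(blob))
	fmt.Println("gitoid:sha256 ", GitOIDSHA256(blob))
	fmt.Println("plain sha1    ", PlainSHA1(blob))
}
```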

API to access dependents for a specific version

Hello,

I am trying to do some analysis on package usage especially with PyPI packages. I know there are APIs that are present for viewing the dependencies of packages - but is there a way to parse the dependents of a package given the version via the api?

Details for non-standard licenses

The FAQ page says:

We identify licenses as SPDX expressions. When there is no associated SPDX identifier, we indicate the license is non-standard. When we are unable to obtain license information, we indicate the license is unknown.

Is there a way, via the APIs, to see which identified license values were the reason for the tool to indicate non-standard?

Or could the API be enhanced, instead of:

"licenses": [
    "non-standard"
  ],

it would return

  "licenses": {
      "spdx" : [],
      "non-standard" : ["Apache License 2"]
  }  

In case of an identified SPDX id it would return

  "licenses": {
      "spdx" : ["Apache-2.0"],
      "non-standard" : []
  }

LLM Dependency chatbot

Hi Deps.dev team,

This work is very interesting and useful. To boost its benefits, I've recently developed and implemented an LLM dependency chatbot for Python packages based on the cool DepsDev API.
For a given Python package, the dependency graph will be constructed as a knowledge graph in Neo4j. I implemented several tools to automate the generation of Cypher queries to read/write from and to the knowledge graph.

Here you can find the details of my LinkedIn post.

Curious about seeing a Retrieval-Augmented Generation (RAG) app on top of Knowledge Graphs in the software supply chain domain, I'm excited to share our Python Dependency Chatbot. 
Thanks to [Langroid](https://www.linkedin.com/company/langroid/) framework for facilitating the development of this application by enabling multi-agent and supporting neo4j graph database.

The chatbot in action, a gif recording shows how to use the app: 
https://shorturl.at/nN578

More details: 
https://shorturl.at/lMO13

Try it in this Colab Notebook:
https://shorturl.at/oAO07 

Or run it as a script:
https://shorturl.at/CDKR7

What's next:
- Adding more agents to handle vulnerabilities, version conflicts, and licensing.
- Considering other languages.

Mohannad
http://mohannadcse.netlify.app

Cross-language dependencies?

Currently, deps.dev only shows dependencies that are in the same language as the project. However, it's increasingly common for projects to be multi-lingual.

For example, https://deps.dev/pypi/cryptography/41.0.7 lists the python dependencies of cryptography, but cryptography also contains rust code which depends on various crates.

Parse and expose changelog

Some package ecosystems expose less information out-of-the-box (e.g. Dart exposes changelogs automatically, while NPM does not).

It would be cool if deps.dev would write an abstract parser for this information that takes the information from various possible places (GitHub releases, CHANGELOG.md files, ...) and exposes it for all ecosystems (bridging the gap for ones that don't have that).

Missing links for Go package versions

Is there an issue where the API is not properly querying for GO packages?

For example, I am querying this go package via the API and I am not getting field Links []*pb.Link back from the *pb.Version even though it shows it on deps.dev.

my pb.VersionKey is as follows:

	versionReq := &pb.GetVersionRequest{
		VersionKey: &pb.VersionKey{
			System:  pb.System_GO, // enum value 1
			Name:    "github.com/puerkitobio/purell",
			Version: "v1.1.1",
		},
	}

Querying with the same pb.VersionKey for the dependencies works but specifically, I am looking to get the link that contains the "SOURCE_REPO" such that I can use that in GetProjectRequest to find the scorecard information.

Querying pkg:pypi/[email protected] via the same method works without an issue.

Include advisories in package response

Currently, in order to get any known advisories for a specific package, you have to first look up the package to identify all known package versions, then request the data for each version to get the advisory keys. It would be nice to be able to get all keys for all versions within the response for the package.

Dependent information storage

I would like to ask if a graph database should be used to store massive dependency information and dependency topology information? What do we use to store this data?

Include advisories and licenses in dependency graphs?

(Originally requested by @agmond in #3.)

Currently, to get a list of the advisories that affect a package version or one of its dependencies, a client:

  1. Calls GetDependencies.
  2. For each node in the response, calls GetVersion, ideally making many requests concurrently as in the package_lock_licenses example.

If the response from GetDependencies included advisories, only a single call would be needed. The same applies to licenses.

The downside is that the response would be larger (and slower to serve) for all clients, regardless of whether they are interested in advisories (or licenses).

show available "Security Advisories" and "Licenses" when "Failed to fetch dependencies."

This is a request to enhance the package information pages on https://deps.dev/ when dependency information is not available.

For example:
https://deps.dev/maven/org.apache.activemq%3Aactivemq-broker/5.18.1

The "Dependencies" box shows "Failed to fetch dependencies" which is true. This currently returns a 404:
https://api.deps.dev/v3alpha/systems/maven/packages/org.apache.activemq%3Aactivemq-broker/versions/5.18.1:dependencies

However, what is problematic or unexpected is that both "Security Advisories" and "Licenses" also show "Failed to fetch dependencies" even though that information is available:
https://api.deps.dev/v3alpha/systems/maven/packages/org.apache.activemq%3Aactivemq-broker/versions/5.18.1

{
  "versionKey": {
    "system": "MAVEN",
    "name": "org.apache.activemq:activemq-broker",
    "version": "5.18.1"
  },
  "isDefault": true,
  "licenses": [
    "Apache-2.0"
  ],
  "advisoryKeys": [],
  "links": [
    {
      "label": "SOURCE_REPO",
      "url": "https://github.com/apache/activemq"
    },
    {
      "label": "ISSUE_TRACKER",
      "url": "https://issues.apache.org/jira/browse/AMQ"
    },
    {
      "label": "HOMEPAGE",
      "url": "http://activemq.apache.org"
    }
  ]
}

As a user, I would still expect to see the license and any security advisories.

[data quality] npm/nyc v11.4.1

I noticed some odd dependency versionKey names, seemingly only on version 11.4.1 of the npm package nyc, with > symbols.

https://api.deps.dev/v3alpha/systems/npm/packages/nyc/versions/11.4.1:dependencies

"versionKey": {
  "system": "NPM",
  "name": "nyc>11.4.1>align-text",
  "version": "0.1.4"
},

Later versions of nyc such as 15.1.0 have normal versionKey names:
https://api.deps.dev/v3alpha/systems/npm/packages/nyc/versions/15.1.0:dependencies

"versionKey": {
  "system": "NPM",
  "name": "color-convert",
  "version": "2.0.1"
},

GetDependencies API endpoint docs includes NUGET

I noticed the docs for the API mention that GetDependencies versionKey.system can be one of GO, NPM, CARGO, MAVEN, PYPI, NUGET

https://docs.deps.dev/api/v3alpha/#getdependencies

However, the docs mention that this endpoint is not available for nuget

GetDependencies returns a resolved dependency graph for the given package version. Dependencies are currently available for Go, npm, Cargo, Maven and PyPI.

The API gives a 404 for any nuget, so it's just the docs that need to be updated

404 -> https://api.deps.dev/v3alpha/systems/nuget/packages/azure.core/versions/1.25.0:dependencies

Support for more Maven registries

Hello,

I'm working on the XWiki project, and while checking for security issues on https://osv.dev/, I noticed that some of our maven modules are not listed on https://deps.dev/.

For instance, https://deps.dev/maven/org.xwiki.commons%3Axwiki-commons-collection or https://deps.dev/maven/org.xwiki.rendering%3Axwiki-rendering-macro-content are correctly found.
But, org.xwiki.platform:xwiki-platform-attachment-api cannot be found.

Can you confirm that the latter is not found because we upload the release to our own public repository instead of the central repository?

And if so, is there some way to make our artifacts indexed in https://deps.dev/

Sincerely,
Manuel Leduc

Wrong response type: string should be int

Hi google team.

@zaibon just opened an issue in my repo (edoardottt/depsdev#51) pointing out that the fields lineCount and lineCoverCount are strings now, but they should be integers following the docs (https://docs.deps.dev/api/v3alpha/#getproject).

Try this:

curl "https://api.deps.dev/v3alpha/projects/github.com%2Fklauspost%2Fcompress" | grep -i linecount
...
"ossFuzz":{"lineCount":"20711","lineCoverCount":"12156",
...

What are your thoughts on this? Will you change the docs or the APIs?

thanks

RubyGems support

Looking forward to seeing Ruby gems support integrated into deps.dev.
Is there any plan for this?

Can we get whole list of a certain system?

Thanks for the great work.

I am a Ph.D. student from China and focus on software data analysis. We are very interested in analysis from a global network with collaboration or dependency relationships.

So deps.dev surely provides a very good data source, so I am curious that is there an interface to get a whole list of a certain system like maven? Just like https://pypi.org/simple/ for PyPI, https://skimdb.npmjs.com/registry/_all_docs for npm and https://packagist.org/packages/list.json for Composer.

It will be a great help to get the list, and we will carefully design the program to avoid redundant API calls for history data.

Serve "observed at" times for Go modules

"Published" is empty for GO package versions on the website https://deps.dev/go/github.com%2Frs%2Fzerolog/v1.31.0/versions:
[screenshot]

Same for the REST API:
NPM: https://api.deps.dev/v3alpha/systems/npm/packages/typescript
[screenshot]

GO: https://api.deps.dev/v3alpha/systems/go/packages/github.com%2Frs%2Fzerolog
[screenshot]

I checked all systems and GO and NUGET seem to be incomplete? The REST API documentation does not mention why some attributes are missing in these systems.

available: versions + published_at + dependents

CARGO https://deps.dev/cargo/rand/0.8.5/versions
NPM https://deps.dev/npm/react/18.2.0/versions
PYPI https://deps.dev/pypi/beautifulsoup4/4.12.2/versions
MAVEN https://deps.dev/maven/org.springframework%3Aspring-core/6.1.1/versions

available: versions + dependents

GO https://deps.dev/go/github.com%2Frs%2Fzerolog/v1.31.0/versions

available: versions + published_at

NUGET https://deps.dev/nuget/hangfire.core/1.8.6

Is it possible to add the published timestamp?

The underlying source https://index.golang.org/index has timestamps, so I am wondering why those aren't available on deps.dev. I need this information to be available in my project to be able to build package timelines.

GetProjectPackageVersions returns no data

Sorry, maybe I'm doing something wrong...

I'm trying to pull some data using this endpoint:

curl 'https://api.deps.dev/v3alpha/projects/github.com%2Fedoardottt%2Fcariddi:packageversions'

Same for other projects

curl 'https://api.deps.dev/v3alpha/projects/github.com%2Fopenwrt%2Fopenwrt:packageversions'

However I always get a 404 no matter which package / project I choose...

How should I use this API?

New API endpoint to get specific dependent versions

Hello! I would love to have a deps.dev API endpoint for the following scenario.

Scenario: I'm using the package xmlbuilder v4.1.0. It has the indirect dependency lodash v3.10.1 which contains the vulnerability GHSA-29mw-wpgm-hmr9.

Given I know that the vulnerability is fixed in lodash v4.17.21 because of the advisory, I'd like to search the dependents of lodash for all versions of xmlbuilder to see which version of xmlbuilder is using v4.17.21 so that I can upgrade to that version.

The equivalent bigquery would look something like this

SELECT DISTINCT
    Dependent.System AS DependentSystem,
    Dependent.Name AS DependentName,
    Dependent.Version AS DependentVersion,
    MinimumDepth,
    DependentIsHighestReleaseWithResolution
FROM `bigquery-public-data.deps_dev_v1.Dependents`
WHERE Name = 'lodash' 
AND Version = '4.17.21' 
AND Dependent.Name = 'xmlbuilder';

Would this be feasible?

Handle requests for different spellings of a given version

I've been recently working on tooling to improve visibility of internal + Open Source projects at https://dmd.tanna.dev/ and have just integrated deps.dev into my tooling, and noticed a bug.

For instance, when trying to resolve https://pypi.org/project/cryptography/2.7/ via the API, you'll notice that it fails unless we add the .0 suffix.

% curl https://api.deps.dev/v3alpha/systems/PYPI/packages/cryptography/versions/2.7 -i
HTTP/2 404
content-type: application/grpc
grpc-status: 5
grpc-message: version not found
x-envoy-upstream-service-time: 9
strict-transport-security: max-age=2592000; includeSubDomains
content-length: 0
date: Fri, 14 Apr 2023 18:05:56 GMT
server: envoy
via: 1.1 google
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

% curl https://api.deps.dev/v3alpha/systems/PYPI/packages/cryptography/versions/2.7.0 -i
HTTP/2 200
content-type: application/json
x-envoy-upstream-service-time: 13
strict-transport-security: max-age=2592000; includeSubDomains
grpc-status: 0
grpc-message:
content-length: 324
vary: Accept-Encoding
date: Fri, 14 Apr 2023 18:06:00 GMT
server: envoy
via: 1.1 google
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

{"versionKey":{"system":"PYPI","name":"cryptography","version":"2.7.0"},"isDefault":false,"licenses":["non-standard"],"advisoryKeys":[{"id":"GHSA-hggm-jpg3-v476"},{"id":"GHSA-w7pp-m8wf-vj6r"},{"id":"GHSA-x4qr-2fvf-3mr5"},{"id":"PYSEC-2021-62"}],"links":[{"label":"SOURCE_REPO","url":"https://github.com/pyca/cryptography"}]}

However, this shouldn't be required, as the version itself is set to 2.7.

I've been tracking this issue in my project in https://gitlab.com/tanna.dev/dependency-management-data/-/issues/74, if that's of use.

Software signatures and upcoming standards about remote attestation

Hi y'all, I work on Google Cloud's confidential computing and am particularly focused on securing the software supply chain. I'm interested in protecting customers from Google as computer operators, and not the other way around, i.e., end user device DRM.

I'm here to ask about collaboration on standards for the deps.dev API to participate in a federated future.

The IETF has a few work streams that all synergize to make the entirety of a VM's firmware, OS, middleware, and application stack remotely attestable (RATS for remote attestation, and WIMSE for workload identity) in a manner such that every digest can be tied back to the source bits and builder container (SCITT).

The sigstore.dev project allows software vendors to tie their build provenance to a trusted append-only log for authentication and non-repudiation. This log combined with the carrier format of build provenance in https://slsa.dev is a potential implementation of SCITT. Microsoft's CACM article "Why should I trust your code?" describes a Code Transparency Service that is also a potential implementation.

Whereas SLSA uses in-toto attestations that can be rather bulky, the IETF RATS working group is proposing concise representations in the form of CWT for attestation tokens representing checked claims and CoRIM for software digests and endorsed claims of their properties.

All of the RATS draft specifications are getting co-designed with reference implementations in the github.com/veraison project. The primary software outside of parsers is the Verifier. There is a provisioning service that allows reference value providers to inform the Verifier of values, but it's not designed to be a database that cooperates with other verifier implementations.

I see deps.dev as a potential implementation of a reference value service. I also don't think that deps.dev should be a monolith. Instead we can have multiple providers operating within the fediverse. The working group has only focused on the carrier format for endorsements and reference values (CoRIM), but to be truly successful I think that all the elements of productionizing the components conceptualized in RFC9334 should be available as open source projects.

I invite y'all to come on over to https://datatracker.ietf.org/wg/scitt and https://datatracker.ietf.org/wg/rats for discussions so we can converge on a happy open ecosystem where we can all make software more provably secure in real systems.
