Here’s a hypothetical scenario at a company: We have 2 repos that builds and deploys code as tools and libraries for other apps at the company. Let’s call this lib1
and lib2
.
There’s a third repo, let’s call it app
, that is application code that depends on lib1
and lib2
.
The hard part right now is keeping track of which version of lib1
and lib2
are packaged for app
at any point in time.
I’d like to know at a glance, say 1 month ago, what versions of app
is deployed and what version of lib1
and lib2
they were using. Ideally, I’m looking for a software solution that would be agnostic to any CI/CD build system, and doubly ideally, an open source one. Maybe a simple web service you call with some metadata, and it displays it in a nice UI.
Right now, we accomplish this by looking at logs, git commit history, and stick things together. I know I can build a custom solution pretty easily, but I’m looking for something more out-of-the-box.
The metadata you want is called a Software Bill of Materials, and there are a range of tools for generating them. Some generic ones include Trivy and Grype, but you may also find some for your language ecosystem by Googling ’ + SBOM’.
One tool you can use to view these versions with a web UI is OWASP Dependency-Track.
All of the tools mentioned and linked above are F/OSS.