feat: Implement Hex Enumerable Ecosystem #4271
Conversation
|
Thanks for the PR! Can I ask whether there's a specific use case for enumerating versions? We generally don't enumerate versions for ecosystems with SEMVER type versions, as they are easily comparable. We are happy to look into supporting enumerating versions for SEMVER types if there's a good use case, though it would require a bit of work. |
|
@another-rex The primary intent behind this change was to bring feature parity to non-EEF source reports. EEF provides a list of versions with the OSV data, but others like GHSA do not. Additionally, having the versions pre-resolved makes the implementation with some tooling that we're planning simpler. Essentially I can join OSV information taken from an OSV dump, upsert it into a DB table and I have all the information for a join to a release. If we need to evaluate the events, that is some extra work that we need to do outside the DB / at runtime. This use case can however be implemented as well with some extra work if OSV does not wish to include this change. Is there any downsides to adding this? |
2 participants
Should provide detailed version list for data sources like GHSA.
Example: https://osv.dev/vulnerability/GHSA-9fm9-hp7p-53mf
Uses the
/packages/{package}HEX API. Spec: https://github.com/hexpm/specifications/blob/72dc140b8766f687869d3265c88a6725021cdbc1/apiary.apib#L428