
feature request: Capability diff between two versions of a given Go module/package. #35

Open
mewmew opened this issue Sep 26, 2023 · 3 comments

Comments

@mewmew
Contributor

mewmew commented Sep 26, 2023

First off, really happy to see the birth of the capslock tool as having a way to track capabilities used by transitive dependencies is key to mitigating supply-chain attacks.

One feature that would be really incredible to incorporate in capslock and associated tools is to easily diff the capabilities added/removed in between two versions of a given Go module/package.

And furthermore, make it possible to hook this functionality up to go get -u.

Imagine being able to run go get -u ./... to update packages of a Go module and having warnings be emitted for newly added capabilities of transitive dependencies.

E.g.

$ go get -u github.com/org/repo/pkg
WARNING: new capability added to `github.com/org/repo/pkg` (os/exec). Added in version 2023-09-26-githash.

Of course, neither go get nor capslock need to perform the capability diff itself; it could be a third glue tool that reads the versions (of updated dependencies) from go get -u and the json output of capabilities of capslock and prints warnings for newly added capabilities.

Once more, thanks for working to improve this space and help regain confidence in the capabilities utilized by dependencies in the open source community.

With cheerful regards,
Robin
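The glue tool sketched above, as an added example that is not part of this issue or of capslock itself: a Go function that diffs two capslock-style JSON reports and emits one warning line per capability a package gained, in the format the post proposes. The JSON field names (`capability_info`, `package_name`, `capability`), the capability strings and the sample reports are assumptions constructed for the illustration, not capslock's documented schema or output.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Assumed report shape (an assumption, not verified against capslock): a
// "capability_info" array whose entries carry "package_name" and "capability".
type report struct {
	CapabilityInfo []struct {
		PackageName string `json:"package_name"`
		Capability  string `json:"capability"`
	} `json:"capability_info"`
}
// capSet parses a report into a set of (package, capability) pairs.
func capSet(data []byte) (map[[2]string]bool, error) {
	var r report
	if err := json.Unmarshal(data, &r); err != nil {
		return nil, err
	}
	out := map[[2]string]bool{}
	for _, c := range r.CapabilityInfo {
		out[[2]string{c.PackageName, c.Capability}] = true
	}
	return out, nil
}
// Warnings lists capabilities present in newJSON but absent from oldJSON
// (a package missing from the old report counts as having gained everything).
func Warnings(oldJSON, newJSON []byte, version string) ([]string, error) {
	oldSet, err := capSet(oldJSON)
	if err != nil {
		return nil, err
	}
	newSet, err := capSet(newJSON)
	if err != nil {
		return nil, err
	}
	var out []string
	for pair := range newSet {
		if !oldSet[pair] {
			out = append(out, fmt.Sprintf("WARNING: new capability added to `%s` (%s). Added in version %s.", pair[0], pair[1], version))
		}
	}
	sort.Strings(out) // map iteration order is random; sort for stable output
	return out, nil
}
// Constructed sample reports standing in for two capslock runs of one package.
var oldReport = []byte(`{"capability_info":[{"package_name":"github.com/org/repo/pkg","capability":"CAPABILITY_FILES"}]}`) // old version
var newReport = []byte(`{"capability_info":[{"package_name":"github.com/org/repo/pkg","capability":"CAPABILITY_FILES"},{"package_name":"github.com/org/repo/pkg","capability":"CAPABILITY_EXEC"}]}`) // new version gains exec
```

Calling `Warnings(oldReport, newReport, "2023-09-26-githash")` yields a single line for the newly added exec capability; running the same report against itself yields none.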

@jcd2
Collaborator

jcd2 commented Sep 29, 2023

Thanks! Having smooth workflows for just this kind of use-case is definitely something we're working on.

@mewmew
Contributor Author

mewmew commented Sep 29, 2023

> Thanks! Having smooth workflows for just this kind of use-case is definitely something we're working on.

Hi John,

That's wonderful to hear!

Really glad to see such an active effort towards mitigating potential supply chain attacks. It's vital for the health of the Go open source ecosystem.

With kindness,
Robin

@rata

rata commented May 15, 2024

Hi! I'm interested in this too. Is there any WIP code for this feature available?
