Software Packages

[jon-nfc]

Add to the ITAM module, software package details for use with the software component.

Use Case

Being able to determine the package details of an application is paramount to being able to manage it. in addition to this once the package details are known, automations can then be used to fetch this information from ITAM to use.

Details

Add a child component for use with the Software component called software package. the fields for the module could be:

• id Primary Key
• type Package type, choice apt|docker|pypi|git|ansible
• url url of package

Package Types

It's desirable that the package types can have the information fetched from a publicly accessible endpoint.

• docker provides an API endpoint for containers https://docs.docker.com/docker-hub/api/latest/#tag/repositories
• pypi provides an API for packages curl --header 'Accept: application/json' https://pypi.org/pypi/<package name>/json | jq
• git Both gitlab and github provide an API for repository access.

Package API Requests

For package services that provide an API endpoint, fetching of the details from it is desired as this provides means for the available versions to be automagically updated. Further features could also be added for example to provide information/feedback on installed versions that can be updated.

Links

• Blocks Software Vulnerabilities #3

• Blocks: deploy service to cluster #125

• Blocked By: API Browser #58

• Blocked By: dockerhub api browser #131

• Blocked By: PyPi API Browser #132

• Blocked by: artifacthub api browser #141

• Related: Deploy device software updates if available #85

• Related: Licence Management #4

• Related: Additional status icons on Devices page centurion_erp_ui#8

• Related OSV API browser #130

• Related Storing of API Credentials #138

• Reference: Container Images artifacthub/hub#1685 (comment)

• Reference: OCI Container spec: https://github.com/opencontainers/distribution-spec/blob/main/spec.md

Tasks

• Check APIs for each package type
  • ensure api checks are compliant with rate-limiting

Features

• Fetch packages versions and add them to as a new software version

  • Docker

  • PyPi

  • git

    • Gitlab
    • Github

  • Ansible

    • Ansible Collection
    • Ansible Role

  • Helm Charts (Cluster Management #71 Service Management #69 )

• be able to schedule Package checks for new versions

• Information links are added to software

  • Documentation
  • Homepage
  • issue/bug reporting url

• Each package manager to be usable with the relevant ansible module

Requirements

• Respects rate limiting for API access

• Outbound webhooks

  • On new version
  • On finding a vulnerability

[jon-nfc]

added 3m of time spent

[jon-nfc]

added 12m of time spent

[jon-nfc]

@jasonpagetas any ideas for this feature?

[jon-nfc]

added 42m of time spent

[jon-nfc]

added 1m of time spent