DevOps

1638 readers

1 users here now

DevOps integrates and automates the work of software development (Dev) and IT operations (Ops) as a means for improving and shortening the systems development life cycle.

Rules:

Posts must be relevant to DevOps
No NSFW content
No hate speech, bigotry, etc
Try to keep discussions on topic
No spam of tools/companies/advertisements
It’s OK to post your own stuff part of the time, but the primary use of the community should not be promotional content.

Icon base by Lorc under CC BY 3.0 with modifications to add a gradient

founded 1 year ago

MODERATORS

Ategon@programming.dev

RandomDevOpsDude@programming.dev

Is there software that tracks internal dependencies for CI/CD? (programming.dev)

submitted 1 year ago by jim@programming.dev to c/devops@programming.dev

5 comments fedilink hide all child comments

Here's a hypothetical scenario at a company: We have 2 repos that builds and deploys code as tools and libraries for other apps at the company. Let's call this lib1 and lib2.

There's a third repo, let's call it app, that is application code that depends on lib1 and lib2.

The hard part right now is keeping track of which version of lib1 and lib2 are packaged for app at any point in time.

I'd like to know at a glance, say 1 month ago, what versions of app is deployed and what version of lib1 and lib2 they were using. Ideally, I'm looking for a software solution that would be agnostic to any CI/CD build system, and doubly ideally, an open source one. Maybe a simple web service you call with some metadata, and it displays it in a nice UI.

Right now, we accomplish this by looking at logs, git commit history, and stick things together. I know I can build a custom solution pretty easily, but I'm looking for something more out-of-the-box.

you are viewing a single comment's thread
view the rest of the comments

[–] purelynonfunctional@programming.dev 1 points 11 months ago

The metadata you want is called a Software Bill of Materials, and there are a range of tools for generating them. Some generic ones include Trivy and Grype, but you may also find some for your language ecosystem by Googling ' + SBOM'.

One tool you can use to view these versions with a web UI is OWASP Dependency-Track.

All of the tools mentioned and linked above are F/OSS.