Opam Dependency Submission

[smorimoto]

We've done a lot of work over the last few years to integrate the dependency submission API with opam, OCaml's official package manager. See this post for details: https://discuss.ocaml.org/t/ann-set-up-ocaml-analysis

The next thing I want to do is provide decent support for opam packages on GitHub.

It would be great to be able to publish vulnerabilities on GitHub and/or such as which repositories your library is used in!

[smorimoto]

@jonjanego

[smorimoto]

Ref: github/advisory-database#1897

[smorimoto]

Ref: https://github.com/orgs/community/discussions/19663

[jonjanego]

Thanks for filing this issue @smorimoto . Could you elaborate more on what you mean by 'provide decent support for opam packages on GitHub'?

[smorimoto]

@jonjanego I would like to add support to the OCaml packages like the npm packages have here.
We now have a collection of packages on the official site, and we would love to link to them on GitHub Dependency graph tab, and some packages have GitHub Repository info, so we would like to link to GitHub repository instead.

[smorimoto]

Hmm... Thinking about this again, it seems hard to link repositories with just the information from the purl. Another idea is that the specification of the URL of ocaml.org can be easily composited with just the information from the purl, so it would be ideal to use it?

Spec

https://ocaml.org/p/[PACKAGE NAME]/[PACKAGE VERSION]

Example

https://ocaml.org/p/dune/3.13.0

[jonjanego]

Thanks for the suggestion @smorimoto ! At this time, adding OCaml support natively into the dependency graph functionality isn't something on our roadmap, but we'll certainly keep it in mind for the future.