Hey there, this is a fantastic and ambitious project, I love it!
It would really help me, as a person working on supply chain security, to be able to also gather information (when available) on the original source of a given dependency. For example, did a .jar come from Maven Central, Google's Maven repo, or a Gradle plugin repo? Did a JS package come from JSR or NPM? Same for things that would come from GitHub/etc Packages or releases, arbitrary URLs, local paths, etc.
This information helps to detect or prevent dependency confusion attacks, or to help address some rare issues where a project is compromised, but only in one location.
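As an added illustration of the kind of origin tracking the comment asks for (this is example code written for this page, not part of the project being discussed), the script below reads an npm `package-lock.json` fragment, records where each dependency was resolved from, and flags entries whose origin does not match an expected registry for their scope, entries fetched from non-registry sources (`file:`, `git+...`), and entries with no recorded origin at all. The lockfile content, the `@acme` scope, the `npm.acme-internal.example` host and the `EXPECTED_ORIGIN` policy are all constructed for the example.

```python
import json
from urllib.parse import urlparse

# Constructed sample lockfile fragment in the npm lockfileVersion 3 "packages" shape.
# Hosts, package names and the integrity value are made up for this example.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app"},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-CONSTRUCTED",
        },
        "node_modules/@acme/internal-utils": {
            "version": "2.0.1",
            "resolved": "https://npm.acme-internal.example/@acme/internal-utils/-/internal-utils-2.0.1.tgz",
        },
        # Same private scope, but resolved from the public registry: the classic
        # dependency-confusion symptom this kind of origin check is meant to surface.
        "node_modules/@acme/billing": {
            "version": "9.9.9",
            "resolved": "https://registry.npmjs.org/@acme/billing/-/billing-9.9.9.tgz",
        },
        "node_modules/vendored-thing": {
            "version": "0.1.0",
            "resolved": "file:vendor/vendored-thing-0.1.0.tgz",
        },
        # No "resolved" field at all: origin unknown, which is itself worth reporting.
        "node_modules/mystery": {"version": "1.0.0"},
    },
})

# Hypothetical policy: which registry hosts are expected per package scope.
# "*" is the fallback for unscoped packages and scopes not listed explicitly.
EXPECTED_ORIGIN = {
    "@acme": {"npm.acme-internal.example"},
    "*": {"registry.npmjs.org"},
}

NON_REGISTRY_SCHEMES = {"file", "link", "git", "git+https", "git+ssh"}


def origin_of(resolved):
    """Return (scheme, host) for a lockfile 'resolved' value; host is '' for file:/link:."""
    if resolved is None:
        return ("unknown", "")
    parsed = urlparse(resolved)
    return (parsed.scheme or "unknown", parsed.netloc)


def package_name(path):
    # "node_modules/@acme/x" -> "@acme/x"; for nested installs keep the last segment.
    return path.rsplit("node_modules/", 1)[-1]


def scope_of(name):
    # "@acme/x" -> "@acme"; unscoped packages map to the "*" policy bucket.
    return name.split("/", 1)[0] if name.startswith("@") else "*"


def audit_lock(lock_text, expected=EXPECTED_ORIGIN):
    """Return a list of (package, reason) findings for entries with a suspicious origin."""
    lock = json.loads(lock_text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":  # the root project entry, not a dependency
            continue
        name = package_name(path)
        scheme, host = origin_of(meta.get("resolved"))
        allowed = expected.get(scope_of(name), expected["*"])
        if scheme == "unknown":
            findings.append((name, "no resolved origin recorded"))
        elif scheme in NON_REGISTRY_SCHEMES:
            findings.append((name, f"non-registry origin: {meta['resolved']}"))
        elif host not in allowed:
            findings.append((name, f"unexpected registry {host}"))
    return findings


if __name__ == "__main__":
    for pkg, reason in audit_lock(SAMPLE_LOCK):
        print(f"{pkg}: {reason}")
```

The check is deliberately per-scope rather than a single global allowlist: the interesting case for dependency confusion is a private scope whose package was resolved from the public registry, which only stands out when the expected origin is recorded alongside the dependency. The same pattern applies to Maven (`repositories` in a Gradle or Maven build versus the repository a `.jar` was actually fetched from) once that origin is captured in the inventory.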