Cross reference a whitelist of packages to a vulnerability database
Source: R/create_lists.R
create_xref_whitelist.Rd
Search for package names for vulnerability information and selectively drop packages or define specific versions that should not be used in a curated repository.
Arguments
- packages
Character vector of package names.
- ecosystem
Character vector of ecosystem(s) within which the package(s) exist.
- output_format
Type of output to create (default is NULL for a data.frame).
Value
A data.frame or character vector containing cross-referenced packages.
Details
Note that some version suffixes may have compatibility issues. For example, the use of *-git as a suffix may not be recognized and may need to be dropped. For more details on PyPI package version naming see https://peps.python.org/pep-0440/.
Due to variations in formatting across OSV API responses, not all responses have versions associated with them; such responses are not directly compatible with this function.
Although the default output is a data.frame, for PyPI packages a requirements.txt format can be created that defines which versions should not be allowed based upon the cross-referencing performed. This can be useful when curating repositories in Posit Package Manager.
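The cross-referencing described above, worked through in Python as an added example (this is not the package's own code, and create_xref_whitelist itself is written in R). It assumes OSV-shaped responses, which are constructed inline here with made-up vulnerability ids and versions, and shows both caveats from the Details section: a "-git" suffix that does not parse as a PEP 440 version and is dropped, and a record that carries only ranges and no version list, which is flagged for manual review instead of becoming an exclusion.

```python
import re

# Constructed sample shaped like OSV /v1/query responses ({"vulns": [...]}),
# keyed by package name. Ids and versions are made up for this example.
SAMPLE_OSV = {
    "dask": {"vulns": [
        {"id": "EXAMPLE-0001", "affected": [{
            "package": {"name": "dask", "ecosystem": "PyPI"},
            "versions": ["2021.1.0", "2021.2.0", "2021.2.0-git"]}]},
        {"id": "EXAMPLE-0002", "affected": [{
            "package": {"name": "dask", "ecosystem": "PyPI"},
            "versions": ["2021.2.0", "2021.3.0"]}]},
    ]},
    "keras": {"vulns": [
        # Range-only record with no "versions" list: the shape the Details
        # section warns about, which cannot be turned into exclusions directly.
        {"id": "EXAMPLE-0003", "affected": [{
            "package": {"name": "keras", "ecosystem": "PyPI"},
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "0"}, {"fixed": "2.13.1"}]}]}]},
    ]},
    "aiohttp": {"vulns": []},
}

# Simplified PEP 440 public-version pattern; suffixes such as "-git" do not match.
PEP440_RE = re.compile(r"v?\d+(\.\d+)*((a|b|rc)\d+)?(\.post\d+)?(\.dev\d+)?")


def version_key(version):
    """Sort key: the integer components of a version string, in order."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def xref_whitelist(packages, osv_responses, ecosystem="PyPI"):
    """Cross-reference package names against OSV-shaped responses.

    Returns {package: {"versions": [...], "dropped": [...], "unversioned": [...]}}
    where "versions" are PEP 440-parsable affected versions, "dropped" are
    affected version strings that failed parsing, and "unversioned" are the
    vulnerability ids whose affected entries carry ranges but no version list.
    """
    result = {}
    for pkg in packages:
        versions, dropped, unversioned = set(), set(), set()
        for vuln in osv_responses.get(pkg, {}).get("vulns", []):
            for affected in vuln.get("affected", []):
                meta = affected.get("package", {})
                if meta.get("name") != pkg or meta.get("ecosystem") != ecosystem:
                    continue
                listed = affected.get("versions")
                if not listed:
                    unversioned.add(vuln["id"])
                    continue
                for v in listed:
                    (versions if PEP440_RE.fullmatch(v) else dropped).add(v)
        result[pkg] = {
            "versions": sorted(versions, key=version_key),
            "dropped": sorted(dropped),
            "unversioned": sorted(unversioned),
        }
    return result


def to_requirements(xref):
    """Render the cross-reference as requirements.txt lines that forbid the
    affected versions (PEP 508 'pkg!=a,!=b'). Unversioned findings and dropped
    version strings become comment lines so a curator can review them."""
    lines = []
    for pkg, info in xref.items():
        if info["versions"]:
            lines.append(pkg + ",".join("!=" + v for v in info["versions"]))
        else:
            lines.append(pkg)
        for vid in info["unversioned"]:
            lines.append(f"# {pkg}: {vid} lists ranges only; review manually")
        for v in info["dropped"]:
            lines.append(f"# {pkg}: dropped unparsable version {v!r}")
    return lines


if __name__ == "__main__":
    print("\n".join(to_requirements(
        xref_whitelist(["dask", "aiohttp", "keras"], SAMPLE_OSV))))
```

The exclusion form ("dask!=2021.1.0,!=2021.2.0,...") is what a package manager can enforce directly; the comment lines exist because silently dropping a range-only finding would leave a vulnerable version allowed without anyone noticing.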
Examples
if (FALSE) { # interactive()
  # Return xref dataset for CRAN package selection
  cran_pkg <- c('readxl', 'dplyr')
  cran_xref <- create_xref_whitelist(cran_pkg, ecosystem = 'CRAN')

  # Create a requirements.txt with excluded versions
  python_pkgs <- c('dask', 'aiohttp', 'keras')
  xref_pkg_list <- create_xref_whitelist(python_pkgs,
                                         ecosystem = 'PyPI',
                                         output_format = 'requirements.txt')
  file_name <- file.path(tempdir(), 'requirements.txt')
  writeLines(xref_pkg_list, file_name)

  # Clean up
  try(unlink(file_name))
}