Dependency maintenance intelligence: detect stale/abandoned libs, per-library threat view, deepsearch harness #28
Labels
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set
Reference
Motstandskraft/spam#28
Loading…
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Goal
Detect stale / abandoned / unmaintained / archived third-party dependencies and make that a first-class input into the triage buckets — not just a passive metric. Plus, give every dependency a rich per-library view (like the npm / NuGet package page) with a threat analysis. Supported by a new long-running "deepsearch" job harness / agent so deep per-library investigation can run as a background task rather than a quick synchronous lookup.
What exists today (extend, don't duplicate)
internal/dephealthalready fetches library health metadata (activity, deprecation, stars) and producesArchivedDepCount,DeprecatedDepCount,MaxMajorBehind,MajorBehindDepCount,WorstDepHealthScore(seeassetrisk/score.go:19). Job typeFETCH_DEP_HEALTHrefreshes it (weekly, self-rescheduling).internal/manifestsparses lockfiles / package.json / etc. → the dependency graph + PURLs.asset_riskscoring: dep-health is currently a TrustScore / context input only — it never moves a triage tier (assetrisk/score.go). Today there is no per-library page and no "is the upstream repo abandoned?" signal beyond archived/deprecated flags.internal/providers/providerconfigcan reach GitHub/GitLab/Gitea source repos (encrypted PATs) — the source for commit cadence / archive status / maintainer activity.Proposed work
1. Staleness / abandonment detection
Per library (PURL or canonical package identity), compute a maintenance signal from upstream source repo + registry metadata:
stale, longer →dormant).deprecated, NuGet unlisted, etc.).Output a
dependency_maintenancerecord:{package_key, ecosystem, status: active|stale|dormant|abandoned|archived|deprecated, last_human_commit_at, last_release_at, bot_only_recent: bool, distinct_recent_authors, signals_json, computed_at}.2. Trace into triage buckets
Add maintenance fields to
assetrisk.Signals(e.g.AbandonedDepCount,StaleDepCount,BotOnlyDepCount) and decide their effect on tiers (open question below). At minimum they enrich TrustScore + context reasons; ideally an unmaintained dependency carrying a fixable CVE with no upstream activity (i.e. the fix will likely never come) is a distinct, surfaced situation in the triage detail panel. The "trace" means: from a triage bucket entry you can see which deps are dragging it down on maintenance grounds, and from a library page you can see which assets/clusters it endangers.3. Per-library view (npm / NuGet style)
A dedicated page per dependency showing:
manifests+cluster_image_inventory+ bindings) — ACL-filtered.MaxMajorBehind).4. Long-running "deepsearch" job harness / agent
A new job kind (e.g.
DEEPSEARCHorDEP_DEEPSEARCH) + harness for long-running, possibly multi-step agent investigations that don't fit the quickFETCH_DEP_HEALTHpoll:internal/runner) like other heavy jobs, with checkpointing / progress so it can run for minutes and survive worker churn (multi-replica safe via the existingSELECT … FOR UPDATE SKIP LOCKEDclaim).internal/llmadvisory) drives: pull source repo signals, read README/CHANGELOG/issues, cross-reference advisories, assess maintainer trust & abandonment, and write the structured threat analysis for the library page.Edge cases / decisions
org.opencontainers.image.sourceresolution where present; otherwise registry metadata; mark confidence.abandoned + fixable-or-KEV CVE(the "no fix is coming" case). Default off / configurable, mirroring the posture decision in #27 and escalation logic in #22.Tasks
dependency_maintenancemodel + computation (commit cadence, bot-vs-human author classification, archived/deprecated, release age) extendinginternal/dephealthproviders/providerconfig(cadence, archive status, authors)assetrisk.Signals+ decide context-vs-escalation (resolve open question)DEEPSEARCHjob kind + long-running harness (sandboxed runner, checkpoint/progress, multi-replica claim, status streaming)Relates to: #26 (per-repo audit shares dep graph + LLM plumbing), #22 (suppress a stale flag / escalation policy), #27 (context-vs-escalation precedent), #24 (
dependency.abandonedevent), #23 (expose in scan results).