Dependency Tracking Is Hard
4 days ago
- #dependency-management
- #libcurl
- #curl
- curl and libcurl are written in C and are low-level components used in many software systems.
- They are not part of any specific software ecosystem such as npm, Go, Rust, or Python.
- Package URLs (PURLs) cannot specify curl or libcurl as they are not part of an ecosystem.
- SBOM generators and scanners often miss libcurl because it's not listed by package managers.
- It's difficult for tools to track libcurl's own dependencies, because those are also outside standard ecosystems.
- libcurl and curl are often bundled with operating systems, making them seem part of the OS.
- Most dependency trackers stop at the layer above curl/libcurl, missing their usage details.
- GitHub lists only one dependent repository for curl, which appears to be a mistake.
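The gap described above (an SBOM built from package-manager metadata silently omitting libcurl) can be caught by cross-checking the SBOM against what a binary actually links at runtime. The following is an added example, not code from the original post or the curl project; the SBOM component list and the ldd-style output are both constructed inline.

```python
"""Cross-check an SBOM against what a binary actually links.

Added example, not from the original post. Both inputs are constructed
inline: a CycloneDX-style component list as an ecosystem-aware SBOM tool
might emit it, and ldd-style output for the same program. The aim is to
surface libcurl when package-manager metadata alone has missed it.
"""
import re

# Constructed: components an ecosystem-aware SBOM generator listed.
SBOM_COMPONENTS = [
    {"name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
    {"name": "pycurl", "version": "7.45.2", "purl": "pkg:pypi/pycurl@7.45.2"},
    {"name": "openssl", "version": "3.0.2", "purl": "pkg:deb/ubuntu/openssl@3.0.2"},
]

# Constructed: what `ldd` reports for the program's native extension module.
LDD_OUTPUT = """\
\tlinux-vdso.so.1 (0x00007ffd4a1f0000)
\tlibcurl.so.4 => /lib/x86_64-linux-gnu/libcurl.so.4 (0x00007f1c2a000000)
\tlibssl.so.3 => /lib/x86_64-linux-gnu/libssl.so.3 (0x00007f1c29f00000)
\tlibcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f1c29a00000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c29800000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f1c2a200000)
"""

# Shared-object name -> project that ships it (libssl and libcrypto both
# come from OpenSSL; libcurl from the curl project).
SONAME_TO_PROJECT = {"libcurl": "curl", "libssl": "openssl", "libcrypto": "openssl"}

_SONAME = re.compile(r"^\s*(lib[\w+-]+)\.so(?:\.\d+)*\s*=>")

def linked_libraries(ldd_text):
    """Base sonames (e.g. 'libcurl') of every resolved library in ldd output."""
    return {m.group(1) for line in ldd_text.splitlines() if (m := _SONAME.match(line))}

def missing_native_deps(components, ldd_text):
    """Projects the binary links at runtime that the SBOM never declares."""
    declared = {c["name"].lower() for c in components}
    missing = set()
    for soname in linked_libraries(ldd_text):
        project = SONAME_TO_PROJECT.get(soname)
        if project and project not in declared:
            missing.add(project)
    return sorted(missing)

if __name__ == "__main__":
    for project in missing_native_deps(SBOM_COMPONENTS, LDD_OUTPUT):
        print(f"linked at runtime but absent from SBOM: {project}")
```

On the constructed input the SBOM names pycurl and OpenSSL but never curl, so the check reports exactly the library the page says trackers tend to miss.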