diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph.md index 962ae5dc9d1c..d7a3ac788945 100644 --- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph.md +++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph.md 
@@ -45,12 +45,12 @@ For more information about configuration of the dependency graph, see "[AUTOTITL ## Dependencies included -The dependency graph includes all the dependencies of a repository that are detailed in the manifest and lock files, or their equivalent, for supported ecosystems, as well as any dependencies that are submitted using the {% data variables.dependency-submission-api.name %}. This includes: +The dependency graph includes all the dependencies of a repository that are detailed in the manifest and lock files, or their equivalent, for supported ecosystems, as well as any dependencies that are submitted using the {% data variables.dependency-submission-api.name %} (beta). This includes: -* Direct dependencies, that are explicitly defined in a manifest or lock file or have been submitted using the {% data variables.dependency-submission-api.name %} +* Direct dependencies, that are explicitly defined in a manifest or lock file or have been submitted using the {% data variables.dependency-submission-api.name %} (beta) * Indirect dependencies of these direct dependencies, also known as transitive dependencies or sub-dependencies -The dependency graph identifies indirect dependencies{% ifversion fpt or ghec %} only if they are defined in a lock file or have been submitted using the {% data variables.dependency-submission-api.name %}. For the most reliable graph, you should use lock files (or their equivalent) because they define exactly which versions of the direct and indirect dependencies you currently use. If you use lock files, you also ensure that all contributors to the repository are using the same versions, which will make it easier for you to test and debug code{% else %} from the lock files{% endif %}. If your ecosystem does not have lock files, you can use pre-made actions that resolve transitive dependencies for many ecosystems. 
For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api#using-pre-made-actions)." +The dependency graph identifies indirect dependencies{% ifversion fpt or ghec %} only if they are defined in a lock file or have been submitted using the {% data variables.dependency-submission-api.name %} (beta). For the most reliable graph, you should use lock files (or their equivalent) because they define exactly which versions of the direct and indirect dependencies you currently use. If you use lock files, you also ensure that all contributors to the repository are using the same versions, which will make it easier for you to test and debug code{% else %} from the lock files{% endif %}. If your ecosystem does not have lock files, you can use pre-made actions that resolve transitive dependencies for many ecosystems. For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api#using-pre-made-actions)." For more information on how {% data variables.product.product_name %} helps you understand the dependencies in your environment, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security)." 
@@ -115,7 +115,7 @@ The recommended formats explicitly define which versions are used for all direct {% endnote %} -You can use the {% data variables.dependency-submission-api.name %} to add dependencies from the package manager or ecosystem of your choice to the dependency graph, even if the ecosystem is not in the supported ecosystem list above. {% data reusables.dependency-graph.dependency-submission-API-short %} +You can use the {% data variables.dependency-submission-api.name %} (beta) to add dependencies from the package manager or ecosystem of your choice to the dependency graph, even if the ecosystem is not in the supported ecosystem list above. {% data reusables.dependency-graph.dependency-submission-API-short %} You will only get {% data variables.product.prodname_dependabot_alerts %} for dependencies that are from one of the [supported ecosystems](https://github.com/github/advisory-database#supported-ecosystems) of the {% data variables.product.prodname_advisory_database %}. For more information on the {% data variables.dependency-submission-api.name %}, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api)." diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository.md index ffe34e3c54be..b224231af62f 100644 --- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository.md +++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository.md 
@@ -54,7 +54,7 @@ Any direct and indirect dependencies that are specified in the repository's mani {% endif %} {% ifversion dependency-graph-repository-view-update %} -Dependencies submitted to a project using the {% data variables.dependency-submission-api.name %} will show which detector was used for their submission and when they were submitted.{% elsif ghes %}Dependencies submitted to a project using the {% data variables.dependency-submission-api.name %}, although also grouped by ecosystem, are shown separately from dependencies identified through manifest or lock files in the repository. These submitted dependencies appear in the dependency graph as "Snapshot dependencies" because they are submitted as a snapshot, or set, of dependencies.{% else %}{% endif %} For more information on using the {% data variables.dependency-submission-api.name %}, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api)." +Dependencies submitted to a project using the {% data variables.dependency-submission-api.name %} (beta) will show which detector was used for their submission and when they were submitted.{% elsif ghes %}Dependencies submitted to a project using the {% data variables.dependency-submission-api.name %} (beta), although also grouped by ecosystem, are shown separately from dependencies identified through manifest or lock files in the repository. These submitted dependencies appear in the dependency graph as "Snapshot dependencies" because they are submitted as a snapshot, or set, of dependencies.{% else %}{% endif %} For more information on using the {% data variables.dependency-submission-api.name %}, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api)." 
If vulnerabilities have been detected in the repository, these are shown at the top of the view for users with access to {% data variables.product.prodname_dependabot_alerts %}. diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph.md index 764a428779d1..59661c724461 100644 --- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph.md +++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph.md 
@@ -25,7 +25,7 @@ The dependency graph automatically includes information on dependencies that are The dependency graph doesn't automatically include "loose" dependencies. "Loose" dependencies are individual files that are copied from another source and checked into the repository directly or within an archive (such as a ZIP or JAR file), rather than being referenced by in a package manager’s manifest or lockfile. -However, you can use the {% data variables.dependency-submission-api.name %} to add dependencies to a project's dependency graph, even if the dependencies are not declared in a manifest or lock file, such as dependencies resolved when a project is built. {% data reusables.dependency-graph.dependency-submission-API-short %} For more information on the {% data variables.dependency-submission-api.name %}, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api)." +However, you can use the {% data variables.dependency-submission-api.name %} (beta) to add dependencies to a project's dependency graph, even if the dependencies are not declared in a manifest or lock file, such as dependencies resolved when a project is built. {% data reusables.dependency-graph.dependency-submission-API-short %} For more information on the {% data variables.dependency-submission-api.name %}, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api)." **Check**: Is the missing dependency for a component that's not specified in the repository's manifest or lockfile? 
@@ -33,7 +33,7 @@ However, you can use the {% data variables.dependency-submission-api.name %} to The dependency graph analyzes manifests as they’re pushed to {% data variables.product.prodname_dotcom %}. The dependency graph doesn't, therefore, have access to the build environment of the project, so it can't resolve variables used within manifests. If you use variables within a manifest to specify the name, or more commonly the version of a dependency, then that dependency will not automatically be included in the dependency graph. -However, you can use the {% data variables.dependency-submission-api.name %} to add dependencies to a project's dependency graph, even if the dependencies are only resolved when a project is built. For more information on the {% data variables.dependency-submission-api.name %}, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api)." +However, you can use the {% data variables.dependency-submission-api.name %} (beta) to add dependencies to a project's dependency graph, even if the dependencies are only resolved when a project is built. For more information on the {% data variables.dependency-submission-api.name %}, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api)." **Check**: Is the missing dependency declared in the manifest by using a variable for its name or version? diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api.md index 1622db9a63b7..4fbf90060849 100644 --- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api.md 
+++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api.md @@ -13,6 +13,8 @@ versions: ghec: '*' --- +{% data reusables.dependency-submission.dependency-submission-api-beta %} + ## About the {% data variables.dependency-submission-api.name %} {% data reusables.dependency-submission.about-dependency-submission %} diff --git a/content/rest/dependency-graph/dependency-submission.md b/content/rest/dependency-graph/dependency-submission.md index cacded936fde..de193331d97d 100644 --- a/content/rest/dependency-graph/dependency-submission.md +++ b/content/rest/dependency-graph/dependency-submission.md @@ -12,6 +12,8 @@ autogenerated: rest ## About dependency submissions +{% data reusables.dependency-submission.dependency-submission-api-beta %} + {% data reusables.dependency-submission.about-dependency-submission %} You can submit dependencies in the form of a snapshot. A snapshot is a set of dependencies associated with a commit SHA and other metadata, that reflects the current state of your repository for a commit. You can choose to use pre-made actions or create your own actions to submit your dependencies in the required format each time your project is built. For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api)." diff --git a/data/reusables/dependabot/about-the-dependency-graph.md b/data/reusables/dependabot/about-the-dependency-graph.md index 5eeb3f69dda0..9f0afb0c2fa3 100644 --- a/data/reusables/dependabot/about-the-dependency-graph.md +++ b/data/reusables/dependabot/about-the-dependency-graph.md 
@@ -1,4 +1,4 @@ -The dependency graph is a summary of the manifest and lock files stored in a repository and any dependencies that are submitted for the repository using the {% data variables.dependency-submission-api.name %}. For each repository, it shows{% ifversion fpt or ghec %}: +The dependency graph is a summary of the manifest and lock files stored in a repository and any dependencies that are submitted for the repository using the {% data variables.dependency-submission-api.name %} (beta). For each repository, it shows{% ifversion fpt or ghec %}: * Dependencies, the ecosystems and packages it depends on * Dependents, the repositories and packages that depend on it{% else %} dependencies, the ecosystems and packages it depends on.{% endif %} diff --git a/data/reusables/dependency-graph/dependency-submission-API-short.md b/data/reusables/dependency-graph/dependency-submission-API-short.md index f14316eda0b6..955fb919cff9 100644 --- a/data/reusables/dependency-graph/dependency-submission-API-short.md +++ b/data/reusables/dependency-graph/dependency-submission-API-short.md @@ -1,5 +1,5 @@ {% ifversion dependency-graph-repository-view-update %} -Dependencies submitted to a project using the {% data variables.dependency-submission-api.name %} will show which detector was used for their submission and when they were submitted. +Dependencies submitted to a project using the {% data variables.dependency-submission-api.name %} (beta) will show which detector was used for their submission and when they were submitted. {% elsif ghes %} The dependency graph will display the submitted dependencies grouped by ecosystem, but separately from the dependencies parsed from manifest or lock files. {% else %}{% endif %} diff --git a/data/reusables/dependency-review/works-with-submission-api-beta.md b/data/reusables/dependency-review/works-with-submission-api-beta.md index a7d5302a7b7e..59360fb04ae5 100644 --- a/data/reusables/dependency-review/works-with-submission-api-beta.md 
+++ b/data/reusables/dependency-review/works-with-submission-api-beta.md @@ -1,4 +1,5 @@ {% note %} -**Note:** The dependency review API and the {% data variables.dependency-submission-api.name %} work together. This means that the dependency review API will include dependencies submitted via the {% data variables.dependency-submission-api.name %}. +**Note:** The dependency review API and the {% data variables.dependency-submission-api.name %} work together. This means that the dependency review API will include dependencies submitted via the {% data variables.dependency-submission-api.name %}. This feature is currently in public beta and subject to change. + {% endnote %} diff --git a/data/reusables/dependency-submission/dependency-submission-api-beta.md b/data/reusables/dependency-submission/dependency-submission-api-beta.md new file mode 100644 index 000000000000..b4246765bb65 --- /dev/null +++ b/data/reusables/dependency-submission/dependency-submission-api-beta.md @@ -0,0 +1,5 @@ +{% note %} + +**Note:** The ability to use the REST API for dependency submission is currently in public beta and subject to change. + +{% endnote %} diff --git a/data/reusables/dependency-submission/dependency-submission-link.md b/data/reusables/dependency-submission/dependency-submission-link.md index 82431bf45ddf..63f4d25cc108 100644 --- a/data/reusables/dependency-submission/dependency-submission-link.md +++ b/data/reusables/dependency-submission/dependency-submission-link.md 
@@ -1,2 +1,2 @@ -Additionally, you can use the {% data variables.dependency-submission-api.name %} to submit dependencies from the package manager or ecosystem of your choice, even if the ecosystem is not supported by dependency graph for manifest or lock file analysis. -{% ifversion dependency-graph-repository-view-update %}Dependencies submitted to a project using the {% data variables.dependency-submission-api.name %} will show which detector was used for their submission and when they were submitted.{% elsif ghes %} The dependency graph will display the submitted dependencies grouped by ecosystem, but separately from the dependencies parsed from manifest or lock files.{% else %}{% endif %} For more information on the {% data variables.dependency-submission-api.name %}, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api)." +Additionally, you can use the {% data variables.dependency-submission-api.name %} (beta) to submit dependencies from the package manager or ecosystem of your choice, even if the ecosystem is not supported by dependency graph for manifest or lock file analysis. +{% ifversion dependency-graph-repository-view-update %}Dependencies submitted to a project using the {% data variables.dependency-submission-api.name %} (beta) will show which detector was used for their submission and when they were submitted.{% elsif ghes %} The dependency graph will display the submitted dependencies grouped by ecosystem, but separately from the dependencies parsed from manifest or lock files.{% else %}{% endif %} For more information on the {% data variables.dependency-submission-api.name %}, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api)."
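Review bot: in about-the-dependency-graph.md, the "(beta)" qualifier is applied inconsistently between the two hunks. The @@ -45 hunk adds it to every mention of `{% data variables.dependency-submission-api.name %}`, while the @@ -115 hunk adds it only to the first mention and leaves the closing "For more information on the {% data variables.dependency-submission-api.name %}, see ..." sentence unchanged. Pick one rule (first mention per page, or every mention) and apply it across the file. While the bullet is already in the diff, "Direct dependencies, that are explicitly defined" should lose the comma: "Direct dependencies that are explicitly defined".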
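Review bot: across the whole change, the literal string "(beta)" is hard-coded after `{% data variables.dependency-submission-api.name %}` in eight separate places spanning content pages and reusables. When the API leaves beta every one of these has to be touched again, and any that are missed will go stale. The new `data/reusables/dependency-submission/dependency-submission-api-beta.md` already exists; consider folding the short qualifier into the variable definition or a small reusable as well, so the label can be removed in one place later.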
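Review bot: the "(beta)" label is not version-gated. In exploring-the-dependencies-of-a-repository.md @@ -54 and in dependency-graph/dependency-submission-API-short.md it is inserted inside the `{% elsif ghes %}` branch, and in both troubleshooting-the-dependency-graph.md hunks it sits in unconditional text, so GHES readers will see the beta label and the new beta note too. Confirm that the submission API is also in public beta on GHES for the versions this page covers; if not, wrap the qualifier and the note in `{% ifversion fpt or ghec %}`.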
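Review bot: in exploring-the-dependencies-of-a-repository.md @@ -54, the `{% ifversion dependency-graph-repository-view-update %}` branch repeats the sentence from `data/reusables/dependency-graph/dependency-submission-API-short.md` word for word, and this change had to edit both copies identically. Consider including the reusable here instead so future wording changes happen once. Unrelated but visible in the troubleshooting @@ -25 context: "rather than being referenced by in a package manager's manifest" has a stray "by".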
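Review bot: in dependency-review/works-with-submission-api-beta.md, the added sentence "This feature is currently in public beta and subject to change." is ambiguous, because the note has just discussed two APIs (dependency review and dependency submission) working together. Name the feature, e.g. "The {% data variables.dependency-submission-api.name %} is currently in public beta and subject to change.", or reuse the sentence from the new `dependency-submission-api-beta.md` reusable so the wording stays aligned.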
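Review bot: in dependency-submission/dependency-submission-link.md @@ -1,2, the rewritten first line still reads "even if the ecosystem is not supported by dependency graph for manifest or lock file analysis"; since the line is being changed anyway, insert the missing article: "not supported by the dependency graph".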