Supporting webjars and other re-packagings of software artifacts from other ecosystems

[westonsteimel]

Should re-packagings of software artifacts from other ecosystems be supported for automatic inclusion in security advisories?

As a specific example, there exists the webjars project which packages javascript packages up and makes them available on Maven for inclusion of js dependencies in a java project. It might be useful to have these automatically included on new npm advisories for which a webjars artifact exists

Continues discussions from https://github.com/github/advisory-database/pull/607

[joshbressers]

I think this would be beneficial to the current security vulnerability universe to do this. It should be acknowledged that this is not technically correct behavior, but it would help solve a very real problem in the short term.

The technically correct behavior is for various SBOM and vulnerability scanners to correctly reach inside a webjar and report the NPM findings as NPM findings, not as java findings.

However, this is not how much of the current scanners work. They will probably get there someday, but the space is still too new and there are other larger rocks to move first.

I believe this is one of those instances where doing something that isn't technically correct, but solves an existing problem makes sense.