Build Event for external dependencies used in the invocation #23933
Labels
team-ExternalDeps
External dependency handling, remote repositories, WORKSPACE file.
type: feature request
untriaged
Description of the feature request:
When troubleshooting past invocations, it might be useful to know which dependencies were used in the invocation: information like which version was used, whether any override was applied, which URL it was downloaded from, with what checksum, etc.
Which category does this issue belong to?
No response
What underlying problem are you trying to solve with this feature?
By sending a build event with this information, the BES implementation could help developers identify issues a bit more easily. We can also leverage the build events for downstream supply chain security keeping and identify vulnerabilities faster/easier.
Which operating system are you running Bazel on?
No response
What is the output of bazel info release?
No response
If bazel info release returns "development version" or "(@non-git)", tell us how you built Bazel.
No response
What's the output of git remote get-url origin; git rev-parse HEAD?
No response
Have you found anything relevant by searching the web?
The current Supply Chain Security approach is mostly oriented around using rules_license's aspect to gather the dependencies information. This works but requires additional setup on the code level.
Providing a build event based on bzlmod data would provide a much more sensible default with minimal setup needed. The tradeoff is that you will only get the dependencies information on the invocation level and not on a target level, which is fine for smaller use cases.
Any other information, logs, or outputs that you want to share?
No response