Package discovery via commit(s) #1475

@darakian

I hope this is the right place to open this issue (happy to move it if not), but is there anything on the roadmap to support package lookup via a commit? Such an interface would be quite helpful in the world of vulnerability management, where package/artifact mapping consumes a huge amount of human time. Maybe there isn't one API call, but is such a thing possible? I took a quick scan through some of the API docs and nothing jumped out at me, but maybe I'm blind.

Some context: the world I'm envisioning is one where security reports get written and annotated with commit data, e.g. security types would make statements like "problem known to exist in commits X, Y, Z, etc.; problem fixed in commits A, B, C, etc." rather than expressing vulnerability information in the taxonomies of package ecosystems. Given the myriad of quirks in how packages are brought into this world, it is (imo) better to ask the security types to make their expressions in terms of code and then to derive the set of artifacts which include a given commit (or set of commits). It allows for a separation of concerns between mapping and actual bug hunting, and it should (🤞) scale to arbitrarily many ecosystems.

I know this cannot be perfect given the lack of provenance for many packages, but even a first-order approximation would be helpful as long as the derivation method(s) is/are understood. A trusted publishing version would also be cool, but that's a separate task, I think 👀
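To make the "first-order approximation" concrete, here is an added example (not code from the issue author or from this project) of the derivation step the issue describes: given a commit graph and a map of released artifacts to the commits they were built from, an artifact includes a commit exactly when that commit is an ancestor of the artifact's build commit. The commit IDs, tags and branch shape below are constructed for illustration; in practice the graph would come from `git rev-list`/`git tag --contains` and the release map from whatever provenance the ecosystem offers.

```python
from collections import deque

# Constructed commit DAG: commit -> list of parent commits.
# The IDs are placeholders, not SHAs from any real repository.
PARENTS = {
    "c1": [],
    "c2": ["c1"],
    "c3": ["c2"],        # vulnerable change lands here
    "c4": ["c3"],
    "c5": ["c4"],        # fix on the main line
    "c6": ["c3"],        # maintenance branch forked from c3
    "c7": ["c6"],        # backported fix on the maintenance branch
    "c8": ["c5", "c7"],  # merge of the maintenance branch into main
}

# Constructed release map: artifact (tag) -> commit it was built from.
RELEASES = {
    "v1.0": "c2",
    "v1.1": "c4",
    "v1.2": "c5",
    "v1.1.1": "c7",
    "v2.0": "c8",
}


def ancestors(commit, parents):
    """All commits reachable from `commit` via parent edges, itself included."""
    seen = set()
    queue = deque([commit])
    while queue:
        c = queue.popleft()
        if c in seen:
            continue
        seen.add(c)
        queue.extend(parents.get(c, []))
    return seen


def releases_containing(commits, releases, parents):
    """Artifacts whose history includes at least one of `commits`."""
    wanted = set(commits)
    return {tag for tag, head in releases.items()
            if wanted & ancestors(head, parents)}


def affected_releases(introduced, fixed, releases, parents):
    """Artifacts that contain an introducing commit but none of the fixes.

    This is the 'known in X, Y, Z / fixed in A, B, C' query from the issue:
    a release that has picked up any fix commit is treated as fixed.
    """
    introduced, fixed = set(introduced), set(fixed)
    result = set()
    for tag, head in releases.items():
        history = ancestors(head, parents)
        if history & introduced and not history & fixed:
            result.add(tag)
    return result


if __name__ == "__main__":
    print("releases with c3:", sorted(releases_containing(["c3"], RELEASES, PARENTS)))
    print("still affected:", sorted(affected_releases(["c3"], ["c5", "c7"], RELEASES, PARENTS)))
```

Ancestry catches both the main-line fix (`v1.2`, `v2.0`) and the backport (`v1.1.1`), leaving only `v1.1` affected. What it cannot see is exactly the provenance gap the issue raises: a fix that was cherry-picked or rebased carries a different commit ID, and an artifact built from an untagged or patched tree has no head commit to start from, so those cases need patch-content matching or publisher-supplied build metadata on top of this.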
