2. Querying Data

OK, let's now see what data we've got.

How much data do we have?

The Renovate datasource has 56,509 rows of dependency data, whereas the Software Bills of Materials (SBOMs) datasource has 2,977.

That's a bit of a difference in terms of number of rows, right?

How many repos?

There are currently 304 repositories from Renovate.

How many Components (for SBOMs)?

There are currently 16 known SBOM components.

What package metadata?

The Renovate datasource has 40 package types, whereas the Software Bills of Materials (SBOMs) datasource has 8.

Top 10 Renovate packages

No Results

Top 10 SBOM packages

No Results

Usage of unstable versions

There are approximately 0.12.0 unstable versions in use.

This can also be seen more visually like so:


oapi-codegen

Where is oapi-codegen used?

(This is a little bit of a biased example, as Jamie is a Core Maintainer on oapi-codegen)

No Results

Notice that it's found in Renovate data, but not in SBOMs.

golangci-lint

golangci-lint (any references)

No Results

golangci-lint (Go module references)

No Results

No Records

As above, it's present in Renovate data, but not SBOMs.

We can also surface cases where we're incorrectly source-tracking it (i.e. with tools.go or go tool) via query dmd report golangCILint, example web app report.

HTTP Frameworks

Standard library? Unfortunately no introspection 😥

But:

Chi (Renovate)

No Results

Chi (SBOMs)

No Results

Gin (Renovate)

No Results

Gin (SBOMs)

No Results

gorilla/mux (Renovate)

No Results

gorilla/mux (SBOMs)

No Results

Fiber (Renovate)

No Results

Fiber (SBOMs)

No Results

Iris (Renovate)

No Results

Echo (Renovate)

No Results

Echo (SBOMs)

No Results

Go versions

Now that we've looked at plain data, let's look at more interesting metadata: versions of Go.

See this page

report dependenton

It's also possible to use this report to flag a usage of a package.

(This needs some work, as it currently requires you to know both package_manager and package_type.)

For instance, usage of oapi-codegen:

Unwanted libraries

(Audience participation)

Internal library digging

(Audience participation)

Top Terraform modules

No Results

No Records

Top Go module dependencies

No Results

Specific outdated versions

"gin … less than …"

General outdated data

(If used with RENOVATE_DRY_RUN=lookup, or RG_INCLUDE_UPDATES=true)

No Results

For golangci-lint