Package Version Checks

Verify that services use (or do not use) certain software packages, and check for specific package versions.

Note: This feature is currently in Beta and can be enabled by an OpsLevel Admin on the Admin Settings page.

Once your Software Bills of Materials are in OpsLevel, you can create checks to verify that your services use (or do not use) certain software packages and package versions.

Configuring Package Version Checks

The Package Version Check

Package Manager

Select the package manager (npm, gem, etc.) that hosts the package.

Package

Package Name

The name of the package you're creating a check for, e.g. "lodash".

Package Constraint

Dropdown list to the right of package name. Supported options are:

  • Exists - Check passes if the specified package occurs in the SBOM of the service, of a repository attached to the service, or both.
  • Does not Exist - Check passes if the specified package occurs neither in the SBOM of the service nor in the SBOM of any attached repository.
  • Matches Version - Check passes if defined constraints on the version of the specified package are met (see below).

Version

Applies only if "Matches Version" is selected.

Options of the Package Version Check

Supported version constraint options:

  • Satisfies Version Constraint - Version constraint (e.g. "<= 1.2.3") follows the same syntax and semantics as described in the "Version Constraints" section of the Tag Defined Check.
  • Matches Regex - Check passes if the version (e.g. "4.20.69") of the package matches this regular expression.
  • Does not Match Regex - Check passes if the version (e.g. "1.33.7") of the package does not match this regular expression.

If one of the above three constraints is placed on a package, all instances of that package in the SBOMs attached to the service and/or associated repositories must satisfy the constraint in order for the check to pass.

If the Package Does not Exist

This section only exists if you have selected "Matches Version" as the package constraint.

Select whether the check should pass or fail if the specified package is not detected on the service.
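
The following added example (not OpsLevel's own code) models how the options above combine, so you can reason about a check before creating it. It assumes CycloneDX-style components with `name`, `version` and `purl` fields and an unanchored regex search; the function names, constraint keys and sample SBOMs are constructed for illustration, and the "Satisfies Version Constraint" syntax is not modelled because it is defined elsewhere.

```python
import re

# Constructed sample SBOM component lists (CycloneDX-style fields):
# one for the service, one for an attached repository.
SERVICE_SBOM = [
    {"name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
    {"name": "express", "version": "4.18.2", "purl": "pkg:npm/express@4.18.2"},
]
REPO_SBOM = [
    {"name": "lodash", "version": "4.17.15", "purl": "pkg:npm/lodash@4.17.15"},
    {"name": "rails", "version": "7.0.4", "purl": "pkg:gem/rails@7.0.4"},
]


def find_versions(sboms, manager, package):
    """Return every version of `package` for `manager` across all SBOMs."""
    prefix = f"pkg:{manager}/"
    return [
        c["version"]
        for sbom in sboms
        for c in sbom
        if c["purl"].startswith(prefix) and c["name"] == package
    ]


def evaluate(sboms, manager, package, constraint, pattern=None, pass_if_missing=False):
    """Hypothetical evaluator mirroring the check options described above.

    constraint: "exists", "does_not_exist", "matches_regex", "does_not_match_regex"
    """
    versions = find_versions(sboms, manager, package)
    if constraint == "exists":
        return bool(versions)
    if constraint == "does_not_exist":
        return not versions
    if not versions:
        # The "If the Package Does not Exist" setting decides the outcome.
        return pass_if_missing
    # Assumption: unanchored search; anchor with ^...$ for exact matching.
    regex = re.compile(pattern)
    hits = [bool(regex.search(v)) for v in versions]
    if constraint == "matches_regex":
        return all(hits)       # every instance must match
    if constraint == "does_not_match_regex":
        return not any(hits)   # no instance may match
    raise ValueError(f"unknown constraint: {constraint}")
```

Because every instance must satisfy the constraint, a single outdated copy of a package in one attached repository is enough to fail a "Matches Regex" check that the service's own SBOM would pass.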