Every tool that makes automated decisions about dependencies invented its own policy format. There are standards for describing software components but none for writing rules about them.

Andrew Nesbitt

Every tool that makes automated decisions about dependencies has invented its own policy format. After surveying ~40 tools (cargo-deny, Snyk, Trivy, Grype, OSV-Scanner, LicenseFinder, and more), the author finds a chaotic landscape spanning TOML, YAML in ten different schemas, XML, JSON, Rego, Kotlin scripts, and proprietary web UIs — all expressing the same concepts (license allowlists, CVE ignores, package bans) in incompatible ways. While standards like PURL, CycloneDX, SPDX, and OSV exist for describing software components, there is no standard for writing rules about them. The EU Cyber Resilience Act increases the urgency of this gap. The author outlines what a unified dependency policy standard might cover — license rules, vulnerability ignores with expiry dates, package bans, severity thresholds, and scoping — and calls for collaboration to design one rather than adding yet another proprietary format.

The Fragmented World of Dependency Policy