Every tool that makes automated decisions about dependencies has invented its own policy format. After surveying ~40 tools (cargo-deny, Snyk, Trivy, Grype, OSV-Scanner, LicenseFinder, and more), the author finds a chaotic landscape spanning TOML, YAML in ten different schemas, XML, JSON, Rego, Kotlin scripts, and proprietary web UIs — all expressing the same concepts (license allowlists, CVE ignores, package bans) in incompatible ways. While standards like PURL, CycloneDX, SPDX, and OSV exist for describing software components, there is no standard for writing rules about them. The EU Cyber Resilience Act increases the urgency of this gap. The author outlines what a unified dependency policy standard might cover — license rules, vulnerability ignores with expiry dates, package bans, severity thresholds, and scoping — and calls for collaboration to design one rather than adding yet another proprietary format.

9 min read. From nesbitt.io
Table of contents
- License policy
- Vulnerability policy
- Package bans
- The full inventory
- OPA
- Existing standards
- What a standard might cover
- Relationship to SBOMs