Add support for overriding the upgrade policy on a per-library basis #46369

@snicoll

Description

We're facing cases where a third-party dependency has a different versioning scheme than the one that matches our upgrade policy.

One recent example is the Upgrade to MySQL 9.3.0 that contains a CVE fix that wasn't backported.

Usually we ask users to override the version. However, looking at their release notes, it's obvious that 9.1.0 and 9.2.0 are no longer maintained:

Version 9.3.0 is a new GA release of MySQL Connector/J. MySQL Connector/J 9.3.0 supersedes 9.2 and is recommended for use on production systems.

For cases like this, it'd be nice to configure bomr on a particular library so that it overrides the upgrade policy to use.
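The interim workaround mentioned above (asking users to override the managed version) looks like the following in a Spring Boot Gradle build. This is an added example, not code from the issue or from the Spring Boot project; the plugin versions are assumed, and the `checkMysqlVersion` task and `compareVersions` helper are my own additions that fail the build if the driver that actually resolves is older than the version carrying the fix. The property name `mysql.version` is the one spring-boot-dependencies uses for Connector/J.

```groovy
plugins {
    id 'java'
    id 'org.springframework.boot' version '3.4.5'              // assumed version
    id 'io.spring.dependency-management' version '1.1.7'       // assumed version
}

repositories { mavenCentral() }

// Override the version the Spring Boot BOM manages for com.mysql:mysql-connector-j.
// The BOM reads this property, so every module in that group moves to 9.3.0.
ext['mysql.version'] = '9.3.0'

dependencies {
    implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
    runtimeOnly 'com.mysql:mysql-connector-j'   // no version: comes from the BOM property above
}

// Minimum driver version we insist on (the release that contains the fix).
def requiredMysql = '9.3.0'

// Numeric dot-separated comparison. A plain String compare would rank 9.10.0 below 9.3.0.
def compareVersions(String a, String b) {
    def pa = a.tokenize('.').collect { it.isInteger() ? it.toInteger() : 0 }
    def pb = b.tokenize('.').collect { it.isInteger() ? it.toInteger() : 0 }
    for (int i = 0; i < Math.max(pa.size(), pb.size()); i++) {
        int x = i < pa.size() ? pa[i] : 0
        int y = i < pb.size() ? pb[i] : 0
        if (x != y) return x <=> y
    }
    return 0
}

// Guard task (hypothetical name): inspect what Gradle really resolved on the runtime classpath,
// not what we asked for, so a stray transitive pin or a forgotten override still fails the build.
tasks.register('checkMysqlVersion') {
    doLast {
        def artifact = configurations.runtimeClasspath.resolvedConfiguration.resolvedArtifacts.find {
            it.moduleVersion.id.group == 'com.mysql' && it.moduleVersion.id.name == 'mysql-connector-j'
        }
        if (artifact == null) {
            throw new GradleException('mysql-connector-j is not on runtimeClasspath')
        }
        def actual = artifact.moduleVersion.id.version
        if (compareVersions(actual, requiredMysql) < 0) {
            throw new GradleException("mysql-connector-j ${actual} is older than required ${requiredMysql}")
        }
        logger.lifecycle("mysql-connector-j ${actual} satisfies >= ${requiredMysql}")
    }
}

// Run the guard as part of the normal `gradle check` lifecycle.
check.dependsOn 'checkMysqlVersion'
```

Run `./gradlew check` to exercise the guard, or `./gradlew dependencyInsight --dependency mysql-connector-j --configuration runtimeClasspath` to see which declaration won the version. The Maven equivalent of the override is `<mysql.version>9.3.0</mysql.version>` in the project's `<properties>` when inheriting from `spring-boot-starter-parent`. Note that the property override has no notion of "at least": if the BOM later manages a newer driver, the override still pins 9.3.0, which is exactly the maintenance burden the per-library policy override requested above would remove.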
