DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

OSS License Retrieval #4078

Open setchy opened 2 months ago

setchy commented 2 months ago

Current Behavior

Issue created from slack discussion: 🧵 https://owasp.slack.com/archives/C6R3R32H4/p1722448587291769

OSS License needs to be within the uploaded BOM file.

Proposed Behavior

Enhance DTrack to have a system/event workflow which would take a project's components and enrich them with LICENSE data based on the purl?

This would centralize license component enrichment within DTrack vs having the license lookup/enrichment "step" as part of my CI/CD BOM-generation pipeline (both for performance and consistency). Once in DTrack, we then have a suite of License Violation Policies for our needs.


gbonnefille commented 2 months ago

I fully agree with the consistency issue.

Currently, I'm working with SBOMs produced by container analysis. Naturally, the license is extracted from the packaging system. But the information stored in the package can be wrong or approximate. For example, some packages are reported as "BSD" without any more precision and, of course, the license is not found...

Having a post-processing step that is allowed to override the incoming information could be useful.
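To make the proposed workflow concrete, here is an added example (not Dependency-Track code, and not from either commenter) of the purl-based enrichment step described in the issue and the override behaviour asked for in the comment above: it walks the components of a CycloneDX BOM, parses each purl, fills in a missing license, replaces values that are not SPDX identifiers (such as a bare "BSD"), leaves valid identifiers alone, and then runs a simple deny-list policy over the result. The purl-to-license table, the SPDX allow-list, the deny-list policy and the sample BOM are all constructed for the example; a real implementation would resolve the license from the package ecosystem's registry metadata instead of an inline dictionary.

```python
"""Offline sketch of purl-based license enrichment for a CycloneDX BOM.

Added example, not part of Dependency-Track. The lookup table, SPDX subset,
policy and sample BOM below are constructed test data.
"""
import json
import re
from urllib.parse import unquote

# Constructed stand-in for a registry lookup, keyed by purl without version.
# Assumed data: a real enrichment step would query ecosystem metadata.
KNOWN_LICENSES = {
    "pkg:npm/lodash": "MIT",
    "pkg:maven/org.apache.commons/commons-lang3": "Apache-2.0",
    "pkg:deb/debian/openssl": "Apache-2.0",
}

# Small subset of SPDX identifiers, used to detect imprecise values like "BSD".
SPDX_IDS = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause",
            "GPL-2.0-only", "GPL-3.0-only"}

# Example deny-list policy (assumed, not Dependency-Track's own policy engine).
DENIED = {"GPL-3.0-only"}

# purl grammar: pkg:type/namespace/name@version?qualifiers#subpath
PURL_RE = re.compile(
    r"^pkg:(?P<type>[^/]+)/(?:(?P<ns>[^@?#]+)/)?(?P<name>[^/@?#]+)"
    r"(?:@(?P<version>[^?#]+))?(?:\?(?P<qualifiers>[^#]*))?(?:#(?P<subpath>.*))?$"
)


def parse_purl(purl):
    """Split a purl into its components; type is case-insensitive per the spec."""
    m = PURL_RE.match(purl)
    if not m:
        raise ValueError(f"not a purl: {purl}")
    ns = m.group("ns")
    return {
        "type": m.group("type").lower(),
        "namespace": unquote(ns) if ns else None,
        "name": unquote(m.group("name")),
        "version": unquote(m.group("version")) if m.group("version") else None,
    }


def lookup_key(purl):
    """Version-less purl used as the key into the license table."""
    p = parse_purl(purl)
    path = "/".join(part for part in (p["namespace"], p["name"]) if part)
    return f"pkg:{p['type']}/{path}"


def current_license_id(component):
    """Return the first declared license id/name of a CycloneDX component, or None."""
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        if lic.get("id") or lic.get("name"):
            return lic.get("id") or lic.get("name")
    return None


def enrich_component(component, lookup=KNOWN_LICENSES):
    """Add or override the license of one component in place; return a status string."""
    purl = component.get("purl")
    if not purl:
        return "skipped: no purl"
    existing = current_license_id(component)
    if existing in SPDX_IDS:
        return f"kept: {existing}"          # already precise, do not override
    found = lookup.get(lookup_key(purl))
    if found is None:
        return f"unresolved: {existing or 'none'}"
    component["licenses"] = [{"license": {"id": found}}]
    return f"{'overridden' if existing else 'added'}: {found}"


def enrich_bom(bom, lookup=KNOWN_LICENSES):
    """Return (enriched copy of the BOM, {component name: status})."""
    enriched = json.loads(json.dumps(bom))   # deep copy; leave the input untouched
    statuses = {c["name"]: enrich_component(c, lookup)
                for c in enriched.get("components", [])}
    return enriched, statuses


def policy_violations(bom, denied=DENIED):
    """List (name, license) pairs whose license is on the deny-list."""
    return [(c["name"], current_license_id(c))
            for c in bom.get("components", [])
            if current_license_id(c) in denied]


# Constructed sample BOM: missing, imprecise, valid and purl-less cases.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "group": "org.apache.commons", "name": "commons-lang3",
         "version": "3.12.0",
         "purl": "pkg:maven/org.apache.commons/commons-lang3@3.12.0",
         "licenses": [{"license": {"name": "Apache"}}]},
        {"type": "library", "name": "openssl", "version": "3.0.11-1",
         "purl": "pkg:deb/debian/openssl@3.0.11-1?arch=amd64",
         "licenses": [{"license": {"name": "BSD"}}]},
        {"type": "library", "name": "some-tool", "version": "1.0",
         "purl": "pkg:pypi/some-tool@1.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "name": "vendored-blob", "version": "0"},
    ],
}

if __name__ == "__main__":
    enriched, statuses = enrich_bom(SAMPLE_BOM)
    for name, status in statuses.items():
        print(f"{name:15} {status}")
    print("violations:", policy_violations(enriched))
```

The "kept" branch is what stops the enrichment from clobbering a license that was deliberately declared in the BOM, while values that are not valid SPDX identifiers are treated as unreliable and replaced, which is the override behaviour the comment asks for. Components without a purl are reported rather than guessed at, since there is nothing to key the lookup on.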