Open setchy opened 2 months ago
I fully agree with the consistency issue.
Currently, I'm working with SBOMs produced by container analysis. Naturally, the license is extracted from the packaging system. But the information stored in the package can be wrong or approximate. For example, some packages are reported as "BSD" without any more precision and, of course, the license is not found...
Having a post-processing step that allows overriding the incoming information could be useful.
Current Behavior
Issue created from slack discussion: 🧵 https://owasp.slack.com/archives/C6R3R32H4/p1722448587291769
OSS License needs to be within the uploaded BOM file.
Proposed Behavior
Enhance DTrack to have a system/event workflow which would take a project's components and enrich them with LICENSE data based on the purl?
This would centralize license component enrichment within DTrack vs having the license lookup/enrichment "step" as part of my CI/CD BOM-generation pipeline (both for performance and consistency). Once in DTrack, we then have a suite of License Violation Policies for our needs.
Checklist
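The workflow sketched in the issue (take each component, resolve a license from its purl, let an operator override vague values such as a bare "BSD", then feed the result into license policies) can be illustrated with a small post-processing pass. The following is an added example, not Dependency-Track code: the license table, the precedence order (override, then usable BOM value, then purl lookup, then keep-but-flag) and the deny-list policy are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import unquote

# Constructed license knowledge base keyed by (purl type, namespace, name).
# Illustrative entries only; a real deployment would back this with a
# package-registry or license-database query.
LICENSE_DB = {
    ("pypi", None, "requests"): "Apache-2.0",
    ("npm", "@babel", "core"): "MIT",
    ("deb", "debian", "openssl"): "Apache-2.0",
}

# License strings too vague to drive a policy decision (e.g. bare "BSD").
VAGUE_LICENSES = {"", "BSD", "GPL", "LGPL", "APACHE", "MIT-LIKE", "UNKNOWN", "NOASSERTION"}


@dataclass(frozen=True)
class Component:
    purl: str
    license: Optional[str]        # license as declared in the uploaded BOM
    license_source: str = "bom"   # where the final value came from
    resolved: bool = True         # False when no usable license could be found


def parse_purl(purl: str) -> Tuple[str, Optional[str], str, Optional[str]]:
    """Return (type, namespace, name, version) from a package URL.

    Qualifiers (?...) and subpath (#...) are dropped; namespace segments are
    percent-decoded, so "pkg:npm/%40babel/core" yields namespace "@babel".
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[len("pkg:"):].split("#", 1)[0].split("?", 1)[0].strip("/")
    ptype, _, path = body.partition("/")
    if not ptype or not path:
        raise ValueError(f"malformed purl: {purl}")
    segments = path.split("/")
    name, _, version = segments[-1].partition("@")
    namespace = "/".join(unquote(s) for s in segments[:-1]) or None
    return ptype.lower(), namespace, unquote(name), version or None


def purl_key(purl: str) -> Tuple[str, Optional[str], str]:
    """Version-independent lookup key (type, namespace, name)."""
    ptype, namespace, name, _ = parse_purl(purl)
    return ptype, namespace, name


def is_vague(license_id: Optional[str]) -> bool:
    return license_id is None or license_id.strip().upper() in VAGUE_LICENSES


def enrich(component: Component, db=LICENSE_DB,
           overrides: Optional[Dict[str, str]] = None) -> Component:
    """Post-process one component's license (assumed precedence order):
    explicit override keyed by version-less purl > usable BOM value >
    purl-based lookup > keep the BOM value but flag it as unresolved.
    """
    key = purl_key(component.purl)
    for override_purl, license_id in (overrides or {}).items():
        if purl_key(override_purl) == key:
            return replace(component, license=license_id, license_source="override", resolved=True)
    if not is_vague(component.license):
        return replace(component, license_source="bom", resolved=True)
    looked_up = db.get(key)
    if looked_up is not None:
        return replace(component, license=looked_up, license_source="purl-lookup", resolved=True)
    return replace(component, license_source="bom", resolved=False)


def violations(components: List[Component], denied: Set[str]) -> List[Tuple[str, str]]:
    """Evaluate a simple deny-list policy after enrichment.

    Unresolved licenses are reported too, so a vague "BSD" cannot silently
    pass a policy meant to reject, say, BSD-4-Clause.
    """
    findings = []
    for c in components:
        if not c.resolved:
            findings.append((c.purl, f"unresolved license {c.license!r}"))
        elif c.license in denied:
            findings.append((c.purl, f"denied license {c.license}"))
    return findings


if __name__ == "__main__":
    # Constructed sample BOM entries.
    bom = [
        Component("pkg:deb/debian/openssl@3.0.11-1", "BSD"),
        Component("pkg:npm/%40babel/core@7.24.0", None),
        Component("pkg:pypi/requests@2.31.0", "Apache-2.0"),
        Component("pkg:maven/org.example/widget@1.0", "GPL"),
    ]
    enriched = [enrich(c, overrides={"pkg:pypi/requests": "MIT"}) for c in bom]
    for c in enriched:
        print(c.purl, c.license, c.license_source, c.resolved)
    print(violations(enriched, denied={"GPL-3.0-only", "MIT"}))
```

The point of the `resolved` flag is the consistency concern raised above: a component whose BOM says only "BSD" and that no lookup can improve must surface as a finding rather than disappear from policy evaluation, and an operator override applied at the version-less purl level survives every later BOM upload for that package.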