chaoss / grimoirelab-bestiary

GNU General Public License v3.0

Create a project analysis definition from a BOM or SBOM file #61

Open jsmanrique opened 3 years ago

jsmanrique commented 3 years ago

BOMs or SBOMs (Software Bills of Materials) are becoming a fundamental piece to understand a project and its dependencies (i.e. check the latest Executive Order on Improving the USA’s Cybersecurity). There are several tools to produce SBOM files like CycloneDX, OSS Review Toolkit or formats like SPDX that include information about dependencies' source code repositories.

Wouldn't it be nice to have support for 2-3 SBOM formats as "project" definition to save users time to define the analytics project?

Cauldron project is working to support it, starting by supporting just a file with a list of repositories (see Cauldron issue #685)

From the user experience point of view, users shall be able to submit a file that would be parsed to generate a new project from the list of repositories identified. Some information about "valid" repos found might be useful.

In the future, another way to implement it would be to build the SBOM from the information existing in a given repository (from the mvn, packages.json, or similar files). AFAIK OSS Review Toolkit is able to produce such file from a given repository
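As an added illustration of the workflow proposed above (this is example code written for this discussion, not code from Bestiary or Cauldron), the script below parses a CycloneDX JSON or SPDX JSON SBOM, pulls out the repository locators, normalizes and validates them, and reports which components had no usable repository. The field names assumed are the CycloneDX `components[].externalReferences[]` entries of type `vcs` and the SPDX `packages[].downloadLocation` value; the project-definition shape returned by `build_project` is a hypothetical placeholder, and both sample SBOMs are constructed for this example.

```python
"""Extract source repository URLs from a CycloneDX or SPDX JSON SBOM.

Example code for the feature request above; not Bestiary or Cauldron code.
Field names follow the public CycloneDX 1.x and SPDX 2.x JSON layouts; the
project-definition dict built at the end is a hypothetical shape.
"""
import json
from urllib.parse import urlparse

# Only schemes that point at a fetchable repository are accepted.
ALLOWED_SCHEMES = {"http", "https", "git", "ssh"}


def _normalize(url):
    """Turn a download/VCS locator into a bare repository URL, or None.

    Handles the SPDX 'git+https://host/org/repo.git@ref' form as well as the
    plain VCS URL that CycloneDX uses. Anything without a scheme, host and at
    least an 'owner/repo' path (placeholders, tarballs, scp-style strings) is
    rejected, which is the basis for the 'valid repos found' feedback.
    """
    if not isinstance(url, str):
        return None
    url = url.strip()
    if url in ("", "NONE", "NOASSERTION"):  # SPDX placeholder values
        return None
    if url.startswith("git+"):
        url = url[len("git+"):]
    url = url.split("#", 1)[0]  # drop '#subpath' fragments
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES or not parsed.netloc:
        return None
    path = parsed.path.split("@", 1)[0]  # drop '@ref' revision suffix
    segments = [s for s in path.split("/") if s]
    if len(segments) < 2:  # need at least owner/repo
        return None
    if segments[-1].endswith(".git"):
        segments[-1] = segments[-1][:-4]
    return f"{parsed.scheme}://{parsed.netloc}/" + "/".join(segments)


def extract_repositories(sbom):
    """Return (valid, skipped) from a parsed SBOM dict.

    valid:   deduplicated normalized repository URLs in first-seen order
    skipped: (component name, raw locator) pairs with no usable repository
    """
    valid, skipped, seen = [], [], set()

    def consider(name, raw):
        repo = _normalize(raw)
        if repo is None:
            skipped.append((name, raw))
        elif repo not in seen:
            seen.add(repo)
            valid.append(repo)

    if sbom.get("bomFormat") == "CycloneDX":
        for comp in sbom.get("components", []):
            vcs_refs = [r.get("url") for r in comp.get("externalReferences", [])
                        if r.get("type") == "vcs"]
            if not vcs_refs:
                skipped.append((comp.get("name"), None))
            for ref in vcs_refs:
                consider(comp.get("name"), ref)
    elif "spdxVersion" in sbom:
        for pkg in sbom.get("packages", []):
            consider(pkg.get("name"), pkg.get("downloadLocation"))
    else:
        raise ValueError("unsupported SBOM: expected CycloneDX or SPDX JSON")
    return valid, skipped


def build_project(name, sbom):
    """Build a project definition (hypothetical shape) from an SBOM dict."""
    valid, skipped = extract_repositories(sbom)
    return {
        "name": name,
        "repositories": valid,
        "skipped": [{"component": c, "value": v} for c, v in skipped],
    }


# Constructed sample SBOMs; the repository and package names are placeholders.
CYCLONEDX_SAMPLE = json.loads("""
{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-lib", "version": "1.0",
     "externalReferences": [
       {"type": "website", "url": "https://example-lib.example.org"},
       {"type": "vcs", "url": "https://github.com/example-org/example-lib.git"}]},
    {"type": "library", "name": "no-vcs-lib", "version": "0.1"}
  ]
}""")

SPDX_SAMPLE = json.loads("""
{
  "spdxVersion": "SPDX-2.2",
  "packages": [
    {"name": "example-lib",
     "downloadLocation": "git+https://github.com/example-org/example-lib.git@v1.0"},
    {"name": "vendored-blob", "downloadLocation": "NOASSERTION"},
    {"name": "tarball", "downloadLocation": "https://example.org/archive.tgz"}
  ]
}""")

if __name__ == "__main__":
    print(json.dumps(build_project("from-cyclonedx", CYCLONEDX_SAMPLE), indent=2))
    print(json.dumps(build_project("from-spdx", SPDX_SAMPLE), indent=2))
```

Both samples resolve to the same normalized repository, so a project built from either file lists it once; the `skipped` entries are what a UI would show the user as components without a valid repository. Note that scp-style locators (`git@host:org/repo.git`) have no URL scheme and are deliberately rejected rather than guessed at; a real importer would decide whether to rewrite those.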

Pablohn26 commented 1 year ago

automatecompliance.org is a Linux Foundation project focused on this issue. Here is a list of projects that deal with it. ScanOSS is another one.