Closed SebastianSchildt closed 1 month ago
Should we possibly as part of this PR delete the third party section in https://github.com/eclipse/kuksa.val/blob/master/NOTICE.md#third-party-content ? It is anyway out of date, right?
Wrt NOTICE: I agree. I removed all outdated/weird content from Notice. I left the third party content section, trying to explain how you would get such information.
I think it does not even "touch" Rust much. I suggest, if there is no further feedback, to merge Monday.
Adding @argerus as reviewer - we need to decide when we want to have "code freeze" on Databroker in this repo, and/or when we want to "remove" Databroker from this repo. If we merge it here we need to make sure that it is integrated into the new repo.
Databroker has been migrated to https://github.com/eclipse-kuksa/kuksa-databroker. Please open a new pull request in that repo.
Creates a CycloneDX Software Bill of Materials (SBOM) for the databroker. Refactor createbom so it can collect licenses from a CycloneDX input file, so it may be reused for other parts of the project as well.
This PR
Smaller fixes
Notes
I read quite a bit about SBOM generation in the Rust ecosystem and decided to go for https://crates.io/crates/cargo-cyclonedx, as this seems the most promising way. "Built-in" support in cargo may be a couple of years off, and cargo development is quite slow these days. Similarly, I think we should not try to do this "ourselves" by hand. By using that crate we profit from developments in that area. I verified that currently we did not lose any information compared to the "old" way.
In the future the "collectlicensefromcyclonedx.py" might be refactored to live pip-installable in kuksa-common, as it might also be used for other components, i.e. Python based ones - as long as a Cyclone SBOM is available. Not part of this PR though.
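To illustrate what collecting licenses from a CycloneDX input file involves, here is an added example; it is not the PR's `collectlicensefromcyclonedx.py` and not project code. The function names and the sample SBOM are constructed for illustration; a real input would be the JSON file written by cargo-cyclonedx, loaded with `json.load`.

```python
from collections import defaultdict

# Constructed sample in CycloneDX JSON layout (component names are made up).
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "example-a", "version": "1.0.0",
         "licenses": [{"expression": "MIT OR Apache-2.0"}]},
        {"name": "example-b", "version": "0.3.1",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"name": "example-c", "version": "2.0.0",
         "licenses": [{"license": {"name": "Custom Vendor License"}}],
         # Nested component that declares no license at all.
         "components": [{"name": "example-d", "version": "0.1.0"}]},
    ],
}

def declared_licenses(component):
    """Return the SPDX expressions, SPDX ids or free-text names of one component."""
    found = []
    for entry in component.get("licenses", []):
        if "expression" in entry:            # e.g. "MIT OR Apache-2.0"
            found.append(entry["expression"])
        elif "license" in entry:             # {"id": ...} or {"name": ...}
            ident = entry["license"].get("id") or entry["license"].get("name")
            if ident:
                found.append(ident)
    return found

def walk(components):
    """Yield every component, including nested sub-components."""
    for comp in components:
        yield comp
        yield from walk(comp.get("components", []))

def collect_licenses(bom):
    """Map each license to the components using it; list components without one."""
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX JSON document")
    by_license, undeclared = defaultdict(list), []
    for comp in walk(bom.get("components", [])):
        ref = f'{comp.get("name", "?")}@{comp.get("version", "?")}'
        ids = declared_licenses(comp)
        if not ids:
            undeclared.append(ref)           # needs manual review
        for ident in ids:
            by_license[ident].append(ref)
    return dict(by_license), undeclared

if __name__ == "__main__":
    licenses, missing = collect_licenses(SAMPLE_SBOM)
    print(licenses, missing)
```

Components that end up in the second list carry no license data in the SBOM and are the ones to check by hand before publishing a notice file.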