search

opensource-observer / oso

Measuring the impact of open source software
https://opensource.observer
Apache License 2.0
74 stars 16 forks source link

Validate npm package ownership #2459

Open ccerv1 opened 2 weeks ago

ccerv1 commented 2 weeks ago

What is it?

Using Rust as an example, but this is also the case for NPM...

The SBOM data tells us the name of the Rust package. Now we need to ping the Crates API to look up the GitHub repo that maintains the package. We need to write the Crates collector and then an intermediate model for linking packages to repos. Finally, we should have another model that sees if these artifacts have already been claimed by a project in OSS Directory (and if not we can have a list of popular packages that are unclaimed)

ryscheng-mobile commented 2 weeks ago

Rescoping this down to npm.

Please use separate issues for each line of work. The rust one was filed a couple weeks ago https://github.com/opensource-observer/oso/issues/2381