patriksvensson / covenant

A tool to generate SBOM (Software Bill of Material) from source code artifacts.
MIT License

Suggestion: Add support for tracking licensed components smaller than a library #8

Closed JamesDawson closed 1 year ago

JamesDawson commented 1 year ago

A component may consume 3rd-party licensed elements at a more granular level than a package or library; it would be useful to be able to represent these smaller-scale dependencies in the generated SBOM.

For example, a given code file may re-use or derive its own implementation from another source. Whilst this use can be acknowledged via a comment in the affected code file and other higher level documentation, this doesn't offer a structured way to record the dependency and any licensing requirements attached to its use.

Approaches like the debian/copyright file provide a means of recording licensing requirements on a per-file basis.

Adding support to Covenant so it can understand such conventions would enable it to include the license details of these 'sub-library' dependencies.

The SPDX specification includes support for recording information at the file level which seems like it would cater for this type of scenario.
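As an added illustration of the per-file convention described in this issue (example code, not Covenant's own), the following Python parses a constructed DEP-5 `debian/copyright` file and maps a source path to SPDX-style file fields (`SPDXID`, `fileName`, `licenseConcluded`, `copyrightText`), applying DEP-5's rule that the last matching `Files` stanza wins. The sample file and the function names are constructed for this example.

```python
import re
# Constructed sample debian/copyright (DEP-5 machine-readable format).
SAMPLE = """\
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/

Files: *
Copyright: 2023 Example Project Authors
License: MIT

Files: src/vendor/fasthash.c
       src/vendor/fasthash.h
Copyright: 2010 Some Upstream Author
License: BSD-3-Clause

Files: src/vendor/*.py
Copyright: 2015 Another Author
License: Apache-2.0
"""

def _to_regex(pattern):
    # DEP-5 globs: '*' matches anything (including '/'), '?' one character;
    # '[' is literal, so fnmatch is not used. Backslash escapes are not handled here.
    return re.compile("^" + "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern) + "$")

def parse_copyright(text):
    # Return the 'Files' stanzas as (patterns, copyright, license-id) tuples in file
    # order, because a later stanza overrides an earlier one for paths both match.
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1].isspace() and key:            # continuation line
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if "Files" in fields:                          # skip header / bare License stanzas
            stanzas.append((fields["Files"].split(), fields.get("Copyright", ""),
                            fields.get("License", "").partition("\n")[0]))
    return stanzas

def spdx_file_entry(path, stanzas):
    # SPDX-style file record for path, or None; the last matching stanza wins.
    entry = None
    for patterns, holder, lic in stanzas:
        if any(_to_regex(p).match(path) for p in patterns):
            entry = {"SPDXID": "SPDXRef-File-" + re.sub(r"[^A-Za-z0-9.-]", "-", path),
                     "fileName": "./" + path, "licenseConcluded": lic, "copyrightText": holder}
    return entry
```

A tool walking a source tree would call `spdx_file_entry` once per file and emit the non-None records into the SBOM's file list alongside the package-level entries.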