scanoss / sbom-workbench

The SCANOSS SBOM Workbench graphical user interface to scan and audit your source code.
https://scanoss.com/

feat: flag snippets in final SCANOSS-SBOM #500

Closed lucasgonze closed 4 months ago

lucasgonze commented 2 years ago

SCANOSS does a good job of identifying snippets for examination. However, there is no trace of this fact in the final SBOM. This is essential information because it may make the file in which a snippet was included a derivative work. Per Apache 2.0 4b: "You must cause any modified files to carry prominent notices stating that You changed the files".

Ideally the SBOM would identify the original source file and files containing modifications.

francostramana commented 2 years ago

Hey @lucasgonze, thanks for your feedback. I'm coming back to my pending issues. Sorry for the delay.

I understand the situation but I can't figure out how the SBOM should reflect this. Do you have an SBOM example of this?

lucasgonze commented 2 years ago

I think an annotation field with type OTHER would work.

https://spdx.github.io/spdx-spec/v2.2.2/annotations/#123-annotation-type-field
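A concrete sketch of what the annotation approach proposed above could look like, as an added example that is not code from sbom-workbench or SCANOSS: a scan result in the shape of SCANOSS output (the field names `id`, `lines`, `oss_lines`, `file`, `purl`, `url`, `licenses`, `matched` are assumed here, and the input itself is constructed) is turned into a minimal SPDX 2.2 JSON document whose File entries carry an annotation of type OTHER wherever a snippet match was found. The tool name, document namespace and file contents are placeholders.

```python
"""Flag snippet matches in an SPDX 2.2 JSON SBOM via annotations of type OTHER.

Added example, not code from sbom-workbench or SCANOSS. SCAN_RESULT is a
constructed stand-in modelled on SCANOSS scan output; its field names are an
assumption made for this example.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed scan result: one file with a snippet match, one with no match.
SCAN_RESULT = {
    "src/util/hashmap.c": [
        {
            "id": "snippet",
            "lines": "40-120",        # lines in the scanned file
            "oss_lines": "12-92",     # matching lines in the OSS file
            "matched": "38%",
            "file": "src/hashmap.c",  # path inside the matched component
            "purl": ["pkg:github/example/libhash"],
            "url": "https://github.com/example/libhash",
            "licenses": [{"name": "Apache-2.0"}],
        }
    ],
    "src/main.c": [{"id": "none"}],
}

# Constructed file contents so the File entries carry real SHA1 checksums.
FILE_CONTENTS = {
    "src/util/hashmap.c": b"/* hash map, partly adapted */\n",
    "src/main.c": b"int main(void) { return 0; }\n",
}

ANNOTATOR = "Tool: snippet-flagger-example"  # hypothetical tool name


def spdx_id(path):
    """Derive an SPDX identifier; only letters, digits, '.' and '-' are allowed."""
    safe = "".join(c if c.isalnum() or c in ".-" else "-" for c in path)
    return "SPDXRef-File-" + safe


def snippet_annotation(match, when):
    """Build an SPDX 2.2 annotation of type OTHER describing one snippet match."""
    licenses = ", ".join(lic["name"] for lic in match.get("licenses", []))
    comment = (
        "SNIPPET MATCH: local lines {lines} match lines {oss_lines} of "
        "{file} in {purl} ({url}); licenses: {lic}; matched {pct}. "
        "Review for derivative-work and modification-notice obligations."
    ).format(
        lines=match["lines"], oss_lines=match["oss_lines"], file=match["file"],
        purl=", ".join(match["purl"]), url=match["url"],
        lic=licenses or "unknown", pct=match.get("matched", "?"),
    )
    return {
        "annotationDate": when,
        "annotationType": "OTHER",
        "annotator": ANNOTATOR,
        "comment": comment,
    }


def build_spdx(scan_result, file_contents, when=None):
    """Emit a minimal SPDX 2.2 JSON document with snippet matches annotated per file."""
    when = when or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    files = []
    for path, matches in sorted(scan_result.items()):
        entry = {
            "SPDXID": spdx_id(path),
            "fileName": "./" + path,
            "checksums": [{"algorithm": "SHA1",
                           "checksumValue": hashlib.sha1(file_contents[path]).hexdigest()}],
            "licenseConcluded": "NOASSERTION",
            "licenseInfoInFiles": ["NOASSERTION"],
            "copyrightText": "NOASSERTION",
        }
        annotations = [snippet_annotation(m, when)
                       for m in matches if m.get("id") == "snippet"]
        if annotations:  # only files with snippet hits get the flag
            entry["annotations"] = annotations
        files.append(entry)
    return {
        "spdxVersion": "SPDX-2.2",
        "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": "example-project",
        "documentNamespace": "https://example.invalid/spdx/example-project",  # placeholder
        "creationInfo": {"created": when, "creators": [ANNOTATOR]},
        "files": files,
    }


def flagged_files(doc):
    """Return the fileNames carrying a snippet-match annotation, i.e. the audit list."""
    return [f["fileName"] for f in doc["files"]
            if any(a["annotationType"] == "OTHER" and a["comment"].startswith("SNIPPET MATCH")
                   for a in f.get("annotations", []))]


if __name__ == "__main__":
    print(json.dumps(build_spdx(SCAN_RESULT, FILE_CONTENTS), indent=2))
```

The annotation keeps the flag visible to any consumer that only reads File entries and free-text comments. SPDX 2.2 also defines Snippet elements (`snippetFromFile` plus line ranges) that could carry the same facts in structured form; the two are not exclusive, and a producer could emit both.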