git submodules not recognized by scanner

scanoss / sbom-workbench

The SCANOSS SBOM Workbench graphical user interface to scan and audit your source code.

https://scanoss.com/

Other

47 stars 9 forks source link

git submodules not recognized by scanner #511

Closed lucasgonze closed 2 years ago

lucasgonze commented 2 years ago

Create a .gitmodules file
Add a submodule
Scan it with SCANOSS
Generate a report
The submodule will not in the report

More info: https://www.git-scm.com/docs/gitmodules

francostramana commented 2 years ago

Hi Luca, thanks again for your interest in the tool. Unfortunately this kind of feature is not yet in our plans. However, I'm deeply interested in how you think we should support this.

I'm going to close this issue but then I'll mark it to investigate if it's a feature that many people are looking for.

Please feel free to re open the issue if you want to add more information.

Regards!

lucasgonze commented 2 years ago

The question for me and OSPO colleagues is whether the license terms of submodules need to be complied with, such as by providing attribution and a copy of the license. The answer to this isn't clear. For the purpose of risk mitigation, the cautious answer is to treat submodules the same as code that is directly distributed.

In practice there's no particular difference between a package.json reference and a .modules reference.