todogroup / osposurvey

Open Source Programs (OSPO) Survey
https://todogroup.org
Creative Commons Attribution Share Alike 4.0 International

Add a question specifically about container image scanning tools #104

Closed CsatariGergely closed 1 year ago

CsatariGergely commented 2 years ago

A question should be added to "Part 7: Licensing, Compliance and Repos" specifically about container image scanning tools

I'm not sure about the container scanning capabilities of the tools marked with (?).

gravax commented 2 years ago

I'd also add SCANOSS ...

LawrenceHecht commented 2 years ago

This is a very specific question, which can be a very good thing. That said, I don't think this survey should become too much about tooling. Perhaps this can replace the existing container software composition analysis question

CsatariGergely commented 2 years ago

@LawrenceHecht Question 45 already puts the same question about generic compliance tools. For us it would be very useful to see which are the "standard tools" in the industry to do container scanning. To be honest we did not find the perfect tool yet and it would be good to start an open discussion about how to do container scanning correctly. Which existing container software composition analysis question do you mean?

LawrenceHecht commented 2 years ago

I apologize. In 2019, we had asked "Which of the following software scanning and software composition analysis tools does your organization use?" We haven't gotten good data about this topic in the past.

@tsteenbe, as a member of the TODO Group Steering Committee, and someone who has a lot of experience dealing with this topic, do you have any suggestions? Is there a question or topic we can add about scanning that you would like to include?

anajsana commented 1 year ago

This question was not added in the 2022 OSPO survey since it was too specific on SCA tooling (something that other open-source communities like OpenChain already address in the open source compliance survey). Maybe with further discussion, it can be included in 2023 OSPO survey.

If you'd like to continue with the conversation, please open a new issue for the 2023 survey.