The complexities of identifying and tracking open-source software (OSS) to comply with license requirements add friction to the development process and can result in product-release delays. At VMware, we solve this problem using Bazel to create an accurate bill of materials containing OSS and third-party packages during a build.
Some dependencies cannot be processed by oss_audit because they lack metadata. We currently skip these dependencies, which prevents them from appearing in the BOM yaml.
It would be helpful to have additional DEBUG messages that print the skipped target dependencies. This will give us an idea of what was left out of our generated BOM and what we may want to fix to get them included.
Or the rule could generate an additional output like target.bom-skipped.yaml.
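Added example (not code from rules_oss_audit) sketching the behaviour the issue asks for: dependencies with complete metadata go into the BOM, while those missing a field are logged at DEBUG level with the reason and written to a companion bom-skipped file. The metadata field names, the sample targets and the minimal YAML emitter are assumptions made here, not the project's real format.

```python
import logging

log = logging.getLogger("oss_audit")
REQUIRED = ("name", "version", "license")  # assumed fields a BOM entry needs

# Constructed sample of per-target metadata; hypothetical targets and fields.
SAMPLE_DEPS = [
    {"target": "//third_party:zlib", "name": "zlib", "version": "1.2.13", "license": "Zlib"},
    {"target": "//third_party:openssl", "name": "openssl", "version": "3.0.8"},  # no license
    {"target": "//third_party:vendored_blob"},  # no metadata at all
]

def partition_deps(deps, required=REQUIRED):
    """Split deps into (bom_entries, skipped); skipped records which fields were missing."""
    bom, skipped = [], []
    for dep in deps:
        missing = [f for f in required if not dep.get(f)]
        if missing:
            # The DEBUG line the issue requests: say what was skipped and why.
            log.debug("skipping %s: missing %s", dep.get("target"), ", ".join(missing))
            skipped.append({"target": dep.get("target"), "missing": missing})
        else:
            bom.append({f: dep[f] for f in required})
    return bom, skipped

def to_yaml(entries):
    """Minimal YAML list-of-mappings emitter so the example needs no PyYAML."""
    lines = []
    for e in entries:
        first = True
        for k, v in e.items():
            val = "[" + ", ".join(v) + "]" if isinstance(v, list) else str(v)
            lines.append(("- " if first else "  ") + f"{k}: {val}")
            first = False
    return "\n".join(lines) + "\n"

def write_outputs(deps, bom_path, skipped_path):
    """Write the BOM plus the companion skipped file; returns (kept, skipped) counts."""
    bom, skipped = partition_deps(deps)
    with open(bom_path, "w") as f:
        f.write(to_yaml(bom))
    with open(skipped_path, "w") as f:  # e.g. target.bom-skipped.yaml
        f.write(to_yaml(skipped))
    return len(bom), len(skipped)

if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    print(write_outputs(SAMPLE_DEPS, "target.bom.yaml", "target.bom-skipped.yaml"))
```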