Produce a SBOM using fossa or another acceptable tool #818
Comments
It's reasonable. I'll use a tool to avoid licence compliance problems. I'll use FOSSA as Ryan said. @jakobmoellerdev Do you have any recommendation? I believe Red Hat has plenty of know-how.
I'll ask in our OSS / Compliance department if there is anything specific we want there. Will get back here once I have an update.
I asked around and got recommended https://github.com/anchore/syft, which can be used for SBOM generation and can also be attached to releases via automation. It should also be able to cover licensing if I understood them correctly, but I didn't verify this closely.
Thank you. I found syft provides a licence check by calling bouncer. https://github.com/anchore/syft/blob/11c0b1c234c461825d4897273e26e37c8c5e26d5/Taskfile.yaml#L157 I'll check this tool in detail and will compare with other tools.
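To make the licence-compliance step concrete, here is an added example (not code from this issue thread, from syft or from bouncer) that consumes an SBOM of the shape syft emits in SPDX-JSON form and checks each package's licence against a simple allow list, the way a CI gate would. The SBOM document below is constructed for the example; the package names, versions and licences in it are invented, and the policy set `ALLOWED` is an assumption, not anything the project has decided on. The SPDX expression handling is deliberately flat (`A OR B`, `A AND B`, no parentheses), which is enough for the common cases and fails closed on anything it does not understand.

```python
"""Check the licences recorded in an SPDX-JSON SBOM against an allow list."""
import json
from dataclasses import dataclass

# Constructed sample SBOM. The shape (a "packages" list whose entries carry
# licenseConcluded / licenseDeclared) follows syft's SPDX 2.3 JSON output in
# simplified form; the packages themselves are invented for this example.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "example-app",
    "packages": [
        {"name": "golang.org/x/net", "versionInfo": "v0.17.0",
         "licenseConcluded": "BSD-3-Clause", "licenseDeclared": "BSD-3-Clause"},
        {"name": "github.com/example/dual", "versionInfo": "v1.2.0",
         "licenseConcluded": "MIT OR GPL-3.0-only", "licenseDeclared": "NOASSERTION"},
        {"name": "github.com/example/copyleft", "versionInfo": "v0.9.1",
         "licenseConcluded": "GPL-3.0-only", "licenseDeclared": "GPL-3.0-only"},
        {"name": "github.com/example/unknown", "versionInfo": "v2.0.0",
         "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION"},
    ],
})

# Assumed policy: licences the project is willing to ship. Adjust to taste.
ALLOWED = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}
# SPDX values that mean "no usable licence information".
UNKNOWN = {"NOASSERTION", "NONE", ""}


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    license: str
    reason: str  # "denied" (known but not allowed) or "unknown" (no licence data)


def expression_allowed(expr, allowed):
    """Evaluate a flat SPDX licence expression against the allow list.

    OR is the lowest-precedence operator in SPDX, so it is split first; any
    alternative being allowed satisfies the expression. AND requires every
    part to be allowed. Parenthesised (nested) expressions are not parsed and
    are treated as not allowed, so the check fails closed.
    """
    expr = expr.strip()
    if "(" in expr or ")" in expr:
        return False
    if " OR " in expr:
        return any(expression_allowed(p, allowed) for p in expr.split(" OR "))
    if " AND " in expr:
        return all(expression_allowed(p, allowed) for p in expr.split(" AND "))
    return expr in allowed


def check_sbom(sbom_json, allowed=ALLOWED):
    """Return a Finding for every package whose licence is unknown or not allowed."""
    doc = json.loads(sbom_json)
    findings = []
    for pkg in doc.get("packages", []):
        concluded = pkg.get("licenseConcluded") or ""
        declared = pkg.get("licenseDeclared") or ""
        # Prefer the licence the scanner concluded; fall back to the declared one.
        lic = concluded if concluded not in UNKNOWN else declared
        name, ver = pkg.get("name", "?"), pkg.get("versionInfo", "?")
        if lic in UNKNOWN:
            findings.append(Finding(name, ver, lic or "NONE", "unknown"))
        elif not expression_allowed(lic, allowed):
            findings.append(Finding(name, ver, lic, "denied"))
    return findings


if __name__ == "__main__":
    results = check_sbom(SAMPLE_SBOM)
    for f in results:
        print(f"{f.reason:8} {f.package}@{f.version}: {f.license}")
    # Non-zero exit so a CI job fails when the SBOM contains a problem package.
    raise SystemExit(1 if results else 0)
```

Run against the constructed SBOM this reports two findings: the GPL-3.0-only package is denied, and the package with no licence information is flagged as unknown, while the dual-licensed `MIT OR GPL-3.0-only` package passes because one alternative is on the allow list. Treating unknown licences as a failure rather than ignoring them is the important design choice: a package the scanner could not classify is exactly the one that needs a human look before release.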
This issue has been automatically marked as stale because it has not had any activity for 30 days. It will be closed in a week if no further activity occurs. Thank you for your contributions.
While discussing a PR, a concern was raised about license compliance. This seems to be a reasonable concern, and the appropriate resolution is producing an automated bill of materials.