Minor SBOM output updates #785
Comments
We can, but keep in mind this module does not have any external dependencies on purpose for re-usability. I'm not sure introducing a toolkit dependency is the best way to handle this. Ideally, this library should be common to the toolkit and SCIO so we only import from one place that would have the proper version.
We could, but we should start by not including the resources in the short term.
Can you clarify "project details"? Also please provide examples of the expected filenames. |
Yeah, that would be best. In the short term we can just make this version correct then.
Yeah that could be default too, in the short term.
For examples we have the filename as |
Signed-off-by: Thomas Druez <tdruez@nexb.com>
Signed-off-by: Thomas Druez <tdruez@nexb.com>
Some suggestions that came up in a discussion with @pombredanne, please correct me if I got it wrong:
SPDX:
We have the SPDX license list version declared here: https://github.com/nexB/scancode.io/blob/main/scanpipe/pipes/spdx.py#L33 and it is
3.18, but in the latest version we havescancode-toolkit32.0.4and the spdx license list version is3.20and soon3.21with nexB/scancode-toolkit#3437Ideally we should import this license list version number from this here: https://github.com/nexB/scancode-toolkit/blob/develop/src/scancode_config.py#L147 and not set this in scancode.io
SPDX output includes file details for all resources and this makes the output file really large. We should probably add a settings option in the menu to not add the file details in the SPDX output?
Cyclonedx:
See https://cyclonedx.org/specification/overview/#recognized-file-patterns
We currently have the filename as
*.bom.jsonbut this should be*.cdx.json(or just bom.json, but we want the project details in the filename too)The text was updated successfully, but these errors were encountered: