Minor SBOM output updates #785
Comments
We can, but keep in mind this module does not have any external dependencies on purpose for re-usability. I'm not sure introducing a toolkit dependency is the best way to handle this. Ideally, this library should be common to the toolkit and SCIO so we only import from one place that would have the proper version.
We could, but we should start by not including the resources in the short term.
Can you clarify "project details"? Also please provide examples of the expected filenames.
Yeah, that would be best. In the short term we can just make this version correct then.
Yeah that could be default too, in the short term.
For examples we have the filename as
Signed-off-by: Thomas Druez <tdruez@nexb.com>
Some suggestions that came up in a discussion with @pombredanne, please correct me if I got it wrong:

SPDX:

- We have the SPDX license list version declared here: https://github.com/nexB/scancode.io/blob/main/scanpipe/pipes/spdx.py#L33 and it is `3.18`, but in the latest version we have `scancode-toolkit` `32.0.4` and the SPDX license list version is `3.20` and soon `3.21` with nexB/scancode-toolkit#3437. Ideally we should import this license list version number from here: https://github.com/nexB/scancode-toolkit/blob/develop/src/scancode_config.py#L147 and not set this in scancode.io.
- SPDX output includes file details for all resources and this makes the output file really large. We should probably add a settings option in the menu to not add the file details in the SPDX output?

CycloneDX:

- See https://cyclonedx.org/specification/overview/#recognized-file-patterns
- We currently have the filename as `*.bom.json` but this should be `*.cdx.json` (or just `bom.json`, but we want the project details in the filename too).
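The three points above (license list version drift, oversized SPDX output because of per-file entries, and the CycloneDX filename pattern) can be checked and post-processed on an existing SBOM file. The script below is an added example written for this thread; it is not scancode.io or scancode-toolkit code. It takes the toolkit's license list version as a plain string argument because the attribute name in `scancode_config` is not stated in the issue and is an assumption here. The SPDX document and project name it operates on are constructed sample data.

```python
"""Post-process SBOM output along the lines discussed in this issue.

Added example, not scancode.io code. It:
  1. checks that an SPDX document's ``licenseListVersion`` matches the
     version the toolkit ships (passed in as a string; reading it from
     scancode_config is left to the caller since the attribute name is
     an assumption of this example),
  2. strips per-file details from an SPDX document together with any
     relationship or ``hasFiles`` pointer that refers to a removed file,
     so the smaller document does not contain dangling SPDXRef ids,
  3. builds a CycloneDX output filename that keeps the project details
     while still matching the recognized ``*.cdx.json`` pattern.
"""
import copy
import json
import re

# Constructed minimal SPDX 2.3 JSON document: one package, two files.
SAMPLE_SPDX = {
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "demo-project",
    "documentNamespace": "https://example.invalid/demo-project",
    "creationInfo": {
        "created": "2023-07-01T00:00:00Z",
        "creators": ["Tool: example"],
        "licenseListVersion": "3.18",
    },
    "packages": [
        {"SPDXID": "SPDXRef-pkg-1", "name": "left-pad", "versionInfo": "1.3.0",
         "downloadLocation": "NOASSERTION",
         "hasFiles": ["SPDXRef-file-1", "SPDXRef-file-2"]},
    ],
    "files": [
        {"SPDXID": "SPDXRef-file-1", "fileName": "./index.js",
         "checksums": [{"algorithm": "SHA1", "checksumValue": "0" * 40}]},
        {"SPDXID": "SPDXRef-file-2", "fileName": "./package.json",
         "checksums": [{"algorithm": "SHA1", "checksumValue": "1" * 40}]},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-pkg-1"},
        {"spdxElementId": "SPDXRef-pkg-1", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-file-1"},
        {"spdxElementId": "SPDXRef-pkg-1", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-file-2"},
    ],
}


def check_license_list_version(spdx_doc, toolkit_version):
    """Return (ok, declared): ok is True when the document's
    licenseListVersion equals the version the toolkit ships."""
    declared = spdx_doc.get("creationInfo", {}).get("licenseListVersion")
    return declared == toolkit_version, declared


def strip_file_details(spdx_doc):
    """Return a copy of the document without per-file entries.

    Relationships whose source or target is a removed file, and package
    ``hasFiles`` lists, are dropped as well; leaving them in would make
    the document reference SPDXIDs that no longer exist.
    """
    doc = copy.deepcopy(spdx_doc)
    file_ids = {f["SPDXID"] for f in doc.get("files", [])}
    doc.pop("files", None)
    doc["relationships"] = [
        r for r in doc.get("relationships", [])
        if r["spdxElementId"] not in file_ids
        and r["relatedSpdxElement"] not in file_ids
    ]
    for pkg in doc.get("packages", []):
        pkg.pop("hasFiles", None)
    return doc


# Recognized CycloneDX names: bom.json / bom.xml or anything ending in .cdx.json / .cdx.xml
CDX_NAME = re.compile(r"(^bom\.(json|xml)$)|(\.cdx\.(json|xml)$)")


def is_recognized_cyclonedx_name(filename):
    return bool(CDX_NAME.search(filename))


def cyclonedx_filename(project_name, version, fmt="json"):
    """Build '<project-slug>-<version>.cdx.<fmt>' so the name carries the
    project details and still matches the recognized pattern."""
    slug = re.sub(r"[^A-Za-z0-9._-]+", "-", project_name).strip("-").lower()
    return f"{slug}-{version}.cdx.{fmt}"


if __name__ == "__main__":
    ok, declared = check_license_list_version(SAMPLE_SPDX, "3.20")
    print(f"licenseListVersion {declared!r} matches toolkit: {ok}")
    print(json.dumps(strip_file_details(SAMPLE_SPDX), indent=2))
    print(cyclonedx_filename("Demo Project", "1.0"))
```

`strip_file_details` copies the input rather than mutating it, so a pipeline can still write the full document when the setting asks for file details and the trimmed one otherwise.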