-
Notifications
You must be signed in to change notification settings - Fork 82
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Group non-package files together for analysis and reporting purposes #914
Comments
@DennisClark Could you clarify the following:
There's no concept of Product in the ScanCode.io context, the Pipelines/Scans are regrouped by "Analysis projects". |
@tdruez I guess that we would have to use the scancode.io project name for the Name, and we don't have any value for the version field. |
but the best solution would be to add the concept of Product (product name + product version) to SCIO to improve integration, ultimately, with other applications. |
In the big picture we need to be sure that we fully support reporting of first-party code, especially first-party code that has a copyright or license notice. |
let's go with this: |
alternative value for "Name": a UUID |
Let's go with this: the rest of the PURL is probably null |
Let's go with this: the rest of the PURL is probably null |
Signed-off-by: Thomas Druez <tdruez@nexb.com>
Signed-off-by: Thomas Druez <tdruez@nexb.com>
Signed-off-by: Thomas Druez <tdruez@nexb.com>
Signed-off-by: Thomas Druez <tdruez@nexb.com>
Signed-off-by: Thomas Druez <tdruez@nexb.com>
Signed-off-by: Thomas Druez <tdruez@nexb.com>
Signed-off-by: Thomas Druez <tdruez@nexb.com>
Signed-off-by: Thomas Druez <tdruez@nexb.com>
Signed-off-by: Thomas Druez <tdruez@nexb.com>
Signed-off-by: Thomas Druez <tdruez@nexb.com>
Signed-off-by: Thomas Druez <tdruez@nexb.com>
PR #927 merged in main. The "local-files" packages are now created as part of the d2d pipeline. |
If possible and practical, I think that this new feature should be expanded to include these pipelines (and possibly others):
|
Scan results are currently focused on packages, but in a typical product codebase there are lots of files that are not (or no longer) associated with packages, and these files may be very important from a license compliance perspective. Some cases include:
These miscellaneous files are currently difficult to analyze in the product codebase scan results, especially when there are lots of them, and they are not always being included in attribution and SBOM outputs.
Consider grouping these miscellaneous files into "local" packages (or "custom", "virtual", "logical", "file_set" packages), perhaps combining them by license_expression. It may also make sense to define these using the PURL convention; consider:
Type: "local" (or some other descriptive label that distinguishes them from standard packages)
Namespace: the name of the product codebase
Name: the common license_expression for the group of files
Version: the version of the product codebase
Qualifiers: optional, most likely null
Subpath: optional, most likely null
The primary advantage of creating "local" packages in the scan results are:
I prefer the term "local" for the PURL Type value, but this is of course open to discussion.
The text was updated successfully, but these errors were encountered: