by tsteenbe
2358 days ago
> A trivial solution would be to create a crowd-sourced dependency vetting platform. Such a platform is already being developed by various organizations, see https://clearlydefined.io/about, and it is already in use by GitHub. It's still under development and the initial focus is sharing data regarding copyrights, licenses and source code location for OSS packages. Note that ClearlyDefined only scans the code repository of an OSS project; it does not resolve dependencies for the scanned OSS project. This makes sense as not all dependencies of OSS project B are inherited by a project A which includes B as a dependency (due to dependency version resolution by the package manager, or dependencies only used for testing). The idea is that you will use a tool to resolve dependencies for the package manager your project uses, which then queries the ClearlyDefined APIs. We are building such a tool as an open source project to manage licensing and security for dependencies, named OSS Review Toolkit (https://github.com/heremaps/oss-review-toolkit). For an overview of the solution we are building see slide 9 in https://static.sched.com/hosted_files/ocs19/c7/OSS-Review-To... Full disclosure: I am one of the maintainers of OSS Review Toolkit and also a contributor to ClearlyDefined.