
Integration / Alignment with CDXGen

Open mkurzman opened this issue 1 year ago • 2 comments

Hi, it seems the development activity for https://github.com/CycloneDX/cdxgen intensified in 2023 and is ongoing. Is there a way to collaborate / align to use the benefits of CDXGen and join forces in cases where package managers or setups are not supported by the ORT analyzer yet? Marcel

mkurzman, Feb 14 '24 20:02

I would be happy to support this. Please also consider:

  • blint - a new SBOM and linting tool for binaries
  • depscan - a next-gen SCA tool

prabhu, May 31 '24 10:05

Thanks @prabhu for your offer to help. I believe it would be beneficial to first understand more about the capabilities of the different tools, maybe also not limited to ORT and CDXGen.

This brings me back to a long-standing wish of mine: to have a service that takes some Git repository to analyze / scan, runs various SCA / SBOM tools on it, and compares the results.

Something like a Jenkins instance hosted by a "neutral" party would work for that, where we run jobs from Jenkinsfiles that are hosted in some Open Source repository that people can contribute to. Maybe we should reach out to Linux Foundation (ACT, OpenChain) or OWASP to check whether they would be willing to host such an instance.

sschuberth, May 31 '24 11:05
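The "compare the results" step of the service sketched in the comment above, as an added example that is not part of the thread and is not code from ORT or cdxgen: it assumes each tool under comparison is configured to emit CycloneDX JSON (both projects have a CycloneDX output path, but the two documents below are constructed for the example and are not real tool output), indexes each document's components by purl with the version stripped, and reports what only one tool found plus where they disagree on versions. Qualifiers and subpaths in the purl are dropped before matching, on the assumption that a difference such as `?type=jar` is a reporting detail rather than a different dependency.

```python
"""Compare the component inventories of two CycloneDX JSON SBOMs by purl."""
import json
from typing import Dict, Set, Tuple

# Constructed sample SBOMs standing in for the output of two different
# tools run on the same repository. These are invented for the example,
# not captured from ORT or cdxgen.
SBOM_A = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "express", "version": "4.18.2",
         "purl": "pkg:npm/express@4.18.2"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
    ],
})

SBOM_B = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "express", "version": "4.17.1",
         "purl": "pkg:npm/express@4.17.1"},
        {"type": "library", "name": "urllib3", "version": "2.0.7",
         "purl": "pkg:pypi/urllib3@2.0.7"},
    ],
})


def split_purl(purl: str) -> Tuple[str, str]:
    """Split a purl into (purl without version, version).

    Handles the common 'pkg:type/ns/name@version?qualifiers#subpath' shape;
    qualifiers and subpath are stripped so two tools that differ only in
    qualifiers still match on the same package.
    """
    base = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" in base:
        name, version = base.rsplit("@", 1)
    else:
        name, version = base, ""
    return name, version


def index_components(sbom_json: str) -> Dict[str, str]:
    """Map unversioned purl -> version for every component in a CycloneDX SBOM.

    Components without a purl cannot be matched across tools and are skipped.
    Nested components (CycloneDX allows components inside components) are
    walked recursively.
    """
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    index: Dict[str, str] = {}

    def walk(components):
        for comp in components or []:
            purl = comp.get("purl")
            if purl:
                name, version = split_purl(purl)
                index[name] = version
            walk(comp.get("components"))

    walk(doc.get("components"))
    return index


def compare_sboms(sbom_a: str, sbom_b: str) -> Dict[str, object]:
    """Return what only A found, what only B found, and version mismatches."""
    a, b = index_components(sbom_a), index_components(sbom_b)
    only_a: Set[str] = set(a) - set(b)
    only_b: Set[str] = set(b) - set(a)
    mismatched = {n: (a[n], b[n]) for n in set(a) & set(b) if a[n] != b[n]}
    return {"only_a": sorted(only_a), "only_b": sorted(only_b),
            "version_mismatch": mismatched}


if __name__ == "__main__":
    report = compare_sboms(SBOM_A, SBOM_B)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against real tool output, the three buckets in the report are the ones worth reading first: a package that only one tool sees usually points at an unsupported package manager or lockfile format, while a version mismatch on a shared package points at the two analyzers resolving dependencies differently, which matters for any vulnerability matching done downstream.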