Add license attestation report #651
Comments
There's some work with the model that needs to be done first. The DT component model closely resembles CycloneDX itself. Some of that work is related to a CycloneDX enhancement CycloneDX/specification#43 Once this enhancement is added to the spec, DT can be updated to include an attestation API and report.
AFAICT the CycloneDX specification has been enhanced, so this could now be implemented. Are there currently any plans to target this to an upcoming version? If not, I might be able to contribute the feature. Some guidance on how this should be implemented would be needed, though.
@theobisproject yes, this feature is now possible. However, it's not currently being worked on or targeted to any milestone. PRs would be greatly appreciated and are likely the quickest way to ensure the feature gets incorporated.
Thanks for the update @stevespringett. I'll then figure out whether a PR can be made for this.
Does this pull request also handle the topic in #2018? I would be very interested to see that the licenses supplied by the package are also included in the CycloneDX export (https://cyclonedx.org/docs/1.4/json/#components_items_licenses_items_license_text_content)
@andife The pull request does not handle your linked issue. This adds a separate license-only export. @stevespringett Is there any plan to review the change?
We might be able to get this into 4.10. Thoughts @nscuro?
Since the CycloneDX spec allows for a "licenses" attribute for each component, is there a way to include the component licenses in the BOM export? This would be really helpful instead of having to export a completely different license document. E.g. https://cyclonedx.org/docs/1.5/json/#components_items_licenses
Removing from 4.10 milestone as per #2963 (comment)
A license attestation report is a document which contains the information of OSS components used in a specific product. Usually, it identifies the following information for each OSS component: name, version, copyright notice, the license it is licensed under, and the full license text.
From DT's view, I think that a specific product is represented by the combination of a project and its version.
This document will then be distributed with the product to fulfill the requirement of software license compliance.
It would be great to be able to download this document from DT directly.
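As an added illustration of the report described above (not code from Dependency-Track or the pull request), the script below derives exactly those five fields (name, version, copyright notice, license, full license text) from a CycloneDX JSON BOM, which is the data model DT's components mirror. It reads the `components[].licenses` entries the later comments point at (an SPDX `expression`, or a `license` object with an `id` or `name` and an optional `text`), decodes base64-encoded license text, and walks nested `components`. The BOM itself is a constructed sample, not a real project's export; the component-level `copyright` string is a standard CycloneDX field, but every value in the sample is made up.

```python
import base64
import json
from typing import Any

# Constructed sample CycloneDX 1.5 BOM: names, versions and texts are invented.
# "UGVybWlzc2lvbiBncmFudGVk" is base64 for the stand-in text "Permission granted".
SAMPLE_BOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "metadata": {
    "component": {"type": "application", "name": "example-app", "version": "2.0.0"}
  },
  "components": [
    {
      "type": "library",
      "name": "lib-alpha",
      "version": "1.4.2",
      "copyright": "Copyright (c) 2020 Alpha Authors",
      "licenses": [
        {
          "license": {
            "id": "MIT",
            "text": {
              "contentType": "text/plain",
              "encoding": "base64",
              "content": "UGVybWlzc2lvbiBncmFudGVk"
            }
          }
        }
      ],
      "components": [
        {
          "type": "library",
          "name": "lib-beta",
          "version": "0.9.0",
          "licenses": [{"expression": "Apache-2.0 OR BSD-3-Clause"}]
        }
      ]
    },
    {
      "type": "library",
      "name": "lib-gamma",
      "version": "3.1.0",
      "licenses": [{"license": {"name": "Custom Vendor License"}}]
    }
  ]
}
"""


def _license_fields(component: dict[str, Any]) -> tuple[list[str], list[str]]:
    """Return (license identifiers, full license texts) declared on one component.

    Each `licenses` entry is either an SPDX `expression` or a `license` object
    with an SPDX `id` or a free-form `name`; the full text, when present, sits in
    `license.text.content` and may be base64-encoded.
    """
    ids: list[str] = []
    texts: list[str] = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            ids.append(entry["expression"])
            continue
        lic = entry.get("license", {})
        ids.append(lic.get("id") or lic.get("name") or "UNKNOWN")
        text = lic.get("text") or {}
        content = text.get("content")
        if content:
            if text.get("encoding") == "base64":
                content = base64.b64decode(content).decode("utf-8")
            texts.append(content)
    return ids, texts


def collect_components(components: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Flatten the (possibly nested) component tree into attestation records."""
    records: list[dict[str, Any]] = []
    for comp in components:
        ids, texts = _license_fields(comp)
        records.append({
            "name": comp.get("name", ""),
            "version": comp.get("version", ""),
            "copyright": comp.get("copyright", ""),
            "licenses": ids,
            "license_texts": texts,
        })
        # CycloneDX permits nested `components` (e.g. bundled sub-libraries).
        records.extend(collect_components(comp.get("components", [])))
    return records


def build_report(bom_json: str) -> list[dict[str, Any]]:
    """Parse a CycloneDX JSON BOM and return one record per component."""
    bom = json.loads(bom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX BOM")
    return collect_components(bom.get("components", []))


def render_report(bom_json: str) -> str:
    """Render the records as the plain-text attestation document."""
    meta = json.loads(bom_json).get("metadata", {}).get("component", {})
    lines = [f"License attestation for {meta.get('name', '?')} {meta.get('version', '?')}", ""]
    for rec in build_report(bom_json):
        lines.append(f"{rec['name']} {rec['version']}")
        if rec["copyright"]:
            lines.append(f"  Copyright: {rec['copyright']}")
        # A component with no declared license is a compliance gap worth surfacing.
        lines.append(f"  License: {', '.join(rec['licenses']) or '(none declared)'}")
        for text in rec["license_texts"]:
            lines.append("  License text:")
            lines.extend("    " + line for line in text.splitlines())
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(SAMPLE_BOM_JSON))
```

Records are kept as a list of plain dicts so the same data can feed a text, CSV or HTML rendering; components whose BOM entry carries no license text are listed with their identifier only, which is what a reviewer would then need to resolve before shipping the document.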