This is why several German automotive OSPOs are working together to build OSS Review Toolkit (ORT) - it kinda glues various open source tools like ScanCode but adds features like the ability to manually correct findings…
> Do HN got a recommendation for other CLI based SBOM generators? Try ORT https://github.com/oss-review-toolkit/ort (full disclosure I am one of its maintainers and also the lead of the SPDX Defects/Security Profile).…
Good catch I missed that openCVE is Business Source License which I actually do not consider to be open source.
Are you aware of https://github.com/nexB/vulnerablecode? which offers a similar solution, is also open source and written in Python.
> It makes license scanning a doddle. As someone working in the field of license compliance (leading an Open Source Program Office) and dealing with the licensing of tens of thousands of OSS dependencies on a daily…
> A trivial solution would be to create a crowd-sourced dependency vetting platform. Such a platform is already being developed by various organizations, see https://clearlydefined.io/about and it already in use by…
If you want to do license compliance for various package managers then I recommend you checkout https://github.com/heremaps/oss-review-toolkit. Full disclosure: I am one of the maintainers of OSS Review Toolkit.
This is why several German automotive OSPOs are working together to build OSS Review Toolkit (ORT) - it kinda glues various open source tools like ScanCode but adds features like the ability to manually correct findings…
> Do HN got a recommendation for other CLI based SBOM generators? Try ORT https://github.com/oss-review-toolkit/ort (full disclosure I am one of its maintainers and also the lead of the SPDX Defects/Security Profile).…
Good catch I missed that openCVE is Business Source License which I actually do not consider to be open source.
Are you aware of https://github.com/nexB/vulnerablecode? which offers a similar solution, is also open source and written in Python.
> It makes license scanning a doddle. As someone working in the field of license compliance (leading an Open Source Program Office) and dealing with the licensing of tens of thousands of OSS dependencies on a daily…
> A trivial solution would be to create a crowd-sourced dependency vetting platform. Such a platform is already being developed by various organizations, see https://clearlydefined.io/about and it already in use by…
If you want to do license compliance for various package managers then I recommend you checkout https://github.com/heremaps/oss-review-toolkit. Full disclosure: I am one of the maintainers of OSS Review Toolkit.