Week 3

(June 14, 2024 - June 20, 2024)

Meeting 1

(June 19, 2024)

Attendees

• Rajul Jha
• Kaushlendra
• Shaheem Azmal
• Katharina

Discussions

• Worked on adding nomos json output. But not able to access the theMatches object's licenseAndMatchPositions object. Stuck on this for nomos task.
• Bumped up spdx_tools library to latest version. Tested with both platforms (GH Actions and Gitlab).
• Discussed an issue in the github workflow, not supporting multiple architectures.
  • The GH Actions Runner does not support multi-architecture images.
  • We discussed potential solutions for the same including trying to build the image in the GH Action itself or utilizing an emulator like qemu.

Work Done

• Upgraded the spdx_tools library (#PR2762) and did performance analysis for both versions.

  • With Version 0.0.0a2:

  • With Version 0.8.2:

• Worked on providing custom keyword.conf file during CI pipeline. It works as follows:

  • User creates a custom keyword.conf file following this pattern.
  • They set an environment variable called KEYWORD_CONF_FILE_PATH in CI providers settings and set its value to the path of the keyword.conf file.
  • Then, when the pipeline is triggered, say on push to main, then the keyword scanner reads the custom file and scans for the keywords specified by the user.
  • Keep in mind that the current keyword file is overwritten by the script, as discussed with the mentors.

Planning for next week

• Test the keyword functionality with GH Actions and Gitlab CI and send out a PR for the same.
• Work on providing multi architecture support for GH Actions.
• Study about how to implement differential scans.