Skip to main content

Week 10

(Aug, 02 2024 - Aug 08, 2024)

Meeting 1

(Aug 07, 2024)

Attendees

Discussions

  • To tackle the issue with the python-packageurl tool not supporting PyPI and other registries, Gaurav suggested to try out new tools like ORT Downloader, pypi-simple and REST API for warehouse
  • Talked about tagging and releasing the fossology-action after renaming it to something like FOSSOps

Work Done

  • Completed the Github Action for generating SBOMs for python packages. Their are four ways in which we can create an SBOM:
    • From Python Virtual Environment: cyclonedx-py environment
    • From Pipfile and Pipfile.lock: cyclonedx-py pipenv
    • From pyproject.toml and poetry.lock: cyclonedx-py poetry
    • From requirements.txt file: cyclonedx-py requirements
  • Currently the actions looks for these files in the root folder of the repo from where the action is triggered. In future releases, new features like custom path for the file, creating BOMs in xml foramt etc. can be provided.
  • It creates Software Bill of Materials in cyclonedx format.
  • BOMs are saves in a directory called sbom and for each language, currently python, the bom file is appended with the language specific identifier. For example, for python files, the bom file will sbom_py.json.
  • After we have the bom file, we can provide a new cli flag to fossologyscanner that will take these sbom files, download the project dependecies listed in them, scan them using fossology scanners (nomos, ojo etc) and spit out the results.
  • Started working on the new feature in fossologyscanner

Planning for next week

  • Figure out the method for getting the package metadata after trying out different approaches.
  • Work on successfully downloading and scanning the packages once finalized.
  • Keep an eye on making the code modular in order for easy integration of other language specific actions.