Comments (12)
Somewhat depends on sonatype/ossindex-public#7 and sonatype/ossindex-public#6.
FYI, Tidelift now also integrates with Sonatype OSS Index.
Also see https://github.com/dotanuki-labs/gradle-bodyguard.
There might be some issues with their terms of use that could prevent us from integration:
you may access and use the Materials solely for your internal use.
you may not [...] Analyze or use the Offering in any way that is or may be competitive with Company.
you may not [...] incorporate any portion of the Offering into any product or service [...]
you may not [...] Systematically download and store any or all of the Offering’s content.
you may not [use a] retrieval application or other manual or automatic device to retrieve, index, “scrape,” “data mine” or otherwise gather the Offering’s content [...]
There are tools such as Dependency Check, Track, MixeWay, Steady (formerly Vulas) which build a list of vulnerabilities with the possibility to access the Sonatype OSS Index DB with a free user account.
How do they cope with these constraints?
How do they cope with these constraints?
That you'd need to ask the makers of those tools 😉 My guess is that they only provide the integration, but do not use it themselves, or they have a custom deal. Of course ORT could do the same, but currently I do not feel like implementing something that we would not be able to use. And I also do not feel like encouraging our users to use a service that sounds free on the outside, but turns out to be unusable freely when looking at the inside.
I just learned that all data available through OSS Index is 30 days delayed. Also taking into account the limitations mentioned above, I don't believe it's meaningful for any production system to integrate with OSS Index, so I'm closing this.
The understanding that everything is 30 days delayed is not correct. But either way, NexusIQ is a commercial tool, so if it makes sense for people to use that as an advisor given its data has even more commercial restrictions, why wouldn't OSSIndex make sense? A few of our PMs have reached out separately to discuss already, so perhaps we can close that loop there.
The understanding that everything is 30 days delayed is not correct.
Interesting, as that statement was more or less a quote of what one of your account executives told us this week 😉
why wouldn't OSSIndex make sense?
Please see above:
you may access and use the Materials solely for your internal use.
... which means, if we'd e.g. want to demonstrate at a conference, like FOSDEM, how an ORT Advisor report based on OSS Index data would look, that would not be possible.
you may not [...] Analyze or use the Offering in any way that is or may be competitive with Company.
... which means you may not use OSS Index data to evaluate its quality against other (commercial) providers.
you may not [...] incorporate any portion of the Offering into any product or service [...]
... which could mean that an integration into ORT is not desired / possible.
you may not [...] Systematically download and store any or all of the Offering’s content.
... which means you're not allowed to cache OSS Index data e.g. for performance reasons.
you may not [use a] retrieval application or other manual or automatic device to retrieve, index, “scrape,” “data mine” or otherwise gather the Offering’s content [...]
... which means integration into projects like VulnerableCode is not possible, as they mirror all the data (also see @pombredanne's comment here).
A few of our PMs have reached out separately to discuss already, so perhaps we can close that loop there.
Yes, I'll happily discuss the matter with them next week in the hope of finding a solution.
Reopening this as meanwhile a PR was started by Sonatype to integrate with OSS Index.
Maybe it makes sense to wait a bit more and make the integration work with Sonatype Lift right away.
FYI, ORT is now also officially listed at https://ossindex.sonatype.org/integrations.