I'm thinking of building an open-source tool to scan the .NET/JS/TS dependencies of a project for whitelisted licenses, specific packages and versions that should (not) be used. Would that be useful? - ThreadSky

About ThreadSky

dennisdoomen.com • 30 days ago

I'm thinking of building an open-source tool to scan the .NET/JS/TS dependencies of a project for whitelisted licenses, specific packages and versions that should (not) be used. Would that be useful?

Comments

hvr.endj.in•30 days ago

Have you seen https://github.com/patriksvensson/covenant

hvr.endj.in•30 days ago

We used it to implement OpenChain across all our IP estate
https://endjin.com/blog/2023/08/implementing-the-openchain-specification

dennisdoomen.com•30 days ago

That's kind of what I was thinking, but I need a lot more.

hvr.endj.in•30 days ago

It's really easy to extend. We have a branch that supports python packages

hvr.endj.in•30 days ago

Plus the SBOM tool ecosystem has exploded in the last couple of 9

hvr.endj.in•30 days ago

*years

sabotageandi.bsky.social•30 days ago

Have a lookbat CycloneDX for generating SBOMs and DependencyTrack for policy management.

dennisdoomen.com•30 days ago

I don't care too much about SBOMs (as GitHub offers those as well), but more about controlling the dependencies.

b33rdy.bsky.social•30 days ago

Does @owasp.org’s Dependency-Track do something similar using their policy and audit features? All based on SBOMs.

demobytom.bsky.social•30 days ago

I built such functionality as part of a build pipeline for several .NET solutions at my old company. But in each case, it was my initiative to add it because "management" did not really see value in it. Mostly because "who cares. Clients don't verify it anyway"...

Posting Rules

Be respectful to others
No spam or self-promotion
Stay on topic
Follow Bluesky's terms of service

Comments

Posting Rules

Reply