| 1 | +--- |
| 2 | +title: Week 10 |
| 3 | +author: Rajul Jha |
| 4 | +tags: [gsoc24, CI] |
| 5 | +--- |
| 6 | +<!-- |
| 7 | +SPDX-License-Identifier: CC-BY-SA-4.0 |
| 8 | +
| 9 | +SPDX-FileCopyrightText: 2024 Rajul Jha <rajuljha49gmail.com> |
| 10 | +--> |
| 11 | + |
| 12 | +# Week 10 |
| 13 | +*(Aug, 02 2024 - Aug 08, 2024)* |
| 14 | + |
| 15 | +## Meeting 1 |
| 16 | +*(Aug 07, 2024)* |
| 17 | + |
| 18 | +## Attendees |
| 19 | + |
| 20 | +* [Rajul Jha](https://github.com/rajuljha) |
| 21 | +* [Gaurav](https://github.com/GMishx) |
| 22 | +* Katharina |
| 23 | + |
| 24 | +## Discussions |
| 25 | +* To tackle the issue with the python-packageurl tool not supporting `PyPI` and other registries, [Gaurav](https://github.com/GMishx) suggested to try out new tools like [ORT Downloader](https://oss-review-toolkit.org/ort/docs/tools/downloader), [pypi-simple](https://pypi.org/project/pypi-simple/) and REST API for [warehouse](https://warehouse.pypa.io/api-reference/json.html) |
| 26 | +* Talked about tagging and releasing the [fossology-action](https://github.com/fossology/fossology-action) after renaming it to something like **FOSSOps** |
| 27 | + |
| 28 | +## Work Done |
| 29 | + |
| 30 | +* Completed the Github Action for generating SBOMs for python packages. Their are four ways in which we can create an SBOM: |
| 31 | + * From Python Virtual Environment: `cyclonedx-py environment` |
| 32 | + * From Pipfile and Pipfile.lock: `cyclonedx-py pipenv` |
| 33 | + * From pyproject.toml and poetry.lock: `cyclonedx-py poetry` |
| 34 | + * From requirements.txt file: `cyclonedx-py requirements` |
| 35 | +* Currently the actions looks for these files in the root folder of the repo from where the action is triggered. In future releases, new features like custom path for the file, creating BOMs in xml foramt etc. can be provided. |
| 36 | +* It creates Software Bill of Materials in [cyclonedx](https://cyclonedx.org/specification/overview/) format. |
| 37 | +* BOMs are saves in a directory called `sbom` and for each language, currently python, the bom file is appended with the language specific identifier. |
| 38 | +For example, for python files, the bom file will `sbom_py.json`. |
| 39 | +* After we have the bom file, we can provide a new cli flag to `fossologyscanner` that will take these sbom files, download the project dependecies listed in them, scan them using fossology scanners (nomos, ojo etc) and spit out the results. |
| 40 | +* Started working on the new feature in `fossologyscanner` |
| 41 | + |
| 42 | +## Planning for next week |
| 43 | + |
| 44 | +* Figure out the method for getting the package metadata after trying out different approaches. |
| 45 | +* Work on successfully downloading and scanning the packages once finalized. |
| 46 | +* Keep an eye on making the code modular in order for easy integration of other language specific actions. |
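Review bot: the header line `SPDX-FileCopyrightText: 2024 Rajul Jha <rajuljha49gmail.com>` is missing the `@` in the address, so the SPDX contact is not a valid e-mail; fix that before merging. In the Work Done list, the planned `fossologyscanner` flag that will "download the project dependecies listed in them" should pin each download to the exact version recorded in the SBOM component and, where the input lock file (Pipfile.lock, poetry.lock, or a requirements.txt with `--hash` entries) supplied hashes that cyclonedx-py carried into the component entries, verify the fetched archive against those hashes before passing it to nomos/ojo; otherwise the license scan describes whatever the index served at scan time rather than what the project actually resolved. In the Discussions bullet, packageurl-python parses and builds `pkg:pypi/...` identifiers but does not resolve or fetch packages, so "not supporting PyPI" would be clearer as "not resolving packages from PyPI", which is the gap the ORT Downloader, pypi-simple and Warehouse JSON API suggestions fill. Minor wording: "Their are four ways" → "There are four ways", "the actions looks" → "the action looks", "foramt" → "format", "BOMs are saves" → "BOMs are saved", "the bom file will `sbom_py.json`" → "the bom file will be `sbom_py.json`", "dependecies" → "dependencies".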