Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-36398

Extend SBOM with 'license' and 'copyright'

Details

    • Task
    • Status: Stalled (View Workflow)
    • Critical
    • Resolution: Unresolved
    • 11.8
    • None
    • None

    Description

      A customer is asking to extend SBOMs beyond their original goal of NTIA and executive order compliance. Apparently, own product and dependencies need to be have license and copyright statement.

      copyright statement can be deduced automatically, so there must be some file that we can hardcode this information in.

      License (as SPDX-id) can in theory be deduced by github APIs

      Here is the rough plan -
      the "machine-readable" file will be yaml-formatted. It consists of a yaml-list. i.e items starting with <dash>-name, every items has a couple of keys, license and maybe "copyright" if known, but also information we hardcoded elsewhere, e.g CPE identifier, or publisher. a cmake parser function will convert the list and they keys into a set of cmake variables, e.g THIRD_PARTY_ZLIB_LICENSE will be taken from 

       -zlib
      		 
          license:GPL2

      Attachments

        Issue Links

          relates to

          PT-438 Failed to load

          Activity

            People

              wlad Vladislav Vaintroub
              wlad Vladislav Vaintroub
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.