Dear All,
I am having a hard using Fossology to fulfil my needs efficiently.
I would like to share one of the core aspect I am struggling with, and would love to see if some of you are facing the same problems.
My goal is to scan complete products source code, and ultimately produce a report listing all embedded components (libraries, dependencies, etc.), their licenses as well as copyright notices.
Today, I generate SPDX-TV reports with Fossolgy, convert them to XLS format using the SPDX Tools [1], and manually reorganise the file to create a list of components.
I didn't find within Fossology a way to indicate that, for example, a given directory/file contains the library X, licensed under Y, and copyrighted to Z, and generate the corresponding SPDX report.
Beside, the SPDX specifications seem to allow Packages and Sub-Packages identification [2] that seems to be what I'm looking for.
So my questions are:
- Do you share the need of identifying components / sub-packages within a scanned project ?
- If so, is there a way to achieve this with Fossology, and producing SPDX reports ?
- Can the SPDX [Sub-]Package be used to identify components and their license ?
- ... or is my compliance process totally wrong (should I identify and scan all components separately) ?
Nicolas
--
Nicolas Toussaint
OAB - Orange Applications for Business - Lyon
Tel: +33 608 763 559
