Re: [meta-spdxscanner] Question about meta-spdxscanner


Marco Cavallini
 

On 13/07/21 10:57, leimaohui@fujitsu.com wrote:
Hi Marco

I see that meta-spdxscanner has been moved to http://git.yoctoproject.org,
and doesn't maintained on github
Yes, you can contact me or contribute to meta-spdxscanner to this ML.

I'd like to have advice from you to understand if is it possible to test it without
any external service and discover what kind of artefacts are generated into
deploy/spdx.
I have not maintained scancode-tk for long time. And recently there are somebody else asked me about scancode-tk.
Yes, I planned to make scancode-tk.bbclass work without external service. But there are always issues because environment.
The problem of scancode-tk.bbclass that scancode must work with specify a version of python(latest requires 3.6), but you know that for YP or your host, it is hard to meet the requirement.
I found the newest version of scancode-tk support running in docker. So I plan to make scancode-tk.bbclass work with scancode command by docker next.
Of course, if you have good ideas, please tell me, or contribute to meta-spdxscanner directlly.
By the way, why not try fossology? It is really good that you can browse the compliance information on fossology server after you get spdx files by bitbake of YP.
Best regards
Lei

Hi Lei,
thank you for answering.

Considering the problems I encounter with scancode-tk and that the artifacts it produces are simple text files that need further analysis, I was just deciding to migrate to Fossology with "fossology-rest".
The only drawback is having to install the server, but I don't think it will be a problem.

Thanks again, I will contact you again if you have any problems with this mode.

Best,
--
Marco Cavallini | KOAN sas
Bergamo - Italia
embedded software engineering
https://KoanSoftware.com

Join yocto@lists.yoctoproject.org to automatically receive all group messages.