Omkar Phansopkar
@OmkarPh
Scancode workbench builds
You can find sample json files here: https://github.com/OmkarPh/scancode-workbench/tree/v4.0-react-typescript/samples
Omkar Phansopkar
@OmkarPh
nexB/scancode-toolkit#3061
Scancode toolkit setup error on macos m1 chip nexB/scancode-toolkit#3061
Jono Yang
@JonoYang

@OmkarPh

My screenshot is a panel from the soos.io webapp. soos.io determines whether or not a project has a vulnerability by checking the packages and dependencies listed in a project's manifest file. In my screenshot, on the left side, there is a nested list of packages from a manifest, and under each package are the dependencies for that package.
On the right side are the vulnerability details for the package. In our case, I think showing the package or dependency information in detail would be alright.

Omkar Phansopkar
@OmkarPh
this looks great
Akhil Raj
@lf32
GSoC update: Highlight license matches
Philippe Ombredanne
@pombredanne
@lf32 thanks!
@lf32 when is a good time to have a live session together?
Akhil Raj
@lf32
Aboutcode timings would be ok @pombredanne
Ayan Sinha Mahapatra
@AyanSinhaMahapatra
^ Usually that time is much busier as we have other calls. Earlier in the day works better for Philippe @lf32
Ayan Sinha Mahapatra
@AyanSinhaMahapatra
@pombredanne opening this page: https://github.com/nexB/aboutcode/wiki/MeetingMinutes now sometimes shows "The wiki page took too long to render. Please edit this wiki page's content so it renders faster." Should we make this a year-wise page instead?
Ayan Sinha Mahapatra
@AyanSinhaMahapatra
Hey @lf32, forget about also adding the link to the .yml files (for .RULE/.LICENSE files) in the details page. Just have one link to the .RULE/.LICENSE file instead. This is because we are thinking of merging the .RULE and .yml files into one .RULE YAML front-matter file instead as a part of nexB/scancode-toolkit#3049
Akhil Raj
@lf32
Hey, so if you are free for now can we have a meet?
Philippe Ombredanne
@pombredanne
@lf32 I could not reproduce your ScanCode TK Apple M1 installation issue. Can you try again and if this happens again, please create an issue
@lf32 me , not now, but tomorrow morning CEST could work
Akhil Raj
@lf32
Hey @pombredanne, which SCTK Apple M1 installation?
Philippe Ombredanne
@pombredanne
@lf32 you reported an issue Monday? ... or may be that was @OmkarPh ? :]
Ayan Sinha Mahapatra
@AyanSinhaMahapatra
That was reported by @OmkarPh , yes.
Philippe Ombredanne
@pombredanne
ah :)
Omkar Phansopkar
@OmkarPh
> That was reported by @OmkarPh, yes.

yeah it was me ;)

> @lf32 I could not reproduce your ScanCode TK Apple M1 installation issue. Can you try again and if this happens again, please create an issue

I've already tried doing unzip tar -> ./scancode --help thrice :/
nexB/scancode-toolkit#3061
Is there someone else who has an M1 Mac?

Jay Kumar
@35C4n0r
Greetings Everyone,
My name is Jay. I am a 2nd year undergrad. I am experienced with Python, Full Stack MERN development, C++ and a little bit of Flutter. I have been doing Python for almost 3 years now and I am very excited to do open source contribution. This would be my first time contributing to this repo, I would love it if someone could help me get started. Thank you.
Kevin Ji
@KevinJi22
@pombredanne I've addressed almost all your comments on my PR except for two. For this comment, what do you mean by "adding a new extension point"? I was thinking of adding a new class called AdditionalLicenseLocationProvider or something and having the path providers for additional licenses subclass that. What are your thoughts?
It seems like I'll have to modify the PluginCode repository for this.
@pombredanne also, for this, I don't think there's a way to identify if a license matches an external license vs. a license already in the licenseDB, right? So I'm not sure how we can set these fields to empty for additional licenses
Omkar Phansopkar
@OmkarPh
gsoc update - Created packages > dependencies page (Top level packages overview)
ziad hany
@ziadhany
GSoC update: Add support for rust ranges
Philippe Ombredanne
@pombredanne
@/all weekly meeting call started
@KevinJi22 hey :)
Philippe Ombredanne
@pombredanne
Sorry for changing my mind on the option name :]
Akhil Raj
@lf32
GSoC update: improve layout for license details
Keshav Priyadarshi
@keshav-space
GSoC Update: Streamline VulnTotal CLI, support JSON and YAML output, add support for grouping Vulnerability by CVE
Ayan Sinha Mahapatra
@AyanSinhaMahapatra
@keshav-space just curious, can we try this CLI out from https://github.com/nexB/vulnerablecode/tree/vulntotal? Or is it still in PRs?
Andrea Spacca
@aspacca
@pombredanne
> @aspacca --license-score is not the best way to filter licenses IMHO. Instead you may want to check the primary license returned in the new --summary feature (in v31+)

testing with new --summary feature: it seems to be a summary for the root, not faceted by package
Akhil Raj
@lf32
@pombredanne
Andrea Spacca
@aspacca
I'm using packages.[].license_expression
sometimes the same license is reported twice in the expression: i.e. "mit AND mit"
a minor thing about licenses_reference[].text_urls and text licenses_reference[].text
the second is not always the real content of the first
for MIT license for example: http://opensource.org/licenses/mit-license.php, here the content includes "Copyright <YEAR> <COPYRIGHT HOLDER>" (it's obvious the placeholders cannot be filled, and stripping the line is probably the proper thing to do)
Andrea Spacca
@aspacca
last thing about https://github.com/nexB/pip-requirements-parser: non-existing dependencies (I have a specific test case with "i_dont_exists" in requirements.txt) are not identified
pip raises an exception, pip-requirements-parser adds them to the list of packages
for this reason I'm still using pip, just using the new --report argument
I will look into opening a PR for pip-requirements-parser to fix this
what do you think the proper behaviour should be in this case? discard the dependency? raise an exception? log a warning?
Philippe Ombredanne
@pombredanne
@aspacca re: pip requirements parser... it does parse the same way that pip parses. But it does NOT look up in remote PyPI repos.
See https://github.com/nexB/python-inspector for this IMHO
parser-wise there is nothing to do there as we cannot know if a requirement exists or not.

The inspector does reuse pip-requirements-parser and resolves deps and interacts with PyPI repos alright and this would be the place IMHO.
I created nexB/python-inspector#64 ...