Hi everyone,

As part of my work on the new Go vendoring Change, I have delved head first into the world of software composition analysis (SCA) tools and license scanners. In Fedora, we currently have scancode-toolkit, trivy, and askalono (only a simple license scanner) packaged. I maintain trivy (along with the Go SIG and @mikelo2) and have also been de-facto maintaining scancode-toolkit via my python-packagers-sig membership since the maintainer has been unresponsive. Fabio and the Rust SIG maintain askalono. Once the non-responsive process in [1] goes through (it currently seems stuck on Pagure API instability), scancode-toolkit and its stack of dependencies are set to be orphaned. Thank you to Robert-Andre for all his work on getting scancode into Fedora.

I would like to propose starting a lightweight Software Composition Analysis Tools SIG (sca-tools-sig) to co-maintain scancode-toolkit and trivy and other SCA tools and the libraries that they rely on (e.g., python-license-expression). If other folks are interested in doing other work to promote usage of SCA tools in Fedora and improve license and vulnerability scanning tooling used by package maintainers, I think that could also be in scope. I think Go Vendor Tools is an interesting case study in this, as it runs a basic license scan and checks the value of the License: tag as part of the package build process and has knobs to control its behavior without disabling the checks — among other features.

Reply to this email if you are interested in joining or have any feedback or suggestions! I think we can start out by setting up a FAS group, Matrix room, and the mandatory private mailing list for packaging SIG Bugzilla bugs. I think membership would have to be conditioned on membership in the packager group since this SIG would be used as a distgit group as well, but that's open to discussion.

Best,
Maxwell

[1] https://pagure.io/fesco/issue/3454
--
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org