Re: LFN TAC Meeting Minutes, Feb. 10, 2021
Krzysztof Opasiak <k.opasiak@...>
Hi,
That's true. The main issue with using only NexusIQ is that it performs the
scan based on pom.xml, so we can catch vulnerabilities that exist in the
final "Java bundle", but that's not enough.
ONAP is delivering to the community not only Java bundles but full
Docker images that contain this bundle and dozens of other system tools,
for example a Tomcat server.
That's why we are looking at tools like tern and scancode, which can
analyze not only the Java project but the full Docker image that we are
shipping. Based on this scan a full SBOM is generated, and it can be used
for both license and vulnerability analysis.
On 12.02.2021 20:15, Ranny Haiby wrote:
Samsung R&D Institute Poland
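The point made above, that a pom.xml-scoped scan only covers the Java bundle while an SBOM of the whole image also covers OS-level tools such as Tomcat, as an added example that is not part of the thread or of the ONAP tooling: the SBOM fragment and the vulnerable-version table are constructed for illustration and are not real advisory data.

```python
"""Compare a Maven-only view of an image SBOM with the full-image view.

Both the CycloneDX-style SBOM and the VULNERABLE table are constructed
illustrative data (hypothetical versions, not real advisories).
"""
import json

# Constructed CycloneDX-like SBOM for an image carrying a Java bundle
# plus OS-level packages, including a Tomcat server.
SBOM_JSON = json.dumps({
    "components": [
        {"type": "library", "name": "commons-io", "version": "2.6",
         "purl": "pkg:maven/commons-io/commons-io@2.6"},
        {"type": "application", "name": "tomcat9", "version": "9.0.0",
         "purl": "pkg:deb/debian/tomcat9@9.0.0"},
        {"type": "library", "name": "openssl", "version": "1.1.1",
         "purl": "pkg:deb/debian/openssl@1.1.1"},
    ]
})

# Constructed lookup: purl without version -> set of "vulnerable" versions.
# Hypothetical values used only to exercise the comparison logic.
VULNERABLE = {
    "pkg:maven/commons-io/commons-io": {"2.6"},
    "pkg:deb/debian/tomcat9": {"9.0.0"},
}


def components(sbom_json, ecosystems=None):
    """Yield (purl_without_version, version) for each SBOM component.
    ecosystems restricts to purl types, e.g. {"maven"}; None means all."""
    for comp in json.loads(sbom_json)["components"]:
        base, _, version = comp["purl"].rpartition("@")
        ptype = base.split(":", 1)[1].split("/", 1)[0]  # "maven", "deb", ...
        if ecosystems is None or ptype in ecosystems:
            yield base, version


def findings(sbom_json, ecosystems=None):
    """Return sorted purl bases whose version appears in VULNERABLE."""
    return sorted(base for base, ver in components(sbom_json, ecosystems)
                  if ver in VULNERABLE.get(base, set()))


if __name__ == "__main__":
    # The Maven-only view (what a pom.xml-based scan sees) misses tomcat9.
    print("pom.xml-scope scan  :", findings(SBOM_JSON, {"maven"}))
    print("full-image SBOM scan:", findings(SBOM_JSON))
```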