op-advisory-council message

Subject: Re: Open Source Package Monitoring recommendations?

From: Kris Borchers <kris.borchers@gmail.com>
To: "op-advisory-council@lists.oasis-open.org" <op-advisory-council@lists.oasis-open.org>, Jory Burson <jory.burson@oasis-open.org>
Date: Wed, 11 Sep 2019 17:28:32 +0000

From a license compliance monitoring perspective, I have had a good experience with FOSSA https://fossa.io and they have been adding vulnerability detection as well. You can get started for free to check it out and they have been providing free services to a number of the OpenJSF projects for a long time. I'd be happy to introduce you to their CEO, Kevin Wang if you don't already know him.

Kris

From: op-advisory-council@lists.oasis-open.org <op-advisory-council@lists.oasis-open.org> on behalf of Jory Burson <jory.burson@oasis-open.org>
Sent: Wednesday, September 11, 2019 9:30:11 AM
To: op-advisory-council@lists.oasis-open.org <op-advisory-council@lists.oasis-open.org>
Subject: Open Source Package Monitoring recommendations?

Hi AC members, and happy Wednesday.

Do you have any recommendations or experience implementing Open Source package monitoring / security auditing tools? We'd like to have a few different recommendations for Open Projects, and decided that some kind of thorough comparison between them would make good content for our blog and documentation, too. I've talked with the folks at Snyk - which, fun fact, stands for "So Now You Know" - as they certainly seem to have quite a bit of adoption. Are there any others you would encourage us to look into/include?

I'll be away next week for W3C TPAC, but thinking of you all at OpenCore summit (which I'm really bummed to be missing). Be well, and see you at our next meeting on 23 September!

- Jory

Follow-Ups:
- Re: Open Source Package Monitoring recommendations?
  - From: "Ruff, Nithya" <NITHYA_RUFF@comcast.com>

References:
- Open Source Package Monitoring recommendations?
  - From: Jory Burson <jory.burson@oasis-open.org>