
op-advisory-council message


Subject: Re: Open Source Package Monitoring recommendations?


I am on the advisory board for FOSSA, so consider the source, but it would be my tool of choice.


BD and Flexera do deeper dives on license compliance (i.e., they will find more cut-and-paste issues), but they lack the front-end process management of FOSSA and are cumbersome to use. The FOSSA UI is very good.


From: op-advisory-council@lists.oasis-open.org <op-advisory-council@lists.oasis-open.org> on behalf of Ruff, Nithya <NITHYA_RUFF@comcast.com>
Sent: Wednesday, September 11, 2019 10:36:50 AM
To: Kris Borchers; op-advisory-council@lists.oasis-open.org; Jory Burson
Subject: Re: Open Source Package Monitoring recommendations?
 


Agree with Kris. We have had good experience with Fossa and after studying multiple solutions we are choosing to use Fossa for our customer facing mobile apps.

 

Thank You,

Nithya

 

Nithya A. Ruff

Head, Comcast Open Source Program Office

1050 Enterprise Way, Sunnyvale, CA 94089

Mobile: 267-254-1083. Email: Nithya_ruff@comcast.com


From: <op-advisory-council@lists.oasis-open.org> on behalf of Kris Borchers <kris.borchers@gmail.com>
Date: Wednesday, September 11, 2019 at 1:28 PM
To: "op-advisory-council@lists.oasis-open.org" <op-advisory-council@lists.oasis-open.org>, Jory Burson <jory.burson@oasis-open.org>
Subject: Re: Open Source Package Monitoring recommendations?

 

From a license compliance monitoring perspective, I have had a good experience with FOSSA https://fossa.io and they have been adding vulnerability detection as well. You can get started for free to check it out and they have been providing free services to a number of the OpenJSF projects for a long time. I'd be happy to introduce you to their CEO, Kevin Wang if you don't already know him.

Kris


From: op-advisory-council@lists.oasis-open.org <op-advisory-council@lists.oasis-open.org> on behalf of Jory Burson <jory.burson@oasis-open.org>
Sent: Wednesday, September 11, 2019 9:30:11 AM
To: op-advisory-council@lists.oasis-open.org <op-advisory-council@lists.oasis-open.org>
Subject: Open Source Package Monitoring recommendations?

 

Hi AC members, and happy Wednesday.

 

Do you have any recommendations or experience implementing Open Source package monitoring / security auditing tools? We'd like to have a few different recommendations for Open Projects, and decided that some kind of thorough comparison between them would make good content for our blog and documentation, too. I've talked with the folks at Snyk - which, fun fact, stands for "So Now You Know" - as they certainly seem to have quite a bit of adoption. Are there any others you would encourage us to look into/include?

 

I'll be away next week for W3C TPAC, but thinking of you all at OpenCore summit (which I'm really bummed to be missing). Be well, and see you at our next meeting on 23 September!

 

- Jory
