Project Barista - open source license and vulnerability management
Project Barista is a developer focused, cloud native, pure open source solution for open source license and vulnerability management.
Project goals include, but are not limited to:
Barista allows a developer to set up their project for scanning from any Git-compatible repo. Once a scan is initiated, the project is processed as follows:
The repo is cloned into a temporary directory. All contents of that directory are destroyed once processing is finished.
License scanning is initiated. Barista currently supports the following technology stacks:
Each technology stack uses its native tooling to gather project dependencies with as much metadata as can be harvested, e.g. license, publisher information and/or the project's published URL.
Unsupported technology stacks can be scanned using the nexB/scancode-tool, but the results are less comprehensive and scanning is slower.
All project and dependency code is then run through the OWASP Dependency-Check tool to gather published vulnerability information.
Both license and vulnerability findings are then run through a set of user-defined business rules, which categorize each finding into one of three categories:
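The pipeline described above, as an added example (not Barista's own code): an ephemeral clone workspace that is removed even when a scanner fails, plus a small user-defined rule set that sorts license and vulnerability findings into three categories. The category labels, the rule shape, the sample policy and the sample findings are all constructed assumptions; the page does not name Barista's actual categories or rule format.

```python
"""Sketch of a Barista-style scan: ephemeral workspace + rule-based categorization.
Added example; category names, rule format and sample data are assumptions."""
import os
import tempfile
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Assumed labels for the three categories (the page does not name them).
APPROVED, REVIEW, BLOCKED = "approved", "needs-review", "blocked"


@dataclass
class Finding:
    kind: str                      # "license" or "vulnerability"
    package: str
    license: Optional[str] = None  # SPDX identifier harvested by the stack scanner
    cvss: Optional[float] = None   # published CVSS base score, if any
    cve: Optional[str] = None      # placeholder ids only; nothing here is a real advisory


@dataclass
class Rule:
    name: str
    matches: Callable[[Finding], bool]
    category: str


def categorize(finding: Finding, rules: List[Rule]) -> str:
    """First matching rule wins. Anything no rule covers lands in REVIEW, so a
    finding nobody wrote a rule for is never silently approved (fail closed)."""
    for rule in rules:
        if rule.matches(finding):
            return rule.category
    return REVIEW


def summarize(findings: List[Finding], rules: List[Rule]) -> Dict[str, List[str]]:
    """Bucket package names by category for a scan report."""
    buckets: Dict[str, List[str]] = {APPROVED: [], REVIEW: [], BLOCKED: []}
    for f in findings:
        buckets[categorize(f, rules)].append(f.package)
    return buckets


def scan_in_ephemeral_workspace(clone: Callable[[str], None],
                                scan: Callable[[str], list]) -> Tuple[list, str]:
    """Clone and scan inside a temp dir that is deleted on exit, even on error.
    Returns the scan result and the (now removed) path so callers can verify cleanup."""
    with tempfile.TemporaryDirectory(prefix="barista-") as workdir:
        clone(workdir)
        result = scan(workdir)
    return result, workdir


# Constructed sample policy: high/critical vulns block, other vulns need review,
# strong copyleft blocks, well-known permissive licenses are approved.
SAMPLE_RULES = [
    Rule("high-vuln", lambda f: f.kind == "vulnerability" and (f.cvss or 0.0) >= 7.0, BLOCKED),
    Rule("other-vuln", lambda f: f.kind == "vulnerability", REVIEW),
    Rule("copyleft", lambda f: f.kind == "license" and f.license in {"GPL-3.0-only", "AGPL-3.0-only"}, BLOCKED),
    Rule("permissive", lambda f: f.kind == "license" and f.license in {"MIT", "Apache-2.0", "BSD-3-Clause"}, APPROVED),
]

# Constructed sample findings, as a stack scanner and Dependency-Check might emit them.
SAMPLE_FINDINGS = [
    Finding("license", "left-pad", license="MIT"),
    Finding("license", "some-gpl-lib", license="GPL-3.0-only"),
    Finding("license", "mystery-lib", license=None),            # unknown license -> review
    Finding("vulnerability", "old-parser", cvss=9.8, cve="CVE-0000-0000 (placeholder)"),
    Finding("vulnerability", "minor-lib", cvss=4.3),
]


def demo_ephemeral() -> Tuple[list, bool]:
    """Fake clone writes a manifest, fake scan lists it; the dir must be gone afterwards."""
    def fake_clone(workdir: str) -> None:  # stands in for `git clone`
        with open(os.path.join(workdir, "package.json"), "w") as fh:
            fh.write('{"name": "demo", "dependencies": {"left-pad": "1.3.0"}}')

    def fake_scan(workdir: str) -> list:
        return sorted(os.listdir(workdir))

    files, workdir = scan_in_ephemeral_workspace(fake_clone, fake_scan)
    return files, os.path.exists(workdir)


def demo_cleanup_on_error() -> bool:
    """A crashing scanner must not leave cloned source behind on disk."""
    seen: Dict[str, str] = {}

    def failing_scan(workdir: str) -> list:
        seen["dir"] = workdir
        raise RuntimeError("scanner crashed")

    try:
        scan_in_ephemeral_workspace(lambda d: None, failing_scan)
    except RuntimeError:
        pass
    return os.path.exists(seen["dir"])


if __name__ == "__main__":
    print(summarize(SAMPLE_FINDINGS, SAMPLE_RULES))
    print(demo_ephemeral(), demo_cleanup_on_error())
```

The fail-closed default in `categorize` is the design point worth keeping if you write your own rules: a dependency with no harvestable license or an unscored advisory should surface for a human, not disappear into the approved bucket.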
Start with our developer documentation.
Please see our original project team.