Project Barista is a developer focused, cloud native, pure open source solution for open source license and vulnerability management.
Project goals include but are not limited to:
- maintain a license inventory system of record per project/service/product for OSS consumption within an organization
- automate license impact analysis related to OSS consumption
- automate publisher attribution analysis related to OSS consumption
- automate OSS vulnerability scanning
Barista allows a developer to set up their project for scanning from any Git compatible repo. Once a scan is initiated, the project is processed as follows:
-
The repo is cloned into a temporary directory. All contents will be destroyed once processing is finished.
-
License scanning is initiated. Barista currently supports the following technology stacks:
- Java using the Maven package manager
- .Net using the NuGet package manager
- Node using the NPM package manager
- Python using the PIP package manager
- Support for additional package managers are on the roadmap as the community evolves e.g. Gradle, Go
-
Each technology stack uses native tools to gather project dependencies with as much meta data as can be harvested e.g. license, publisher information and or the project's published URL
-
Unsupported technology stacks can be scanned using the nexB/scancode-tool but results are not as comprehensive and performance is degraded.
-
All project and dependency code is then run through the OWASP Dependency Check tool to gather published vulnerability information.
-
Both license and vulnerability findings are then run through a set of user defined business rules which allow categorization of findings into 1 of 3 categories:
Approved
Warning
Disapproved
Start with our developer documentation.
Please see our original project team.
