scir-oss is a tool that integrates public data and information regarding open source software projects and their products into a Project, Product, Protection, and Policy report (OSS-P4/R).

cmu-sei/scir-oss

OSS-P4/R ☡

"Be Aware" of the Project, Product, Protections, and Policy of OSS Components.

The ability to freely inspect the source code of a software product is an important part of determining supply chain risk. But just as important is the ability to inspect the practices and policies a project employs to protect the integrity of that source code.

Overview

OSS-P4/R uses public data sources and open source tools to gather data and information correlated with supply chain concerns, covering various aspects of the project and of the project's dependencies.

Example

# Obtain supply chain information about an Open Source project given
# its GitHub name and repository and any Software Bill of Materials
# represented by the project and its dependencies.
scir-oss.sh -C oparest -G go-training/opa-restful -P github:sbom

# Perform the same analysis with a Software Bill of Materials generated
# in SPDX from a locally scanned folder
scir-oss.sh -C oparest -G go-training/opa-restful -P myOpaRest.spdx.json:sbom

# After analysis, publish the results to an Atlassian Confluence site
pub-scir.sh -C oparest -T "OPA REST-API" -S MySpace -A "OSS-P4/R Reports"

# Or, view the results using a local Markdown viewer
glow oparest/oparest_scir.md

Click here to see the complete OPA REST-API report in Markdown

For more information, check out the Quickstart Guide.

Installation

See the Installation Instructions.

License

OSS-P4/R is licensed under an MIT-style license, which can be found in the LICENSE file in this repository.

Public Release

Open Source P4 Tool

Copyright 2024 Carnegie Mellon University.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

Licensed under a MIT-style license, please see license.txt or contact [email protected] for full terms.

[DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution.

This Software includes and/or makes use of Third-Party Software each subject to its own license.

DM24-0786

Applies to pubRel 240719a (branch: publicRelease) versions or later.
