tern
scancode-toolkit
Our great sponsors
tern | scancode-toolkit | |
---|---|---|
1 | 4 | |
932 | 1,972 | |
0.5% | 2.6% | |
3.2 | 9.6 | |
about 2 months ago | 10 days ago | |
Python | Python | |
BSD 2-clause "Simplified" License | - |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
tern
-
Learn by reading code: Python standard library design decisions explained
A project you may want to look into adding is Tern [0]. I've had a good time reading through the code over the past couple of weeks, and have found it to be at least not "bad" code, and pretty easy to understand.
Specifically how they are untarring each container layer and creating a chroot jail to run commands inside is fairly self-contained and interesting.
[0] https://github.com/tern-tools/tern
scancode-toolkit
- ScanCode: Scan license and packages, dependencies and origin information
-
User beware: Modified AGPLv3 removes freedoms, adds legal headaches
Hey, pabs3! Actually this is not using a rolling checksum for detection but rather a combo of language model, checksums, automatons, bitvectors, inverted indexes and multiple sequences alignment (e.g. a specialized diff). I put some docs there to explain the approach at ahttps://github.com/nexB/scancode-toolkit/blob/develop/src/li...
-
I've just started using python at work, is there anything I need to be careful about?
If you're concerned about licensing in your dependencies, use a license scanner like scancode toolkit. Similar scanners are available in products like JFrog Artifactory or GitLab (paid versions)
What are some alternatives?
cdxgen - Creates CycloneDX Software Bill of Materials (SBOM) for your projects from source and container images. Supports many languages and package managers. Integrate in your CI/CD pipeline with automatic submission to Dependency Track server. Slack: https://cyclonedx.slack.com/archives/C04NFFE1962
dependency-track - Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
awesome-security-GRC - Curated list of resources for security Governance, Risk Management, Compliance and Audit professionals and enthusiasts (if they exist).
ort - A suite of tools to automate software compliance checks.
cyclonedx-gradle-plugin - Creates CycloneDX Software Bill of Materials (SBOM) from Gradle projects
spdx-spec - The SPDX specification in MarkDown and HTML formats.
fossology - FOSSology is an open source license compliance software system and toolkit. As a toolkit you can run license, copyright and export control scans from the command line. As a system, a database and web ui are provided to give you a compliance workflow. License, copyright and export scanners are tools used in the workflow.
spdx-license-matcher - A tool to match license text with SPDX license list using a an algorithm with finds close matches. It follows SPDX Matching guidelines to keep the substantial text as well as ignore the replaceable text for matching purposes.
Neo4j - Graphs for Everyone
goodcode - A curated collection of annotated code examples from prominent open-source projects