英文:
Does Snyk offer management for Open Source License Compliance? If yes, is it possible to generate reports based on the licences being used?
问题
Snyk是否提供开源许可合规性管理?如果是的话,是否可以生成基于所使用许可证的报告?
我想知道Snyk是否能够提供任何管理和报告功能,以检查我的代码中的开源许可证合规性。
英文:
Does Snyk offer management for Open Source License Compliance? If yes, is it possible to generate reports based on the licences being used?
I was wondering if Snyk is able to offer any management and reporting capabilities to check compliance for the open source licenses in my code.
答案1
得分: 4
以下是您要翻译的内容:
首先,Snyk 能够处理许多不同的开源许可证(380+),但 Snyk 不提供关于在生产环境中可以或不能使用的法律建议。
与 Snyk 许可证合规管理相关的官方 Snyk 文档可以在这里阅读。
开源许可合规可以在 Snyk-Group 级别 [策略 >> 许可证策略] 上进行设置,并且在企业计划中启用。
在配置许可策略后,您可以决定要与之一起使用的组织或项目属性(还可以指定多个组织或多个属性)。
还可以修改/更改特定许可证的严重性,或者为开发人员添加新的许可证说明。
您可以在以下位置查看/查找许可问题:
-
在开源清单文件(以及锁定文件)的“问题卡片”上 - 这个问题卡片具有“最小半径”,显示清单文件的许可证:
-
在 Snyk-组织级别:
可以显示并导出给定 Snyk 组织中所有依赖项的所有 OS 许可证和许可问题。您可以选择*[依赖项选项卡 >> 许可证]*:
或在新的报告页面*[报告 >> 添加筛选器:问题类型 >> 许可证]* 上设置。结果可以导出为 CSV 或 PDF 文件。
-
在组级别:这是我们可以查看所有 Snyk 组织的所有许可证问题的方式(与上述 2 类似)
-
使用 Snyk API(使用此端点):在这种情况下,我们会得到一个 .json 输出(如果我们进一步配置筛选器负载,我们可以调整发现列表)。还可以导出使用双重许可证的依赖项。
例如:
-
对于一些公司和开发人员,不仅显示许可证,还显示与许可证文本一起的依赖项也可能很重要。在这种情况下,我们可以调用snyk-licenses-texts 工具来帮助创建此类报告:
-
最后但同样重要的是 - 我们也可以选择在基本上任何类型的流程中使用 Snyk CLI。在这种情况下,我们可以利用snyk-to-html 工具生成 HTML 文件(流程工件)用于我们的开源、容器、IaC 或代码项目。作为开源报告的一部分,我们还可以看到许可问题:
英文:
First and foremost, Snyk is able to handle many various Open Source licences (380+), but Snyk doesn't provide legal advice on which licences can and can't be used in a production environment.
The official Snyk documentation in connection with Snyk License Compliance Management can be read here.
Open Source License Compliance can be set up on the Snyk-Group level [Policies >> License policies], and is enabled on the Enterprise plan.
After configuring a license policy, you can decide which organisations or project attributes you want to use it with (you can also specify either multiple organisations or multiple attributes).
It is also possible to modify/change the severity of a particular license, or add a new license instruction for your Developers.
Where can I see/find the License Issues?
-
On the "Issue Cards" of Open Source Manifest Files (and also Lock-Files) - this one has the "smallest radius", licenses for a manifest file are displayed:
-
On the Snyk-Organisation level:
All OS licenses and license issues from all your dependencies in a given Snyk organisation can be displayed and exported into a CSV-file. You can either choose the [Dependencies Tab >> Licenses]:
Or set the following on the new reporting page [Reports >> Add filter: Issue Type >> License]. The results can be exported into a CSV or PDF-file.
-
At the group level: This is how we can all view all License Issues across all Snyk Organisations (It works similar to 2 above)
-
With the Snyk API (using this endpoint): in this case we get a .json output (if we further configure the filters payload, we can adjust the list of findings). Also dependencies using dual-licenses can be exported.
e.g.:
-
For several companies and Developers may also be relevant to display not only the licenses, but also the dependencies together with the license texts. In this case we can call the snyk-licenses-texts tool for help and create such reports:
-
Last but not least - we also have the option to use the Snyk CLI in basically any kind of pipelines. In this scenario we can leverage the snyk-to-html tool and generate html-files (pipeline artefacts) for our Open Source, Container, IaC or Code projects. As part of the Open Source report, we can also see license issues:
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论