Open source licenses
- Used to be really a mess to do this. Spreadsheet-based approaches.
- I wrote an internal tool at New Relic for this. Have seen a few commercial offerings.
- A former coworker of mine said: “It’s a lot easier than it used to be, now that most package management ecosystems have adopted SPDX declarations in some form or another. Generally, I see GH Actions being used to generate SBOMs, and SPDX gathering / verification being a step in that process.”
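The “SPDX gathering / verification” step mentioned above is the part that actually enforces a policy, so here is an added example of what that step can look like when run as a CI job. It is not code from the original notes, from New Relic, or from any named tool: it takes an SPDX 2.3 JSON SBOM (a constructed sample is embedded inline), prefers each package's `licenseConcluded` over `licenseDeclared`, treats `NOASSERTION`/`NONE` as “no license asserted”, evaluates simple `AND`/`OR` license expressions against an allowlist of SPDX identifiers (the allowlist itself is an assumption, pick your own), and returns findings so the job can fail the build. Parenthesised expressions are not evaluated and are flagged for manual review rather than silently accepted.

```python
import json
import sys

# Constructed SPDX 2.3 JSON document for illustration only; not a real project's SBOM.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "example-app",
    "packages": [
        {"name": "left-pad", "SPDXID": "SPDXRef-Package-left-pad", "versionInfo": "1.3.0",
         "licenseConcluded": "MIT", "licenseDeclared": "MIT"},
        {"name": "somelib", "SPDXID": "SPDXRef-Package-somelib", "versionInfo": "2.0.0",
         "licenseConcluded": "NOASSERTION", "licenseDeclared": "GPL-3.0-only"},
        {"name": "dual", "SPDXID": "SPDXRef-Package-dual", "versionInfo": "0.9.1",
         "licenseConcluded": "MIT OR Apache-2.0", "licenseDeclared": "MIT OR Apache-2.0"},
        {"name": "combo", "SPDXID": "SPDXRef-Package-combo", "versionInfo": "4.2.0",
         "licenseConcluded": "MIT AND LGPL-2.1-only", "licenseDeclared": "NOASSERTION"},
        {"name": "nested", "SPDXID": "SPDXRef-Package-nested", "versionInfo": "1.0.0",
         "licenseConcluded": "(MIT OR GPL-2.0-only) AND ISC", "licenseDeclared": "NOASSERTION"},
        {"name": "unknown", "SPDXID": "SPDXRef-Package-unknown", "versionInfo": "0.1.0",
         "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION"},
    ],
})

# Assumed policy: permissive SPDX identifiers this hypothetical org accepts without review.
ALLOWED = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}

def package_license(pkg):
    """Return the first usable license expression: concluded beats declared; NOASSERTION/NONE count as absent."""
    for key in ("licenseConcluded", "licenseDeclared"):
        val = pkg.get(key)
        if val and val not in ("NOASSERTION", "NONE"):
            return val
    return None

def expression_allowed(expr, allowed):
    """Minimal SPDX expression check without parentheses: any OR-alternative whose AND-terms are all allowed passes."""
    for alternative in expr.split(" OR "):
        terms = [t.strip() for t in alternative.split(" AND ")]
        if all(t in allowed for t in terms):
            return True
    return False

def check_sbom(sbom_json, allowed=ALLOWED):
    """Evaluate every package in an SPDX JSON document; return (package, status, detail) findings."""
    doc = json.loads(sbom_json)
    findings = []
    for pkg in doc.get("packages", []):
        name = f"{pkg['name']}@{pkg.get('versionInfo', '?')}"
        expr = package_license(pkg)
        if expr is None:
            findings.append((name, "unknown", "no license asserted"))
        elif "(" in expr:
            # Grouped expressions are out of scope for the evaluator above; never guess, ask a human.
            findings.append((name, "review", expr))
        elif not expression_allowed(expr, allowed):
            findings.append((name, "disallowed", expr))
    return findings

def main(argv):
    # Usage in CI: python check_sbom.py sbom.spdx.json ; with no argument the constructed sample is used.
    sbom_json = open(argv[1]).read() if len(argv) > 1 else SAMPLE_SBOM
    findings = check_sbom(sbom_json)
    for name, status, detail in findings:
        print(f"{status:10} {name}: {detail}")
    return 1 if findings else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Returning a non-zero exit status whenever there is any finding (including “unknown”) is deliberate: a dependency with no asserted license is a gap in the SBOM, and treating it as a pass is how the old spreadsheet process drifted out of date.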