
Tool name: Aliens4Friends (Oniro Compliance Toolchain) #63

Open
20 of 60 tasks
alpianon opened this issue Jan 28, 2025 · 0 comments

alpianon commented Jan 28, 2025

homepage_url

https://projects.eclipse.org/projects/oniro.oniro-compliancetoolchain

contact_email

[email protected]

code_view_url

https://gitlab.eclipse.org/eclipse/oniro-compliancetoolchain/toolchain

spdx_license_expression

Apache-2.0

description

A comprehensive IP compliance toolchain for embedded operating system platforms, based on existing OSS tools (such as ScanCode and Fossology). It currently supports Yocto-based platforms; OpenHarmony and Android support is currently being added.

Key design features:

  • reuse of existing license and copyright metadata from reliable sources (Debian distribution)
  • efficient management of incremental human audit work, in parallel with the development process, allowing early detection of issues
  • dedicated dashboard to monitor the audit work progress and analyze the results
  • management of SCA for complex build matrices (multiple targets and variants)

primary_languages

Python

short_term_roadmap

  • 2024 Q1:
    • support for the OpenHarmony build system
    • export of curated findings from Fossology to OpenHarmony's internal compliance tool (OAT)
  • 2024 Q2:
    • support for AOSP build system

long_term_roadmap

  • generalization / abstraction of the data model, to better cover different build systems
  • integration with ORT and its data model
  • refactoring of support for Yocto-based projects

proprietary_data

  • Yes, the tool depends on proprietary data sources

commercial_features

  • Yes, the tool has a commercial version with different/additional features

capabilities

  • Identifiers - Use Package-URL (PURL) identifiers
  • Identifiers - Use SPDX license expressions
  • Scanning - Analyze package manifests and lockfiles
  • Scanning - Analyze package files
  • Scanning - Scan for copyright
  • Scanning - Scan for license
  • Scanning - Analyze source code
  • Scanning - Analyze containers
  • Scanning - Analyze installed system packages (linux distros)
  • Scanning - Analyze installed application packages
  • Scanning - Other analysis
  • Packages - Inventory packages
  • Packages - Inventory packages dependencies
  • Packages - Resolve dependencies
  • Packages - Navigate or display dependency graph
  • Compliance - Generate CycloneDX SBOMs
  • Compliance - Generate SPDX SBOMs
  • Compliance - Validate CycloneDX SBOM
  • Compliance - Validate SPDX SBOMs
  • Compliance - Generate CycloneDX VEX
  • Compliance - Generate CSAF VEX
  • Compliance - Generate OpenVex
  • Compliance - Generate other compliance documents
  • Policies - Define and check license policies
  • Policies - Define and check security policies
  • Policies - Define and check other policies
  • Data - Database of Package metadata
  • Data - Database of Package dependency relationships
  • Data - Database of License obligations
  • Data - Database of Licenses
  • Data - Database of Vulnerabilities
  • License - Help triage license issues
  • License - Generate license credit and attribution notices
  • License - Generate source code redistribution lists
  • Vulnerabilities - Detect vulnerable code in packages
  • Vulnerabilities - Find known vulnerabilities for package
  • Vulnerabilities - Determine reachable vulnerabilities
  • Vulnerabilities - Help triage vulnerabilities
  • Binaries - Analyze binaries
  • Binaries - Analyze ELF binaries
  • Binaries - Analyze Windows binaries
  • Binaries - Analyze firmware binaries
  • Binaries - Analyze Other binaries
  • Matching - Match source code
  • Matching - Match binary code
  • Tracing - Trace code execution
  • Tracing - Trace build
  • Code Security - Analyze code statically (SAST/linting)
  • Code Security - Analyze code dynamically (DAST)
  • Download - Source package
  • Download - Source repositories
  • Download - Binary package
  • Deployment - Deployable as containers (Docker/OCI/k8s/etc)
  • Deployment - Deployable in CI/CD pipelines
  • Deployment - Deployable as a library
  • Run - Run as a command line tool
  • Run - Run as a web application
  • Run - Run as an API service

other_capabilities

No response
