My Decade Later Contribution to Open Source World
Hello Readers,
I want to share with you my exciting story about my experience of contributing to the Open Source World after a long break. Just like most of you, I have been writing enterprise software throughout my life. I was not really an open-source fan until recently. Now, I am really inspired by the open source community, their passion, and their core values.
Recently, I contributed a cool feature to an open-source tool called "Vet". Vet is a security tool that automates the manual (slow and clumsy) process of dependency security vetting using custom policies. My feature allows reading a list of dependencies from an industry-standard SBOM, vetting those dependencies against the configured policies, and producing a report.
Here is how you can quickly try it.
Install and Configure Vet
go install github.com/safedep/vet@c55e0a767d3e1858e
vet auth configure --community
vet scan parsers --experimental
Dependency Scan
vet scan --lockfiles /path/to/cyclonedx-sbom.json --lockfile-as bom-cyclonedx
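To show what the SBOM-based scan above does conceptually (read components from a CycloneDX document, check each one against organisation rules, emit a report), here is an added illustration written for this post. It is not Vet's own code, and the SBOM document, the policy (allowed licenses, a version floor, a denied package) and the package names in it are all constructed for the example.

```python
"""Toy SBOM vetting: parse a CycloneDX JSON SBOM, check every component
against a small organisation policy, and produce a report.
Added example for this post; not the Vet project's implementation."""
import json

# Constructed CycloneDX 1.4 document. Package names and licenses are
# invented for the example and do not describe real project state.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "pyyaml", "version": "5.1",
         "purl": "pkg:pypi/pyyaml@5.1",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "leftpad-clone", "version": "0.0.1",
         "purl": "pkg:pypi/leftpad-clone@0.0.1",
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
    ],
})

# Constructed (hypothetical) organisation policy.
POLICY = {
    "allowed_licenses": {"MIT", "Apache-2.0", "BSD-3-Clause"},
    "min_versions": {"pkg:pypi/pyyaml": "5.4"},      # version floor per package
    "denied_packages": {"pkg:pypi/leftpad-clone"},   # never allowed
}


def parse_cyclonedx(text):
    """Return a list of components (name, version, purl base, license ids)."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    comps = []
    for c in doc.get("components", []):
        purl = c.get("purl", "")
        # "pkg:pypi/requests@2.31.0" -> "pkg:pypi/requests"; fall back to the name
        base = purl.split("@", 1)[0] if purl else "pkg:unknown/" + str(c.get("name"))
        ids = [entry.get("license", {}).get("id") for entry in c.get("licenses", [])]
        comps.append({
            "name": c.get("name"),
            "version": c.get("version", ""),
            "purl_base": base,
            "licenses": [i for i in ids if i],
        })
    return comps


def _vtuple(version):
    """Crude numeric version key: '2.31.0' -> (2, 31, 0). Enough for the demo."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def vet_component(comp, policy):
    """Return the list of policy findings for one component (empty = OK)."""
    findings = []
    if comp["purl_base"] in policy["denied_packages"]:
        findings.append("denied by policy")
    floor = policy["min_versions"].get(comp["purl_base"])
    if floor and _vtuple(comp["version"]) < _vtuple(floor):
        findings.append(f"version {comp['version']} below required {floor}")
    bad = [lic for lic in comp["licenses"] if lic not in policy["allowed_licenses"]]
    if bad:
        findings.append("license not allowed: " + ", ".join(bad))
    return findings


def vet_sbom(text, policy=POLICY):
    """Map 'purl@version' -> findings for every component in the SBOM."""
    report = {}
    for comp in parse_cyclonedx(text):
        report[comp["purl_base"] + "@" + comp["version"]] = vet_component(comp, policy)
    return report


def render_report(report):
    """Plain-text report: one line per component, FAIL lines carry the reasons."""
    lines = []
    for key, findings in sorted(report.items()):
        if findings:
            lines.append(f"FAIL {key}  -> " + "; ".join(findings))
        else:
            lines.append(f"OK   {key}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(vet_sbom(SAMPLE_SBOM)))
```

Running the script prints one line per component; the constructed policy flags the outdated pyyaml and the denied, copyleft-licensed package while requests passes. A real tool would pull license and vulnerability data from package registries rather than trusting the SBOM's self-declared fields, which is the part this toy deliberately leaves out.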
How to generate an SBOM?
There are a few options to generate an SBOM.
Option 1
Using an open-source tool such as cdxgen
mkdir tmp
cp setup.py tmp
docker run --rm -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen -r /app/tmp/ -o /app/bom-dpc-int1.json
rm -rf tmp
Option 2
Use GitHub SBOM Feature.
Go to Project -> Insights -> Dependencies -> Export SBOM
How will it help an organization to improve developer productivity?
Imagine this: when a developer picks a "dependency", Vet jumps in and quickly says if it's okay to use. It's like having a super-fast helper that knows the rules of our organization. So, the developer doesn't have to wait and wonder if the chosen dependency is allowed or not. It's like following a recipe and knowing exactly which ingredients are good to use.
Do you want to contribute too?
If I can do it, you can too. Give it a try, and who knows, you might discover a passion for open source just like I did.
If you want to contribute to Vet, here is the PR and Documentation for your reference.
Thanks for now. Stay Tuned.