
sca

Here are 89 public repositories matching this topic...

dependency-track
stevespringett commented Nov 18, 2020

The current Swagger definition is autogenerated. The automatically generated definitions rely on reflection and annotations to create the documentation. The reflection capabilities are poor at best and lead to missing API parameters. Annotations can help in some cases, but the only fix for Swagger is to create individual POJOs for every possible request. This will lead to unnecessarily large number

prabhu commented Feb 1, 2020

Currently, NVD_START_YEAR is configurable with a default value of 2018. The tool should recommend a start year based on the oldest CVE found. If a CVE belonging to the year 2018 is found, then the scan should recommend a re-scan with a start year of 2017 (the previous year).

This can be implemented in the analysis module.

enhancement good first issue help wanted
rezoan commented Jul 14, 2021

In my Ubuntu 20.04.2.0, I have Python 2.7.18 and pip3 20.0.2.
I was trying to install prancer-basic via pip3 install prancer-basic
It gets installed successfully with the below warning:

WARNING: The scripts populate_json, prancer, register_key_in_azure_vault, terraform_to_json and validator are installed in '/home/r4redu/.local/bin' which is not on PATH.
  Consider adding this director
help wanted good first issue
pombredanne commented Feb 24, 2022

When we display a package manifest or lockfile in the resource details, we should have a way to add a hyperlink to the upstream repository web page for this repo: for instance when we browse a requirements.txt lockfile, if it contains: scancode-toolkit==30.0.1 we should recognize this and link to https://pypi.org/project/scancode-toolkit/30.1.0/

We can parse manifests alright and we can creat
