I would like to generate report via the command line, is this possible in current FNCI v7 release?  Related question - Is it possible to run any of the custom reports without installing on core server? ... View more

What are the plans to support Dockerfile scanning in FNCI v6 From initial tests scanning docker containers (using 6.x, on docker layer tarfiles), the scan results are incomplete.  e.g. No inventory for baseOS layer (centos/rpm-based, no matches on libs/executables), and partial for other layers.  Having inventory for the BaseOS layer is important because with container distribution model, the user-space OS components are now being distributed which has copyleft compliance implications (many user-space Linux components are under a copyleft license). Scanning the Dockerfile would provide details of OSS dependencies at the source level,  without requiring full image build/scan. I have not tried using the v7 container plugin yet, so don't know if users are getting better results with the v7. ... View more

Are there any plans to support ability to specify range of versions in request policies? The ability to set a request policy  based on a range of versions.e.g. using wildcards or regex would significantly reduce review overhead and improve compliance. Use case:  Users submit requests for all component updates. The ability to policy approve requests that are minor version updates , e.g. 1.1 -> 1.2 , that are submitted to address vulnerabilities would significantly improve efficiency and reduce workload for submitters and approvers. It is extremely rare to have license changes in  bug fix patches, so this would be safer than using "any version" +  license. Defining a Policy using "any version" + license is not a safe solution,  since licenses can change between major releases (from permissive to copyleft or non-OSI type license), and component definitions in PDL often club all licenses together at a component level (versus version level).  This allows requester to select any license from the list of licenses for that component, even if NOT correct for the specified version.  If policy-approval in effect then the wrong license could be selected and auto approved.  It is critical to NOT policy-approve a component where a license has changed from permissive to copyleft, AGPL or SSPL type of license. ... View more

FNCI 6.x -- attachments to requests are kept under  {install-dir}/config/core/attachments/{mmddyyyy}_ {nnnnnnnnn}_{username}_{attachment filename} I am not sure what the {nnnnnnnnn} number is -- I assume it is a timestamp? Is there a way to determine from this filename what request the file is attached to? It would very useful if an attachment name could be mapped back to the request to which it is attached. thanks,   Michelle ... View more