I am working with some external developers, and I get that they have not been working with medical device products before and are now having to adapt to some products being classified as such, with a complete overhaul of processes and documentation.
However, I am not a (real) developer, so my understanding of the realities of dependencies is very high level and abstract.
I have asked for a complete list of third party components (SOUP) for a specific version of a product that includes a lot of these components, and it seems like they are spread over tens of different repos. I think they are the .NET team (different products have different codebases; it seems like the medical devices are either .NET or Java).
In my naive, not very knowledgeable world as a regulatory consultant, I wondered why getting this list was so difficult, and don't they have either
a) some kind of artefact from their build process, like a post-build step which would generate a complete dependencies list? I mean, the information about what goes into a final build must be there, right?
or
b) which I see fairly commonly, using CycloneDX or similar to generate SBOMs automatically (which I thought you just set up to link to repos, or is there some kind of index file in a repo that it uses? I don't know)
or
c) some way of pulling a tagged version of a product and somehow using a tool or process to extract the dependencies,
but I don't know enough about development to understand the actual practical process involved in these steps, and so it's hard for me to know how best to respond to a developer saying the product includes code from dozens of repos and they don't have an automatic process to get the list of dependencies to a sufficient detail level...
Naively (again), I guess I just expect as standard praxis that developing products pulling code from a lot of places would always include systems to manage what goes into the build queue with tight configuration control and versioning, but I don't know if I am just misunderstanding the real-world issue.
Anyone who can help with some context and tips?
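To illustrate what option a) or b) amounts to in practice for a .NET product spread over several repos, here is an added example (not the poster's or their developers' tooling) that reads the PackageReference entries from a set of `.csproj` files and merges them into one de-duplicated, CycloneDX-shaped SBOM. The two project files and repo names are constructed sample data; in real use you would gather the project files from each repo checked out at the release tag.

```python
"""Merge NuGet PackageReference entries from several .csproj files into one
CycloneDX-style SBOM. Example code for this thread, not a team's real tooling."""
import json
import xml.etree.ElementTree as ET

# Constructed sample: two projects from two hypothetical repos sharing one package.
SAMPLE_PROJECTS = {
    "repo-auth/Auth.csproj": """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="Serilog" Version="3.1.1" />
  </ItemGroup>
</Project>""",
    "repo-api/Api.csproj": """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="Dapper" Version="2.1.35" />
  </ItemGroup>
</Project>""",
}

def package_references(csproj_xml: str) -> list[tuple[str, str]]:
    """Return (name, version) pairs declared as PackageReference attributes.
    Only direct references with a Version attribute are covered here."""
    root = ET.fromstring(csproj_xml)
    refs = []
    for node in root.iter("PackageReference"):
        name, version = node.get("Include"), node.get("Version")
        if name and version:
            refs.append((name, version))
    return refs

def build_sbom(projects: dict[str, str]) -> dict:
    """Merge every project's references, recording which projects use each one."""
    seen: dict[tuple[str, str], set[str]] = {}
    for path, xml_text in projects.items():
        for ref in package_references(xml_text):
            seen.setdefault(ref, set()).add(path)
    components = [
        {"type": "library", "name": name, "version": version,
         "purl": f"pkg:nuget/{name}@{version}",  # package URL for a NuGet package
         "properties": [{"name": "used-by", "value": ",".join(sorted(paths))}]}
        for (name, version), paths in sorted(seen.items())
    ]
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "components": components}

if __name__ == "__main__":
    print(json.dumps(build_sbom(SAMPLE_PROJECTS), indent=2))
```

This only captures the packages a project declares directly; the transitive packages that also ship in the build come from the restore output (for example `dotnet list package --include-transitive`, or the CycloneDX .NET tool run against each project), which is what makes a post-build step the natural place to produce the list.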