Clone this repo:
  1. 66ca42a Merge pull request #162 from adam-azarchs/azarchs/no-license-file by tonyaiuto · 5 weeks ago main
  2. 8144e77 Merge pull request #161 from cgrindel/gh0055_missing_target_under_license by tonyaiuto · 5 weeks ago
  3. a0bc8e7 Merge pull request #156 from aiuto/noconf by aiuto · 3 months ago
  4. 10314dc fix: allow license_text=None in license declaration by Adam Azarchs · 4 months ago
  5. 773826c test: add a test case for no license file by Adam Azarchs · 4 months ago

rules_license

CI: Build status

This repository contains a set of rules and tools for

  • declaring metadata about packages, such as
    • the licenses the package is available under
    • the canonical package name and version
    • copyright information
    • ... and more TBD in the future
  • gathering license declarations into artifacts to ship with code
  • applying organization specific compliance constriants against the set of packages used by a target.
  • producing SBOMs for built artifacts.

WARNING: The code here is still in active initial development and will churn a lot.

Contact

If you want to follow along:

Roadmap

Last update: October 22, 2023

Q4 2023

  • Reference implementation for “packages used” tool
    • produce JSON output usable for SBOM generation or other compliance reporting.
  • Reference implementation for an SPDX SBOMM generator
    • Support for reading bzlmod lock file
    • Support for reading maven lock file
  • “How To” guides
    • produce a license audit
    • produce an SBOM

Q1 2024

  • Add support for other package manager lock file formats
    • ? Python
    • Golang
    • NodeJS
  • More SPDX SBOM fields
    • support for including vendor SBOMs

Beyond

  • Performance improvements

  • Sub-SBOMs for tools

  • TBD

Background reading:

These is for learning about the problem space, and our approach to solutions. Concrete specifications will always appear in checked in code rather than documents.