This repository contains a set of rules and tools for
- declaring metadata about packages, such as
  - the licenses the package is available under
  - the canonical package name and version
  - copyright information
  - ... and more TBD in the future
- gathering license declarations into artifacts to ship with code
- applying organization-specific compliance constraints against the set of packages used by a target.
- producing SBOMs for built artifacts.
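The three stages listed above (declare per-package metadata, apply an organization's license policy to the packages a target uses, emit an SBOM) as an added, self-contained Python example. This is not code from this repository and does not use its rules; the `PackageInfo` shape, the sample packages, the allowlist policy and the small subset of SPDX 2.3 fields are all constructed here for illustration.

```python
"""Added example (not this repository's code): a minimal "packages used"
pipeline. It declares per-package metadata, checks the set of packages a
target uses against a constructed organization license policy, and emits a
small SPDX 2.3-style JSON document usable as a starting point for an SBOM."""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class PackageInfo:
    """Metadata a build declares about one package (constructed shape)."""
    label: str                  # build label of the package, e.g. "//third_party/libfoo"
    name: str                   # canonical package name
    version: str
    licenses: tuple             # SPDX license IDs the package is available under (a choice)
    copyright_text: str = "NOASSERTION"


# Constructed sample: the packages a hypothetical target transitively uses.
PACKAGES_USED = (
    PackageInfo("//third_party/libfoo", "libfoo", "1.2.3", ("Apache-2.0",),
                "Copyright 2020 Example Foo Authors"),
    PackageInfo("//third_party/libbar", "libbar", "0.9.0", ("MIT", "GPL-2.0-only"),
                "Copyright 2019 Example Bar Authors"),
    PackageInfo("//third_party/strictlib", "strictlib", "4.0.0", ("AGPL-3.0-only",)),
)

# Constructed organization policy: a package is acceptable if at least one of
# the licenses it is offered under is on the allowlist, so a dual-licensed
# package passes when either option is allowed.
ALLOWED_LICENSES = frozenset({"Apache-2.0", "MIT", "BSD-3-Clause", "Zlib"})


def check_license_policy(packages, allowed):
    """Return the labels of packages none of whose offered licenses is allowed."""
    return [p.label for p in packages if not set(p.licenses) & allowed]


def license_expression(licenses):
    """Render the offered licenses as an SPDX disjunctive license expression."""
    return " OR ".join(licenses) if licenses else "NOASSERTION"


def build_sbom(target, packages):
    """Build a minimal SPDX 2.3-style document for the packages a target uses.

    Only a small subset of SPDX fields is filled in; a real generator would add
    creation info, checksums, download locations and supplier data."""
    spdx_packages, relationships = [], []
    for p in packages:
        spdx_id = "SPDXRef-Package-" + p.name
        spdx_packages.append({
            "SPDXID": spdx_id,
            "name": p.name,
            "versionInfo": p.version,
            "licenseDeclared": license_expression(p.licenses),
            "copyrightText": p.copyright_text,
        })
        relationships.append({
            "spdxElementId": "SPDXRef-Target",
            "relationshipType": "DEPENDS_ON",
            "relatedSpdxElement": spdx_id,
        })
    return {
        "spdxVersion": "SPDX-2.3",
        "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": "sbom-for-" + target,
        "documentDescribes": ["SPDXRef-Target"],
        "packages": [{"SPDXID": "SPDXRef-Target", "name": target}] + spdx_packages,
        "relationships": relationships,
    }


def sbom_json(target, packages):
    """Serialize the SBOM with stable key order so diffs between builds are readable."""
    return json.dumps(build_sbom(target, packages), indent=2, sort_keys=True)


if __name__ == "__main__":
    violations = check_license_policy(PACKAGES_USED, ALLOWED_LICENSES)
    if violations:
        print("license policy violations:", violations)
    print(sbom_json("//app:server", PACKAGES_USED))
```

Run as a script it reports `strictlib` as the only violation (AGPL-3.0-only is not on the allowlist, while `libbar` passes on its MIT option) and prints the SBOM; in a build the policy check would run before artifacts ship, and the JSON is the piece a fuller SPDX generator would enrich.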
WARNING: The code here is still in active initial development and will churn a lot.
Contact
If you want to follow along:
Roadmap
Last update: October 22, 2023
Q4 2023
- Reference implementation for “packages used” tool
  - produce JSON output usable for SBOM generation or other compliance reporting.
- Reference implementation for an SPDX SBOM generator
- Support for reading bzlmod lock file
- Support for reading maven lock file
- “How To” guides
  - produce a license audit
  - produce an SBOM
Q1 2024
- Add support for other package manager lock file formats
- More SPDX SBOM fields
  - support for including vendor SBOMs
Beyond
- Performance improvements
- Sub-SBOMs for tools
- TBD
Background reading:
These are for learning about the problem space and our approach to solutions. Concrete specifications will always appear in checked-in code rather than in documents.