Clone this repo:
  1. a0bc8e7 Merge pull request #156 from aiuto/noconf by aiuto · 4 weeks ago main
  2. 9308dd1 Update comments about cfg=exec on license() by Tony Aiuto · 2 months ago
  3. 5b980ea Merge pull request #147 from fmeum/current-module-package-info by aiuto · 2 months ago
  4. f5b5dfd Merge branch 'main' into current-module-package-info by Fabian Meumertzheim · 3 months ago
  5. f85e7d6 Merge pull request #135 from aiuto/upd by aiuto · 3 months ago 1.0.0

rules_license

CI: Build status

This repository contains a set of rules and tools for

  • declaring metadata about packages, such as
    • the licenses the package is available under
    • the canonical package name and version
    • copyright information
    • ... and more TBD in the future
  • gathering license declarations into artifacts to ship with code
  • applying organization specific compliance constriants against the set of packages used by a target.
  • producing SBOMs for built artifacts.

WARNING: The code here is still in active initial development and will churn a lot.

Contact

If you want to follow along:

Roadmap

Last update: October 22, 2023

Q4 2023

  • Reference implementation for “packages used” tool
    • produce JSON output usable for SBOM generation or other compliance reporting.
  • Reference implementation for an SPDX SBOMM generator
    • Support for reading bzlmod lock file
    • Support for reading maven lock file
  • “How To” guides
    • produce a license audit
    • produce an SBOM

Q1 2024

  • Add support for other package manager lock file formats
    • ? Python
    • Golang
    • NodeJS
  • More SPDX SBOM fields
    • support for including vendor SBOMs

Beyond

  • Performance improvements

  • Sub-SBOMs for tools

  • TBD

Background reading:

These is for learning about the problem space, and our approach to solutions. Concrete specifications will always appear in checked in code rather than documents.