Clone this repo:
  1. 696f0ec Merge pull request #143 from shs96c/add-purl by aiuto · 3 days ago main
  2. 4f8f5f2 Add `purl` to the `PackageInfo` provider by Simon Mavi Stewart · 6 days ago
  3. bcffeb0 Release 0.0.8 by Yun Peng · 4 months ago 0.0.8
  4. 0c889ef Add support for package_metadata (#139) by Keith Smiley · 4 months ago
  5. 77bf7ab Merge pull request #127 from bazelbuild/topic/mzeren/import_from_tools by aiuto · 7 months ago


CI: Build status

This repository contains a set of rules and tools for

  • declaring metadata about packages, such as
    • the licenses the package is available under
    • the canonical package name and version
    • copyright information
    • ... and more TBD in the future
  • gathering license declarations into artifacts to ship with code
  • applying organization specific compliance constriants against the set of packages used by a target.
  • producing SBOMs for built artifacts.

WARNING: The code here is still in active initial development and will churn a lot.


If you want to follow along:


Last update: October 22, 2023

Q4 2023

  • Reference implementation for “packages used” tool
    • produce JSON output usable for SBOM generation or other compliance reporting.
  • Reference implementation for an SPDX SBOMM generator
    • Support for reading bzlmod lock file
    • Support for reading maven lock file
  • “How To” guides
    • produce a license audit
    • produce an SBOM

Q1 2024

  • Add support for other package manager lock file formats
    • ? Python
    • Golang
    • NodeJS
  • More SPDX SBOM fields
    • support for including vendor SBOMs


  • Performance improvements

  • Sub-SBOMs for tools

  • TBD

Background reading:

These is for learning about the problem space, and our approach to solutions. Concrete specifications will always appear in checked in code rather than documents.