commit	bcffeb0c481d178cbee69bdc7e23ef22d3a087b1	[log] [tgz]
author	Yun Peng <pcloudy@google.com>	Wed Jan 24 11:35:44 2024 +0100
committer	Yun Peng <pcloudy@google.com>	Wed Jan 24 11:35:44 2024 +0100
tree	24c886d27c52c5b3ab55282825fa47572b55e9bb
parent	0c889ef1760df8a0d10492b8551488f86da63899 [diff]

tree: 24c886d27c52c5b3ab55282825fa47572b55e9bb

README.md

rules_license

CI:

This repository contains a set of rules and tools for

declaring metadata about packages, such as
- the licenses the package is available under
- the canonical package name and version
- copyright information
- ... and more TBD in the future
gathering license declarations into artifacts to ship with code
applying organization specific compliance constriants against the set of packages used by a target.
producing SBOMs for built artifacts.

WARNING: The code here is still in active initial development and will churn a lot.

Contact

If you want to follow along:

Mailing list: bazel-ssc@bazel.build
Monthly eng meeting: calendar link
Latest docs

Roadmap

Last update: October 22, 2023

Q4 2023

Reference implementation for “packages used” tool
- produce JSON output usable for SBOM generation or other compliance reporting.
Reference implementation for an SPDX SBOMM generator
- Support for reading bzlmod lock file
- Support for reading maven lock file
“How To” guides
- produce a license audit
- produce an SBOM

Q1 2024

Add support for other package manager lock file formats
- ? Python
- Golang
- NodeJS
More SPDX SBOM fields
- support for including vendor SBOMs

Beyond

Performance improvements
Sub-SBOMs for tools
TBD

Background reading:

These is for learning about the problem space, and our approach to solutions. Concrete specifications will always appear in checked in code rather than documents.