Google Git
Sign in
fuchsia / third_party / github.com / bazelbuild / rules_license / refs/heads/main
commitfcc27a07599af4f9a5d43b71758b6b70a808d86d[log] [tgz]
authortonyaiuto <tony.aiuto@gmail.com>Tue Mar 04 23:48:06 2025 -0500
committerGitHub <noreply@github.com>Tue Mar 04 23:48:06 2025 -0500
tree10300357035bfd3360acb900abfbe627e921064b
parent66ca42a20758514bdadeafd377ee0b8e5c627b6b [diff]
parent3bbc0d5bf31fbf515f3adbcd6205161c03d3a8a5 [diff]
Merge pull request #169 from kczulko/patch-1

fix: README.md typo
tree: 10300357035bfd3360acb900abfbe627e921064b
  1. .bazelci/
  2. .github/
  3. admin/
  4. distro/
  5. doc_build/
  6. docs/
  7. examples/
  8. licenses/
  9. rules/
  10. rules_gathering/
  11. sample_reports/
  12. tests/
  13. tools/
  14. .gitignore
  15. BUILD
  16. CODEOWNERS
  17. deps.bzl
  18. LICENSE
  19. MODULE.bazel
  20. README.md
  21. version.bzl
  22. WORKSPACE
  23. WORKSPACE.bzlmod
README.md

rules_license

CI: Build status

This repository contains a set of rules and tools for

  • declaring metadata about packages, such as
    • the licenses the package is available under
    • the canonical package name and version
    • copyright information
    • ... and more TBD in the future
  • gathering license declarations into artifacts to ship with code
  • applying organization specific compliance constraints against the set of packages used by a target.
  • producing SBOMs for built artifacts.

WARNING: The code here is still in active initial development and will churn a lot.

Contact

If you want to follow along:

Roadmap

Last update: October 22, 2023

Q4 2023

  • Reference implementation for “packages used” tool
    • produce JSON output usable for SBOM generation or other compliance reporting.
  • Reference implementation for an SPDX SBOMM generator
    • Support for reading bzlmod lock file
    • Support for reading maven lock file
  • “How To” guides
    • produce a license audit
    • produce an SBOM

Q1 2024

  • Add support for other package manager lock file formats
    • ? Python
    • Golang
    • NodeJS
  • More SPDX SBOM fields
    • support for including vendor SBOMs

Beyond

  • Performance improvements

  • Sub-SBOMs for tools

  • TBD

Background reading:

These is for learning about the problem space, and our approach to solutions. Concrete specifications will always appear in checked in code rather than documents.