refactor the crappy sbom generator as an aspect
3 files changed
tree: 815b5e14164407e540981e23e5d0f6e0cbc21729
README.md
rules_license
This repository contains a set of rules and tools for
- declaring metadata about packages, such as
  - the licenses the package is available under
  - the canonical package name and version
  - copyright information
  - ... and more TBD in the future
- gathering license declarations into artifacts to ship with code
- applying organization-specific compliance constraints against the set of packages used by a target.
- producing SBOMs for built artifacts.
WARNING: The code here is still in active initial development and will churn a lot.
Contact
If you want to follow along:
Roadmap
Last update: October 22, 2023
Q4 2023
- Reference implementation for “packages used” tool
  - produce JSON output usable for SBOM generation or other compliance reporting.
- Reference implementation for an SPDX SBOM generator
  - Support for reading bzlmod lock file
  - Support for reading maven lock file
- “How To” guides
  - produce a license audit
  - produce an SBOM
Q1 2024
- Add support for other package manager lock file formats
- More SPDX SBOM fields
  - support for including vendor SBOMs
Beyond
- Performance improvements
- Sub-SBOMs for tools
- TBD
Background reading:
These are for learning about the problem space and our approach to solutions. Concrete specifications will always appear in checked-in code rather than in documents.