Skip to content

Commit

Permalink
Update sbom-tools documentation
Browse files Browse the repository at this point in the history
Signed-off-by: Sebastian Schildt <[email protected]>
  • Loading branch information
SebastianSchildt committed Mar 29, 2024
1 parent e45f0b0 commit 4293261
Show file tree
Hide file tree
Showing 2 changed files with 59 additions and 4 deletions.
7 changes: 4 additions & 3 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,9 +7,10 @@ Content of this repository

| Content | Location | Comment |
| ------------ | ----------- | ------------ |
| Official VSS releases in JSON format | [vss](./vss) | Supported by both KUKSA Databroker and KUKSA Server
| KUKSA Example keys and certificates for TLS | [tls](./tls) | Supported by both KUKSA Databroker and KUKSA Server
| KUKSA Databroker Tokens | [jwt](./jwt/) | Not supported by KUKSA Server
| Official VSS releases in JSON format | [vss](./vss) | Supported by both KUKSA Databroker and KUKSA Server |
| KUKSA Example keys and certificates for TLS | [tls](./tls) | Supported by both KUKSA Databroker and KUKSA Server |
| KUKSA Databroker Tokens | [jwt](./jwt/) | Not supported by KUKSA Server |
| SBOM tools | [sbom-tools](./sbom-tools) | Used in CI |

*Note: The tokens supported by KUKSA Server are available in [kuksa.val](https://github.com/eclipse/kuksa.val/tree/master/kuksa_certificates/jwt) repository!*

Expand Down
56 changes: 55 additions & 1 deletion sbom-tools/Readme.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,4 +2,58 @@

Some helper scripts supporting handling and generation of sboms.

You can install this with pip
You can install this with pip like this

```
pip install "git+https://github.com/eclipse-kuksa/kuksa-common.git@main#subdirectory=sbom-tools"
```

For productive deploylments in CI, you should replace `main` with a git tag or a commit hash.

## Tool: collectlicensefiles
This tool will read a CycloneDX SBOM and tries to extract the license text for all found components, collecting them into an output folder.

```
collectlicensefiles --help
usage: collectlicensefiles [-h] [--curation CURATION] [--log-level {DEBUG,INFO,WARNING,ERROR,CRITICAL}] sbom dir
positional arguments:
sbom CycloneDX SBOM in JSON format
dir Output directory
optional arguments:
-h, --help show this help message and exit
--curation CURATION Curation file
--log-level {DEBUG,INFO,WARNING,ERROR,CRITICAL}
Set the log level
```
### Current limitations
The tool requires that the output folder does not exist when it starts up.

Currently the tool copies each license file once, it does currently not create a long file where it explicitely adds a license per component.


### Curations
It is possible to do curations in a YAML file, that is useful when a clean license expression can not be extraced for a specific component, or in case of dual licensed components, only include one of the possible licenses.

This is an exmple of a component curation

```yaml
components:
ring:
expression: "ring AND ISC AND OPENSSL"
```
This makes sure, that in case of a component named `ring`, the ring, ISC and OPENSSL licenses will be copied

This is a generic license expression

```yaml
expressions:
"Apache-2.0 OR MIT": "Apache-2.0"
```

This makes sure, that for any component that is licensed either under Apache-2.0 or MIT license, we choose Apache-2.0 license terms.

> [!WARNING]
> There will be no sanity check whether the mapping is allowed in terms of licenses.

0 comments on commit 4293261

Please sign in to comment.