Add example

Signed-off-by: Sebastian Schildt <[email protected]>
eclipse-kuksa · Apr 4, 2024 · 9e99dfe · 9e99dfe
1 parent 4d960dc
commit 9e99dfe
Show file tree

Hide file tree

Showing 3 changed files with 6,899 additions and 3 deletions.
diff --git a/sbom-tools/README.md b/sbom-tools/README.md
@@ -4,16 +4,17 @@ Some helper scripts supporting handling and generation of sboms.
 
 You can install this with pip like this
 
-```
+```sh
 pip install "git+https://github.com/eclipse-kuksa/kuksa-common.git@main#subdirectory=sbom-tools"
 ```
 
 For productive deploylments in CI, you should replace `main` with a git tag or a commit hash.
 
 ## Tool: collectlicensefiles
+
 This tool will read a CycloneDX SBOM and tries to extract the license text for all found components, collecting them into an output folder.
 
-```
+```txt
 collectlicensefiles --help
 usage: collectlicensefiles [-h] [--curation CURATION] [--log-level {DEBUG,INFO,WARNING,ERROR,CRITICAL}] sbom dir
 
@@ -27,13 +28,15 @@ optional arguments:
   --log-level {DEBUG,INFO,WARNING,ERROR,CRITICAL}
                         Set the log level
 ```
+
 ### Current limitations
+
 The tool requires that the output folder does not exist when it starts up.
 
 Currently the tool copies each license file once, it does currently not create a long file where it explicitely adds a license per component.
 
-
 ### Curations
+
 It is possible to do curations in a YAML file, that is useful when a clean license expression can not be extraced for a specific component, or in case of dual licensed components, only include one of the possible licenses.
 
 This is an exmple of a component curation
@@ -57,3 +60,12 @@ This makes sure, that for any component that is licensed either under Apache-2.0
 
 > [!WARNING]
 > There will be no sanity check whether the mapping is allowed in terms of licenses.
+>
+
+## Example files
+
+You can find example files in [here](./example). You can run them like this
+
+```sh
+collectlicensefiles ../kuksa-common/sbom-tools/example/example.cdx.json --curation ../kuksa-common/sbom-tools/example/example-curation.yaml outputdir
+```
diff --git a/sbom-tools/example/example-curation.yaml b/sbom-tools/example/example-curation.yaml
@@ -0,0 +1,19 @@
+# Example file for thirdparty licenses
+
+components:
+  # ring is based on the standard OpenSSL and BoringSSL
+  # projects, thus licensing of the codebase is complex depending
+  # on parts. This makes sure that except the explanatory text
+  # in ring (and thus in the generated CycloneDX file) are copied
+  # as well as the vanilla text of the ISC and OPENSSL license
+  # OpenSSL seems to be in the process to move to Apache-2.0, but this
+  # may take some time
+  ring:
+    expression: "ring AND ISC AND OPENSSL"
+
+
+expressions:
+    # LLVM exception not relevant for the project, thus in situation
+    # like this we choose to use vanilla Apache-2.0 terms
+    "Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT": "Apache-2.0"
+    "Unlicense OR MIT": "MIT"