From 1fceb84146d768644707f356897552a669b0c5e9 Mon Sep 17 00:00:00 2001 From: Jeroen Knoops Date: Mon, 27 Sep 2021 07:19:49 +0100 Subject: [PATCH 01/17] Analyze script to verify license information from various sources --- scripts/analyze.sh | 157 +++++++++++++++++++++++++++++++++++++++++++++ scripts/shared.yml | 4 ++ 2 files changed, 161 insertions(+) create mode 100755 scripts/analyze.sh create mode 100644 scripts/shared.yml diff --git a/scripts/analyze.sh b/scripts/analyze.sh new file mode 100755 index 0000000..9c43389 --- /dev/null +++ b/scripts/analyze.sh 
@@ -0,0 +1,157 @@ +#!/bin/sh + +################################################################### +# Script to batch-analyze Black Duck component licenses against 3rd +# party metadata. +# +# Optional $1 parameter is the URL of a BOM-Base server +# +# Recipe of this script: +# +# The listed project versions are extracted from Black Duck as SPDX +# files and a tree of Package URLs. The tree of Package URLs is used +# to create a second SPDX file using independent metadata from ClearlyDefined +# and package management repositories. The declared licenses from both +# sources are compared, resulting in a list of all packages and a diff list of +# packages where the declared licenses don't match. These lists are merged +# across all projects, and separate lists are extracted for specific package +# types (e.g. Maven, NuGet, NPM). These lists provide an indications of the +# license diffs per type of development environment. +################################################################### +set -e + +BLACKDUCK_PROJECT="blackduck-project" +BLACKDUCK_VERSION="blackduck-version" +FILENAME="analyse-output-filename" + +function info () { + echo " +================================================================================================ " + echo " | ${1}" + echo " +------------------------------------------------------------------------------------------------ " +} + +function checkEnvironmentVariables () { + info "Check Environment Variables" + if [ -z $BLACKDUCK_API_TOKEN ]; then + echo " | BLACKDUCK_API_TOKEN is not set" + exit 1 + fi + + if [ -z $BLACKDUCK_URL ]; then + echo " | BLACKDUCK_URL is not set" + exit 1 + fi +} + +checkEnvironmentVariables + +BOM_BASE_URL="http://localhost:8080" +if [ "$1" ]; then + BOM_BASE_URL=$1 +fi + +function checkBOMBaseAvailable () { + info "Check BOMBase is running" + # Aborts if BOM-Base server cannot be reached + if [ $(curl --write-out '%{http_code}' --head --silent --output /dev/null $BOM_BASE_URL/packages) -ne 200 ]; then 
+ echo " | Could not reach BOM-Base at URL $BOM_BASE_URL (see https://github.com/philips-software/bom-base)" + exit 1 + fi +} + +checkBOMBaseAvailable + +# Aborts if the specified tool is not installed +# $1 is the command name +# $2 is a link to installation instructions for the tool +function checkInstalled () { + if ! type $1 &> /dev/null; then + echo "Requires '$1' (see $2)" + exit 1 + fi +} + +info "Check Installed tools" + +# Ensure the required tools are installed +checkInstalled spdx-builder https://github.com/philips-software/spdx-builder +checkInstalled bompare https://github.com/philips-labs/bompare + +# Extracts an SPDX and tree file from a Black Duck project. +# $1 is the Black Duck project +# $2 is the Black Duck project version +# $3 is the nick name +function exportFromBD () { + if [ -f "$3.spdx" ] && [ -f "$3.tree" ]; then + echo " | Skipping Black Duck export for $1 $2; files already exist" + else + echo " | Exporting $3 could take a while..." + spdx-builder blackduck $1 $2 -o "$3.spdx" --tree > "$3.tree" 2>&1 + fi +} + +# Builds an SPDX file from a tree file. +# $1 is the nick name +function buildFromTree () { + echo " | Building $1 from tree..." + cat $1.tree | spdx-builder tree --format purl --config "shared.yml" --bombase $BOM_BASE_URL --force -o "$1-tree.spdx" +} + +# Lists differences between Black Duck and tree SPDX files. +# $1 is the nick name +function licensesDiff () { + bompare licenses --spdx-tag-value "$1.spdx" --spdx-tag-value "$1-tree.spdx" --out "$1-diff.csv" --diffOnly +} + +# Lists all packages in the Black Duck SPDX output. 
+# $1 is the nick name +function listPackages() { + echo " | list Packages" + bompare bom --spdx-tag-value "$1.spdx" --out "$1-all.csv" +} + +# Start with and empty list of projects +ALL=() + +# Processes a single project +# $1 is the Black Duck project +# $2 is the Black Duck project version +# $3 is the nick name +function blackduck () { + info "Blackduck function $1 $2 $3" + exportFromBD $1 $2 $3 + listPackages $3 + buildFromTree $3 + licensesDiff $3 + ALL+=( $3 ) +} + +# Collect and process per Black Duck project version +blackduck $BLACKDUCK_PROJECT $BLACKDUCK_VERSION $FILENAME + +# Truncate totals files +rm -f packages.csv +rm -f diffs.csv + +# Merge packages of all projects +for PROJECT in ${ALL[@]}; do + cat "$PROJECT-all.csv" >> packages.csv + cat "$PROJECT-diff.csv" >> diffs.csv +done +sort -u "packages.csv" -o "packages.csv" +sort -u "diffs.csv" -o "diffs.csv" + +# Extracts a package type from the diffs +# $1 is the group name +function extractType () { + grep "^\"pkg:$1/" packages.csv > "$1-packages.csv" + PACKAGES=$(grep -c ^ "$1-packages.csv") + grep "^\"pkg:$1/" diffs.csv > "$1-diffs.csv" + DIFFS=$(grep -c ^ "$1-diffs.csv") + echo "Type $1 totals $PACKAGES with $DIFFS license mismatches" +} + +extractType nuget +extractType npm +extractType maven +extractType pypi diff --git a/scripts/shared.yml b/scripts/shared.yml new file mode 100644 index 0000000..94ba321 --- /dev/null +++ b/scripts/shared.yml @@ -0,0 +1,4 @@ +document: + title: Sample SPDX SBOM for analysis + organization: Philips Research + comment: "*** This is NOT a production SBOM ***" From 23c4c641b7561a26cba4c4c6c3262ac03eaf3f80 Mon Sep 17 00:00:00 2001 
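Review bot: In extractType, `grep "^\"pkg:$1/" packages.csv > "$1-packages.csv"` and `PACKAGES=$(grep -c ^ "$1-packages.csv")` both exit 1 when nothing matches, so under `set -e` the script aborts on the first package type with zero packages or zero diffs and the remaining extractType calls never run. Tolerate the empty case explicitly, e.g. `grep "^\"pkg:$1/" packages.csv > "$1-packages.csv" || true` and `PACKAGES=$(grep -c ^ "$1-packages.csv" || true)` (same for the diffs pair); the identical block is carried into scripts/analyze-all.sh by patch 04 and needs the same change there. Separately, exportFromBD runs `spdx-builder ... --tree > "$3.tree" 2>&1`, which writes any stderr warnings into the tree file that buildFromTree later feeds to `spdx-builder tree`, so stderr should stay on the terminal or go to a separate log file.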
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 18 Oct 2021 08:05:54 +0000 Subject: [PATCH 02/17] chore(deps-dev): Bump equalsverifier from 3.7.1 to 3.7.2 Bumps [equalsverifier](https://github.com/jqno/equalsverifier) from 3.7.1 to 3.7.2. - [Release notes](https://github.com/jqno/equalsverifier/releases) - [Changelog](https://github.com/jqno/equalsverifier/blob/main/CHANGELOG.md) - [Commits](https://github.com/jqno/equalsverifier/compare/equalsverifier-3.7.1...equalsverifier-3.7.2) --- updated-dependencies: - dependency-name: nl.jqno.equalsverifier:equalsverifier dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 80ecb6e..ef94c9b 100644 --- a/pom.xml +++ b/pom.xml @@ -79,7 +79,7 @@ nl.jqno.equalsverifier equalsverifier - 3.7.1 + 3.7.2 test From 463daebf0f3c3b5899e81af7cc1af1449735efe9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 25 Oct 2021 08:05:22 +0000 Subject: [PATCH 03/17] chore(deps): Bump spring-boot-starter-parent from 2.5.5 to 2.5.6 Bumps [spring-boot-starter-parent](https://github.com/spring-projects/spring-boot) from 2.5.5 to 2.5.6. - [Release notes](https://github.com/spring-projects/spring-boot/releases) - [Commits](https://github.com/spring-projects/spring-boot/compare/v2.5.5...v2.5.6) --- updated-dependencies: - dependency-name: org.springframework.boot:spring-boot-starter-parent dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index ef94c9b..610b363 100644 --- a/pom.xml +++ b/pom.xml @@ -5,7 +5,7 @@ org.springframework.boot spring-boot-starter-parent - 2.5.5 + 2.5.6 com.philips.research 
From 96106bd9318f6b69bce5dda3c37404137b08a38e Mon Sep 17 00:00:00 2001 From: Jeroen Knoops Date: Mon, 1 Nov 2021 08:52:38 +0100 Subject: [PATCH 04/17] Split script to make it possible to scan multiple projects. --- scripts/analyze-all.sh | 85 ++++++++++++++++++++++++++++++++++++++++++ scripts/analyze.sh | 53 +++++--------------------- 2 files changed, 94 insertions(+), 44 deletions(-) create mode 100755 scripts/analyze-all.sh diff --git a/scripts/analyze-all.sh b/scripts/analyze-all.sh new file mode 100755 index 0000000..ba03152 --- /dev/null +++ b/scripts/analyze-all.sh 
@@ -0,0 +1,85 @@ +#!/usr/bin/env bash + +################################################################### +# Script to batch-analyze Black Duck component licenses against 3rd +# party metadata. +# +# Optional $1 parameter is the URL of a BOM-Base server +# +# Recipe of this script: +# +# The listed project versions are extracted from Black Duck as SPDX +# files and a tree of Package URLs. The tree of Package URLs is used +# to create a second SPDX file using independent metadata from ClearlyDefined +# and package management repositories. The declared licenses from both +# sources are compared, resulting in a list of all packages and a diff list of +# packages where the declared licenses don't match. These lists are merged +# across all projects, and separate lists are extracted for specific package +# types (e.g. Maven, NuGet, NPM). These lists provide an indications of the +# license diffs per type of development environment. +################################################################### +set -e + +readonly projects=( + 'blackduck-project|blackduck-version|analyse-output-filename' + 'blackduck-project-2|blackduck-version-2|analyse-output-filename-2' +) + +function info () { + echo " +================================================================================================ " + echo " | ${1}" + echo " +------------------------------------------------------------------------------------------------ " +} + +# Start with and empty list of projects +ALL=() + +# Processes a single project +# $1 is the Black Duck project +# $2 is the Black Duck project version +# $3 is the nick name +# $4 is the BomBase url +function blackduck () { + ./analyze.sh $1 $2 $3 $4 + ALL+=( $3 ) +} + +function scan_projects () { + local project version filename + for fields in ${projects[@]} + do + IFS=$'|' read -r project version filename <<< "$fields" + # Collect and process per Black Duck project version + blackduck "$project" "$version" "$filename" "$1" + done +} + 
+scan_projects + +# Truncate totals files +rm -f packages.csv +rm -f diffs.csv + +# Merge packages of all projects +for PROJECT in ${ALL[@]}; do + cat "$PROJECT-all.csv" >> packages.csv + cat "$PROJECT-diff.csv" >> diffs.csv +done +§ +sort -u "packages.csv" -o "packages.csv" +sort -u "diffs.csv" -o "diffs.csv" + +# Extracts a package type from the diffs +# $1 is the group name +function extractType () { + grep "^\"pkg:$1/" packages.csv > "$1-packages.csv" + PACKAGES=$(grep -c ^ "$1-packages.csv") + grep "^\"pkg:$1/" diffs.csv > "$1-diffs.csv" + DIFFS=$(grep -c ^ "$1-diffs.csv") + echo "Type $1 totals $PACKAGES with $DIFFS license mismatches" +} + +extractType nuget +extractType npm +extractType maven +extractType pypi diff --git a/scripts/analyze.sh b/scripts/analyze.sh index 9c43389..355bd6e 100755 --- a/scripts/analyze.sh +++ b/scripts/analyze.sh @@ -4,7 +4,10 @@ # Script to batch-analyze Black Duck component licenses against 3rd # party metadata. # -# Optional $1 parameter is the URL of a BOM-Base server +# Mandatory $1 Blackduck project +# Mandatory $2 Blackduck version +# Mandatory $3 filename +# Optional $4 parameter is the URL of a BOM-Base server # # Recipe of this script: # 
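Review bot: blackduck invokes `./analyze.sh`, which resolves against the caller's current directory rather than the script's own location, so analyze-all.sh only works when started from inside scripts/ and otherwise fails with "No such file or directory" under `set -e`; `"$(dirname "$0")/analyze.sh" "$1" "$2" "$3" "$4"` locates the sibling script regardless of where the wrapper is launched from. The `info` helper is defined here but does not appear to be called anywhere in this file, so it can be dropped from the wrapper. The grep exit-status problem in extractType is the same as in the analyze.sh version introduced by patch 01 and is noted there.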
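Review bot: The header now declares `$1`, `$2` and `$3` mandatory, but the script never checks that they were supplied; a missing argument is only noticed once spdx-builder is invoked with an empty project or version in the `blackduck $1 $2 $3` call at the end of the file (outside this hunk). Add a guard right after the header, e.g. `[ $# -ge 3 ] || { echo "Usage: $0 <project> <version> <filename> [bom-base-url]" >&2; exit 2; }`, so the usage error is reported before any export is attempted.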
@@ -13,17 +16,10 @@ # to create a second SPDX file using independent metadata from ClearlyDefined # and package management repositories. The declared licenses from both # sources are compared, resulting in a list of all packages and a diff list of -# packages where the declared licenses don't match. These lists are merged -# across all projects, and separate lists are extracted for specific package -# types (e.g. Maven, NuGet, NPM). These lists provide an indications of the -# license diffs per type of development environment. +# packages where the declared licenses don't match. ################################################################### set -e -BLACKDUCK_PROJECT="blackduck-project" -BLACKDUCK_VERSION="blackduck-version" -FILENAME="analyse-output-filename" - function info () { echo " +================================================================================================ " echo " | ${1}" @@ -46,8 +42,8 @@ function checkEnvironmentVariables () { checkEnvironmentVariables BOM_BASE_URL="http://localhost:8080" -if [ "$1" ]; then - BOM_BASE_URL=$1 +if [ "$4" ]; then + BOM_BASE_URL=$4 fi function checkBOMBaseAvailable () { @@ -107,12 +103,9 @@ function licensesDiff () { # $1 is the nick name function listPackages() { echo " | list Packages" - bompare bom --spdx-tag-value "$1.spdx" --out "$1-all.csv" + bompare bom --spdx-tag-value "$1.spdx" --out "$1-all.csv" } -# Start with and empty list of projects -ALL=() - # Processes a single project # $1 is the Black Duck project # $2 is the Black Duck project version 
@@ -123,35 +116,7 @@ function blackduck () { listPackages $3 buildFromTree $3 licensesDiff $3 - ALL+=( $3 ) } # Collect and process per Black Duck project version -blackduck $BLACKDUCK_PROJECT $BLACKDUCK_VERSION $FILENAME - -# Truncate totals files -rm -f packages.csv -rm -f diffs.csv - -# Merge packages of all projects -for PROJECT in ${ALL[@]}; do - cat "$PROJECT-all.csv" >> packages.csv - cat "$PROJECT-diff.csv" >> diffs.csv -done -sort -u "packages.csv" -o "packages.csv" -sort -u "diffs.csv" -o "diffs.csv" - -# Extracts a package type from the diffs -# $1 is the group name -function extractType () { - grep "^\"pkg:$1/" packages.csv > "$1-packages.csv" - PACKAGES=$(grep -c ^ "$1-packages.csv") - grep "^\"pkg:$1/" diffs.csv > "$1-diffs.csv" - DIFFS=$(grep -c ^ "$1-diffs.csv") - echo "Type $1 totals $PACKAGES with $DIFFS license mismatches" -} - -extractType nuget -extractType npm -extractType maven -extractType pypi +blackduck $1 $2 $3 From 978febcf5a04eb2f914128aaae681abe2e39113f Mon Sep 17 00:00:00 2001 From: Jeroen Knoops Date: Wed, 3 Nov 2021 08:53:35 +0100 Subject: [PATCH 05/17] add analyze-all script to run analyze on multiple projects and aggregate the results Co-authored-by: Brend Smits --- scripts/analyze-all.sh | 16 +++++++++++----- scripts/analyze.sh | 18 +++++++++--------- 2 files changed, 20 insertions(+), 14 deletions(-) diff --git a/scripts/analyze-all.sh b/scripts/analyze-all.sh index ba03152..0010f8b 100755 --- a/scripts/analyze-all.sh +++ b/scripts/analyze-all.sh @@ -20,6 +20,12 @@ ################################################################### set -e + +BOM_BASE_URL="http://localhost:8080" +if [ "$1" ]; then + BOM_BASE_URL=$1 +fi + readonly projects=( 'blackduck-project|blackduck-version|analyse-output-filename' 'blackduck-project-2|blackduck-version-2|analyse-output-filename-2' 
@@ -40,17 +46,17 @@ ALL=() # $3 is the nick name # $4 is the BomBase url function blackduck () { - ./analyze.sh $1 $2 $3 $4 + ./analyze.sh "$1" "$2" "$3" "$4" ALL+=( $3 ) } function scan_projects () { local project version filename - for fields in ${projects[@]} + for fields in "${projects[@]}" do IFS=$'|' read -r project version filename <<< "$fields" # Collect and process per Black Duck project version - blackduck "$project" "$version" "$filename" "$1" + blackduck "$project" "$version" "$filename" "$BOM_BASE_URL" done } @@ -61,11 +67,11 @@ rm -f packages.csv rm -f diffs.csv # Merge packages of all projects -for PROJECT in ${ALL[@]}; do +for PROJECT in "${ALL[@]}"; do cat "$PROJECT-all.csv" >> packages.csv cat "$PROJECT-diff.csv" >> diffs.csv done -§ + sort -u "packages.csv" -o "packages.csv" sort -u "diffs.csv" -o "diffs.csv" diff --git a/scripts/analyze.sh b/scripts/analyze.sh index 355bd6e..edd318e 100755 --- a/scripts/analyze.sh +++ b/scripts/analyze.sh @@ -1,4 +1,4 @@ -#!/bin/sh +#!/usr/bin/env bash ################################################################### # Script to batch-analyze Black Duck component licenses against 3rd @@ -28,12 +28,12 @@ function info () { function checkEnvironmentVariables () { info "Check Environment Variables" - if [ -z $BLACKDUCK_API_TOKEN ]; then + if [ -z "$BLACKDUCK_API_TOKEN" ]; then echo " | BLACKDUCK_API_TOKEN is not set" exit 1 fi - if [ -z $BLACKDUCK_URL ]; then + if [ -z "$BLACKDUCK_URL" ]; then echo " | BLACKDUCK_URL is not set" exit 1 fi @@ -111,12 +111,12 @@ function listPackages() { # $2 is the Black Duck project version # $3 is the nick name function blackduck () { - info "Blackduck function $1 $2 $3" - exportFromBD $1 $2 $3 - listPackages $3 - buildFromTree $3 - licensesDiff $3 + info "Blackduck function "$1" "$2" "$3"" + exportFromBD "$1" "$2" "$3" + listPackages "$3" + buildFromTree "$3" + licensesDiff "$3" } # Collect and process per Black Duck project version -blackduck $1 $2 $3 +blackduck "$1" "$2" "$3" 
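Review bot: In the `@@ -111,12 +111,12 @@` hunk of analyze.sh, `info "Blackduck function "$1" "$2" "$3""` does not actually quote the parameters: each inner `"` closes and reopens the string, leaving `$1`, `$2` and `$3` unquoted and subject to word splitting and globbing while looking quoted at a glance. The intended line is `info "Blackduck function $1 $2 $3"`. The `@@ -40,17 +46,17 @@` hunk of analyze-all.sh leaves the same gap: `ALL+=( $3 )` should be `ALL+=( "$3" )`, otherwise a nick name containing whitespace is split into several entries that the merge loop later treats as separate file names.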
From 6294eee73e9962e37d27b43107f9a0782ad484aa Mon Sep 17 00:00:00 2001 From: Jeroen Knoops Date: Sun, 21 Nov 2021 08:45:51 +0100 Subject: [PATCH 06/17] add curate scripts --- scripts/curate-licenses.sh | 224 +++++++++++++++++++++++++++++++++++++ scripts/curate-packages.sh | 200 +++++++++++++++++++++++++++++++++ 2 files changed, 424 insertions(+) create mode 100755 scripts/curate-licenses.sh create mode 100755 scripts/curate-packages.sh diff --git a/scripts/curate-licenses.sh b/scripts/curate-licenses.sh new file mode 100755 index 0000000..180b034 --- /dev/null +++ b/scripts/curate-licenses.sh 
@@ -0,0 +1,224 @@ +#!/bin/sh + +################################################################### +# Script to manually curate licenses in BOM-Base using the REST API. +# Optional $1 parameter specifies BOM-Base server (defaults to local). +################################################################### + +set -e + +BOM_BASE_URL="http://localhost:8080" +if [ "$1" ]; then + BOM_BASE_URL=$1 +fi + +# Aborts if BOM-Base server cannot be reached +if [ $(curl --write-out '%{http_code}' --head --silent --output /dev/null $BOM_BASE_URL/packages) -ne 200 ]; then + echo "Could not reach BOM-Base at URL $BOM_BASE_URL (see https://github.com/philips-software/bom-base)" + exit 1 +fi + +################################################################### +# Curates a license URL +# $1 holds the license URL +# $2 holds the license for the URL +################################################################### +function curateURL() { + curl --request POST -sS -H 'Content-Type: application/json' \ + -d "{\"license\":\"$1\",\"curation\":\"$2\"}" \ + "$BOM_BASE_URL/licenses" > /dev/null +} + +################################################################### +# Append all curations here: +# (Don't forget to use the proper quotes) +################################################################### +curateURL 'http://developer.apple.com/library/mac/#samplecode/AppleJavaExtensions/Listings/README_txt.html#//apple_ref/doc/uid/DTS10000677-README_txt-DontLinkElementID_3' 'AppleJavaExtensions-proprietary' +curateURL 'http://www-128.ibm.com/developerworks/library/os-cpl.html' 'CPL-1.0' +curateURL 'http://www-128.ibm.com/developerworks/library/os-cpl.html0' 'CPL-1.0' +curateURL 'http://www-128.ibm.com/developerworks/library/os-cpl.html1' 'CPL-1.0' +curateURL 'http://www.gnu.org/copyleft/gpl.html' 'GPL-2.0-or-later' +curateURL 'http://www.gnu.org/licenses/gpl.txt' 'GPL-3.0-or-later' +curateURL 'https://www.eclipse.org/legal/epl-2.0/' 'EPL-2.0' +curateURL 
'http://www.eclipse.org/org/documents/epl-v10.php' 'EPL-1.0' +curateURL 'https://www.eclipse.org/legal/epl-2.0' 'EPL-2.0' +curateURL 'http://www.apache.org/license/LICENSE-2.0.txt' 'Apache-2.0' +curateURL 'https://spdx.org/licenses/Apache-2.0' 'Apache-2.0' +curateURL 'https://www.apache.org/licenses/LICENSE-2.0.txt' 'Apache-2.0' +curateURL 'https://licenses.nuget.org/MS-PL%2520OR%2520Apache-2.0' 'MS-PL OR Apache-2.0' +curateURL 'https://licenses.nuget.org/MS-PL%20OR%20Apache-2.0' 'MS-PL OR Apache-2.0' +curateURL 'http://www.apache.org/licenses/LICENSE-2.0' 'Apache-2.0' +curateURL 'https://www.apache.org/licenses/LICENSE-2.0' 'Apache-2.0' +curateURL 'http://www.apache.org/licenses' 'Apache-2.0' +curateURL 'http://www.apache.org/licenses/' 'Apache-2.0' +curateURL 'https://spdx.org/licenses/Apache-2.0' 'Apache-2.0' +curateURL 'https://aws.amazon.com/apache2.0' 'Apache-2.0' +curateURL 'http://www.bouncycastle.org/licence.html' 'MIT' +curateURL 'http://www.bouncycastle.org/licence.html0' 'MIT' +curateURL 'http://www.bouncycastle.org/licence.html1' 'MIT' +curateURL 'http://www.bouncycastle.org/licence.html2' 'MIT' +curateURL 'http://www.bouncycastle.org/licence.html3' 'MIT' +curateURL 'http://www.bouncycastle.org/licence.html4' 'MIT' +curateURL 'http://www.bouncycastle.org/licence.html5' 'MIT' +curateURL 'http://www.bouncycastle.org/licence.html6' 'MIT' +curateURL 'http://www.bouncycastle.org/licence.html7' 'MIT' +curateURL 'http://www.bouncycastle.org/licence.html8' 'MIT' +curateURL 'http://www.bouncycastle.org/licence.html9' 'MIT' +curateURL 'http://creativecommons.org/publicdomain/zero/1.0/' 'CC0-1.0' +curateURL 'http://creativecommons.org/publicdomain/zero/1.0/0' 'CC0-1.0' +curateURL 'https://creativecommons.org/publicdomain/zero/1.0/' 'CC0-1.0' +curateURL 'https://creativecommons.org/publicdomain/zero/1.0/0' 'CC0-1.0' +curateURL 'https://creativecommons.org/publicdomain/zero/1.0/1' 'CC0-1.0' +curateURL 'https://creativecommons.org/publicdomain/zero/1.0/2' 'CC0-1.0' 
+curateURL 'https://creativecommons.org/publicdomain/zero/1.0/3' 'CC0-1.0' +curateURL 'https://creativecommons.org/publicdomain/zero/1.0/4' 'CC0-1.0' +curateURL 'https://creativecommons.org/publicdomain/zero/1.0/5' 'CC0-1.0' +curateURL 'https://creativecommons.org/publicdomain/zero/1.0/6' 'CC0-1.0' +curateURL 'https://creativecommons.org/publicdomain/zero/1.0/7' 'CC0-1.0' +curateURL 'https://creativecommons.org/publicdomain/zero/1.0/8' 'CC0-1.0' +curateURL 'https://creativecommons.org/publicdomain/zero/1.0/9' 'CC0-1.0' +curateURL 'http://www.gnu.org/licenses/gpl-2.0.txt' 'GPL-2.0-only' +curateURL 'https://www.gnu.org/licenses/gpl-2.0.txt' 'GPL-2.0-only' +curateURL 'http://www.gnu.org/licenses/lgpl-2.1.html' 'LGPL-2.1-only' +curateURL 'https://www.gnu.org/licenses/old-licenses/lgpl-2.1.en.html' 'LGPL-2.1-only' +curateURL 'http://www.gnu.org/licenses/lgpl.html' 'LGPL-3.0-or-later' +curateURL 'http://glassfish.java.net/public/CDDL+GPL_1_1.html' 'CDDL-1.1 OR GPL-2.0-only' +curateURL 'https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html' 'CDDL-1.1 OR GPL-2.0-only' +curateURL 'https://glassfish.dev.java.net/nonav/public/CDDL+GPL.html' 'CDDL-1.1 OR GPL-2.0-only' +curateURL ' https://glassfish.dev.java.net/public/CDDLv1.0.html' 'CDDL-1.0' +curateURL 'http://www.mozilla.org/MPL/MPL-1.0.txt' 'MPL-1.0' +curateURL 'https://www.mozilla.org/MPL/MPL-1.1.txt' 'MPL-1.1' +curateURL 'http://www.mozilla.org/MPL/2.0/' 'MPL-2.0' +curateURL 'http://www.wtfpl.net/' 'WTFPL' +curateURL 'https://spdx.org/licenses/BSD 2-Clause#licenseText' 'BSD-2-Clause' +curateURL 'http://aws.amazon.com/apache2.0/' 'Apache-2.0' +curateURL 'http://go.microsoft.com/fwlink/?LinkID=262998' 'Microsoft .NET Library License' +curateURL 'http://go.microsoft.com/fwlink/?LinkId=329770' 'Microsoft .NET Library License' +curateURL 'http://go.microsoft.com/fwlink/?LinkId=3297700' 'Microsoft .NET Library License' +curateURL 'http://go.microsoft.com/fwlink/?LinkId=3297701' 'Microsoft .NET Library License' +curateURL 
'http://go.microsoft.com/fwlink/?LinkId=3297702' 'Microsoft .NET Library License' +curateURL 'http://go.microsoft.com/fwlink/?LinkId=3297703' 'Microsoft .NET Library License' +curateURL 'http://go.microsoft.com/fwlink/?LinkId=3297704' 'Microsoft .NET Library License' +curateURL 'http://go.microsoft.com/fwlink/?LinkId=529443' 'Microsoft .NET Library License' +curateURL 'http://go.microsoft.com/fwlink/?linkid=833178' 'Microsoft .NET Library License' +curateURL 'http://www.microsoft.com/web/webpi/eula/aspnetcomponent_rtw_ENU.htm' 'Microsoft .NET Library License' +curateURL 'http://www.microsoft.com/web/webpi/eula/net_library_eula_ENU.htm' 'Microsoft .NET Library License' +curateURL 'https://webpifeed.blob.core.windows.net/webpifeed/eula/net_library_eula_enu.htm' 'Microsoft .NET Library License' +curateURL 'http://go.microsoft.com/fwlink/?LinkID=214339' 'Microsoft ASP.NET Library License' +curateURL 'https://licenses.nuget.org/MIT' 'MIT' +curateURL 'https://github.com/dotnet/corefx/blob/master/LICENSE.TXT' 'MIT' +curateURL 'https://www.mozilla.org/en-US/MPL/MPL-1.1.txt' 'MPL-1.1' +curateURL 'https://spdx.org/licenses/BSD' 'BSD-3-Clause' +curateURL 'https://spdx.org/licenses/MIT' 'MIT' +curateURL 'http://www.sun.com/cddl/cddl.html' 'CDDL-1.0' +curateURL 'https://opensource.org/licenses/MPL-2.0' 'MPL-2.0' +curateURL 'https://aka.ms/deprecateLicenseUrl' '' +curateURL 'http://opensource.org/licenses/ms-pl.html' 'MS-PL' +curateURL 'http://www.opensource.org/licenses/ms-pl' 'MS-PL' +curateURL 'http://opensource.org/licenses/MIT' 'MIT' +curateURL 'https://opensource.org/licenses/mit-license.php' 'MIT' +curateURL 'http://www.opensource.org/licenses/mit-license.php' 'MIT' +curateURL 'http://mpdreamz.mit-license.org/' 'MIT' +curateURL 'http://www.fsf.org/licensing/licenses/agpl-3.0.html' 'AGPL-3.0' +curateURL 'http://www.mozilla.org/MPL/MPL-1.1.txt' 'MPL-1.1' +curateURL 'https://www.gnu.org/software/classpath/license.html' 'GPL-2.0-or-later WITH Classpath-exception-2.0' 
+curateURL 'http://repository.jboss.org/licenses/gpl-2.0-ce.txt' 'GPL-2.0-or-later WITH Classpath-exception-2.0' +curateURL 'http://www.gnu.org/licenses/gpl-3.0-standalone.html' 'GPL-3.0-only' +curateURL 'https://opensource.org/licenses/MIT' 'MIT' +curateURL 'http://www.eclipse.org/legal/epl-2.0' 'EPL-2.0' +curateURL 'http://opensource.org/licenses/mit-license.php' 'MIT' +curateURL 'http://www.gnu.org/licenses/licenses.html' '' +curateURL 'http://opensource.org/licenses/BSD-3-Clause' 'BSD-3-Clause' +curateURL 'http://www.apache.org/licenses/LICENSE-2.0.txt' 'Apache-2.0' +curateURL 'http://www.apache.org/licenses/LICENSE-2.0.html' 'Apache-2.0' +curateURL 'http://www.gnu.org/licenses/gpl.html' 'GPL-3.0-or-later' +curateURL 'https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/master/LICENSE.txt' 'MIT' +curateURL 'http://www.eclipse.org/org/documents/edl-v10.php' 'BSD-3-Clause' +curateURL 'https://licenses.nuget.org/BSD-3-Clause' 'BSD-3-Clause' +curateURL 'https://www.gnu.org/licenses/lgpl-2.0.html' 'LGPL-2.0i-only' +curateURL 'pkg:maven/com.rabbitmq/http-client@1.0.0.M1' 'Apache-2.0' +curateURL 'pkg:maven/com.sendgrid/sendgrid-java@4.6.2' 'MIT' +curateURL 'pkg:maven/com.vlkan.log4j2/log4j2-logstash-layout@0.10' 'GPL-3.0-or-later' +curateURL 'pkg:maven/io.springfox.ui/springfox-swagger-ui-rfc6570@1.0.0' 'Apache-2.0' +curateURL 'pkg:maven/io.takari/maven-wrapper@0.1.2' 'EPL-1.0' +curateURL 'pkg:maven/junit/junit@4.11' 'CPL-1.0' +curateURL 'pkg:maven/org.assertj/assertj-core@2.6.0' 'Apache-2.0' +curateURL 'pkg:maven/org.dom4j/dom4j@2.1.0' 'DOM4J' +curateURL 'pkg:maven/org.dom4j/dom4j@2.1.3' 'DOM4J' +curateURL 'pkg:maven/org.gradle/gradle-base-annotations@6.5.1' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-base-services@4.0-milestone-1' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-base-services@5.5.1' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-base-services@6.1-milestone-3' 'Apache-2.0' +curateURL 
'pkg:maven/org.gradle/gradle-bootstrap@5.6.2' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-build-cache-base@6.5.1' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-build-cache-packaging@6.5.1' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-build-cache@6.1-milestone-3' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-cli@6.1.1' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-core-api@6.1.1' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-core@3.5.1' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-core@6.1.1' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-execution@6.1-rc-3' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-files@6.5.1' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-hashing@6.5.1' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-ide-native@6.0.1' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-ide-play@6.1' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-ide@6.1.1' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-installation-beacon@5.6.4' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-ivy@5.6.2' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-javascript@5.6.1' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-jvm-services@6.0.1' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-kotlin-dsl-tooling-models@6.1-milestone-3' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-language-java@6.1-milestone-1' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-language-java@6.1.1' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-language-native@6.1.1' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-language-scala@6.0.1' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-launcher@6.1-rc-1' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-logging@3.5.1' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-logging@6.1.1' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-maven@5.6.2' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-messaging@3.5' 
'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-messaging@6.0.1' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-model-core@6.1.1' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-model-groovy@6.1-milestone-2' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-native@6.1.1' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-normalization-java@6.5.1' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-platform-base@6.1.1' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-platform-jvm@5.6.1' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-platform-native@6.1.1' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-platform-play@6.0.1' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-plugin-use@6.1-rc-1' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-plugins@6.1.1' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-publish@5.6.2' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-reporting@6.1.1' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-resources-gcs@6.1.1' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-resources-http@6.0-rc-2' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-resources-s3@6.1-rc-2' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-resources-sftp@6.0.1' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-resources@6.1.1' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-runtime-api-info@6.1-milestone-2' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-scala@6.1.1' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-signing@5.6.2' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-snapshots@6.5.1' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-test-kit@6.1.1' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-testing-base@6.1.1' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-testing-junit-platform@6.1.1' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-testing-jvm@6.1.1' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-testing-native@6.0.1' 'Apache-2.0' 
+curateURL 'pkg:maven/org.gradle/gradle-tooling-api-builders@6.1.1' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-tooling-api@3.5.1' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-tooling-native@6.0.1' 'Apache-2.0' +curateURL 'pkg:maven/org.gradle/gradle-version-control@6.1-milestone-2' 'Apache-2.0' +curateURL 'pkg:maven/org.jacoco/jacoco@0.8.5' 'EPL-2.0' +curateURL 'pkg:maven/org.mockito/mockito-all@1.10.19' 'MIT' +curateURL 'pkg:maven/org.mockito/mockito-core@2.28.2' 'MIT' +curateURL 'pkg:maven/org.mockito/mockito-core@3.1.0' 'MIT' +curateURL 'pkg:maven/org.projectlombok/lombok@1.16.14' 'MIT' +curateURL 'pkg:maven/org.projectlombok/lombok@1.16.16' 'MIT' +curateURL 'pkg:maven/org.projectlombok/lombok@1.18.10' 'MIT' +curateURL 'pkg:maven/org.projectlombok/lombok@1.18.12' 'MIT' +curateURL 'pkg:maven/org.projectlombok/lombok@1.18.16' 'MIT' +curateURL 'pkg:maven/org.testng/testng@6.9.10' 'Apache-2.0' +curateURL 'pkg:maven/org.webjars.bower/angular-chart.js@0.8.8' 'BSD-3-Clause' +curateURL 'pkg:maven/redis.clients/jedis@2.10.2' 'MIT' +curateURL 'pkg:maven/redis.clients/jedis@2.9.0' 'MIT' +curateURL 'pkg:maven/xalan/xalan@2.7.2' 'Apache-2.0' diff --git a/scripts/curate-packages.sh b/scripts/curate-packages.sh new file mode 100755 index 0000000..21b6c42 --- /dev/null +++ b/scripts/curate-packages.sh 
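Review bot: `curateURL` posts with `curl --request POST -sS` but without `--fail`, so a 4xx/5xx response from BOM-Base is discarded to /dev/null and the script reports success even when a curation was rejected; add `--fail` (or `--fail-with-body` on newer curl) so `set -e` stops at the first rejected entry. The JSON body is assembled by string interpolation (`-d "{\"license\":\"$1\",\"curation\":\"$2\"}"`), which yields malformed or mis-parsed JSON as soon as a value contains `"` or `\`; the values are literals in this script today, but building the body with `jq -n --arg license "$1" --arg curation "$2" '{license:$license,curation:$curation}'` would make the helper safe to reuse. Two entries look like data errors: `'LGPL-2.0i-only'` for the lgpl-2.0.html URL is not an SPDX identifier (presumably `LGPL-2.0-only`), and the CDDLv1.0.html entry has a leading space inside the quoted URL. The run of `curateURL 'pkg:maven/...'` lines sends Package URLs to the `/licenses` endpoint, which given the function's own comment ("$1 holds the license URL") looks like it belongs in curate-packages.sh instead — worth confirming against the BOM-Base API. Finally, the file is `#!/bin/sh` but uses the `function` keyword, which dash rejects; use `#!/usr/bin/env bash` as analyze.sh now does.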
@@ -0,0 +1,200 @@ +#!/bin/sh + +################################################################### +# Script to manually curate licenses in BOM-Base using the REST API. +# Optional $1 parameter specifies BOM-Base server (defaults to local). +################################################################### + +set -e + +BOM_BASE_URL="http://localhost:8080" +if [ "$1" ]; then + BOM_BASE_URL=$1 +fi + +# Aborts if BOM-Base server cannot be reached +if [ $(curl --write-out '%{http_code}' --head --silent --output /dev/null $BOM_BASE_URL/packages) -ne 200 ]; then + echo "Could not reach BOM-Base at URL $BOM_BASE_URL (see https://github.com/philips-software/bom-base)" + exit 1 +fi + +################################################################### +# Applies URL encoding +# $1 holds the string to encode +# Returns the URL-encoded string +################################################################### +function urlencode() { + local string="${1}" + local strlen=${#string} + local encoded="" + local pos c o + + for (( pos=0 ; pos /dev/null +} + + +################################################################### +# Append all package license curations here: +# (Don't forget to use the proper quotes) +################################################################### +curate 'pkg:npm/svg2ttf@1.2.0' 'MIT' +curate 'pkg:maven/com.github.jnr/jnr-posix@3.0.27' 'CPL-1.0 OR GPL-2.0-only OR LGPL-2.1' +curate 'pkg:maven/com.ibm.icu/icu4j@4.6' 'ICU' +curate 'pkg:maven/com.ibm.icu/icu4j@59.1' 'ICU' +curate 'pkg:maven/org.mockito/mockito-core@1.10.19' 'MIT' +curate 'pkg:maven/org.mockito/mockito-core@3.3.3' 'MIT' +curate 'pkg:maven/org.mockito/mockito-junit-jupiter@3.3.3' 'MIT' +curate 'pkg:maven/org.postgresql/postgresql@9.4-1206-jdbc42' 'PostgreSQL' +curate 'pkg:maven/xmlpull/xmlpull@1.1.3.1' 'Indiana Extreme License 1.1.1' +curate 'pkg:nuget/7-Zip.StandaloneConsole.x64@19.0.0' 'LGPL-2.1-or-later OR BSD-3-Clause' +curate 'pkg:nuget/BCrypt-Official@0.1.109' 'BSD-3-Clause' 
+curate 'pkg:nuget/BarcodeLib@2.2.3' 'Apache-2.0'
+curate 'pkg:nuget/BoDi@1.4.0-alpha1' 'Apache-2.0'
+curate 'pkg:nuget/BoDi@1.4.1' 'Apache-2.0'
+curate 'pkg:nuget/CommandLineParser@2.4.3' 'MIT'
+curate 'pkg:nuget/CommandLineParser@2.7.82' 'MIT'
+curate 'pkg:nuget/DDay.iCal@1.0.1' 'BSD-3-Clause'
+curate 'pkg:nuget/DHTMLX.Scheduler.NET@3.4.0' 'Proprietary'
+curate 'pkg:nuget/Gherkin@6.0.0' 'MIT'
+curate 'pkg:nuget/Gherkin@6.0.0-beta1' 'MIT'
+curate 'pkg:nuget/Google.Protobuf@3.7.0' 'BSD-3-Clause'
+curate 'pkg:nuget/Hl7.Fhir.ElementModel@1.2.1' 'BSD-3-Clause'
+curate 'pkg:nuget/Hl7.Fhir.ElementModel@1.6.0' 'BSD-3-Clause'
+curate 'pkg:nuget/Hl7.Fhir.STU3@1.2.0' 'BSD-3-Clause'
+curate 'pkg:nuget/Hl7.Fhir.STU3@1.2.1' 'BSD-3-Clause'
+curate 'pkg:nuget/Hl7.Fhir.STU3@1.6.0' 'BSD-3-Clause'
+curate 'pkg:nuget/Hl7.Fhir.Serialization@1.2.0' 'BSD-3-Clause'
+curate 'pkg:nuget/Hl7.Fhir.Serialization@1.6.0' 'BSD-3-Clause'
+curate 'pkg:nuget/Hl7.Fhir.Specification.STU3@1.2.0' 'BSD-3-Clause'
+curate 'pkg:nuget/Hl7.Fhir.Support.Poco@1.6.0' 'BSD-3-Clause'
+curate 'pkg:nuget/Hl7.Fhir.Support@1.2.0' 'BSD-3-Clause'
+curate 'pkg:nuget/Hl7.Fhir.Support@1.2.1' 'BSD-3-Clause'
+curate 'pkg:nuget/Hl7.Fhir.Support@1.6.0' 'BSD-3-Clause'
+curate 'pkg:nuget/Hl7.FhirPath@1.2.1' 'BSD-3-Clause'
+curate 'pkg:nuget/Hl7.FhirPath@1.6.0' 'BSD-3-Clause'
+curate 'pkg:nuget/Microsoft.CodeCoverage@16.5.0' 'Microsoft .NET Library License'
+curate 'pkg:nuget/Microsoft.NET.Test.Sdk@16.5.0' 'Microsoft .NET Library License'
+curate 'pkg:nuget/Microsoft.TeamFoundation.DistributedTask.Common.Contracts@16.153.0' 'Microsoft .NET Library License'
+curate 'pkg:nuget/Microsoft.TeamFoundationServer.Client@16.153.0' 'Microsoft .NET Library License'
+curate 'pkg:nuget/Microsoft.TestPlatform.ObjectModel@16.5.0' 'Microsoft .NET Library License'
+curate 'pkg:nuget/Microsoft.TestPlatform.TestHost@16.5.0' 'Microsoft .NET Library License'
+curate 'pkg:nuget/Microsoft.VisualStudio.Services.Client@16.153.0' 'Microsoft .NET Library License'
+curate 'pkg:nuget/NUnit3TestAdapter@3.16.1' 'MIT'
+curate 'pkg:nuget/NUnit@3.12.0' 'MIT'
+curate 'pkg:nuget/Npgsql@3.2.7' 'PostgreSQL'
+curate 'pkg:nuget/RestSharp@106.6.9' 'Apache-2.0'
+curate 'pkg:nuget/Sendgrid@9.11.0' 'MIT'
+curate 'pkg:nuget/SonarAnalyzer.CSharp@8.7.0.17535' 'LGPL-3.0-only'
+curate 'pkg:nuget/SpecFlow.Autofac@3.0.225' 'BSD-3-Clause'
+curate 'pkg:nuget/SpecFlow.Autofac@3.1.86' 'BSD-3-Clause'
+curate 'pkg:nuget/SpecFlow.NUnit@3.0.22' 'BSD-3-Clause'
+curate 'pkg:nuget/SpecFlow.NUnit@3.1.86' 'BSD-3-Clause'
+curate 'pkg:nuget/SpecFlow.Tools.MsBuild.Generation@3.0.225' 'BSD-3-Clause'
+curate 'pkg:nuget/SpecFlow.Tools.MsBuild.Generation@3.1.86' 'BSD-3-Clause'
+curate 'pkg:nuget/SpecFlow@3.0.225' 'BSD-3-Clause'
+curate 'pkg:nuget/SpecFlow@3.1.86' 'BSD-3-Clause'
+curate 'pkg:nuget/SpecSync.AzureDevOps.SpecFlow.3-0@2.1.10' 'Spec Solutions EULA'
+curate 'pkg:nuget/SpecSync.AzureDevOps@2.1.10' 'Spec Solutions EULA'
+curate 'pkg:nuget/System.IO.Abstractions@6.0.15' 'MIT'
+curate 'pkg:nuget/housework@0.1.9' 'MIT'
+curate 'pkg:nuget/protobuf-net.Protogen@2.3.17' 'Apache-2.0'
+curate 'pkg:nuget/protobuf-net@2.4.0' 'Apache-2.0'
+curate 'pkg:nuget/sqlite-net-sqlcipher@1.5.231' 'MIT'
+curate 'pkg:pypi/cryptography@3.4.7' 'Apache-2.0 OR BSD-3-Clause'
+curate 'pkg:pypi/packaging@20.9' 'Apache-2.0 OR BSD-2-Clause'
+curate 'pkg:nuget/Microsoft.CSharp@4.5.0' 'MIT'
+curate 'pkg:nuget/jQuery@1.6.4' 'MIT'
+curate 'pkg:nuget/Gherkin@6.0.0-beta1' 'MIT'
+curate 'pkg:nuget/BoDi@1.4.0-alpha1' 'Apache-2.0'
+curate 'pkg:nuget/RazorEngine@3.10.0' 'Apache-2.0'
+curate 'pkg:nuget/RestSharp@106.6.9' 'Apache-2.0'
+curate 'pkg:nuget/Google.Protobuf@3.7.0' 'BSD-3-Clause'
+curate 'pkg:nuget/Gherkin@6.0.0' 'MIT'
+curate 'pkg:nuget/System.Data.SQLite.Core@1.0.106' 'Public Domain'
+curate 'pkg:nuget/System.Data.SQLite.EF6@1.0.106' 'Public Domain'
+curate 'pkg:nuget/System.Data.SQLite.EF6@1.0.106' 'Public Domain'
+curate 'pkg:nuget/System.Data.SQLite@1.0.106' 'Public Domain'
+curate 'pkg:npm/%40hypnosphi/kotlin-extensions@0.0.2' 'Apache-2.0'
+curate 'pkg:npm/becke-ch--regex--s0-0-v1--base--pl--lib@1.4.0' 'MIT'
+curate 'pkg:npm/ng2-file-upload@1.4.0' 'MIT'
+curate 'pkg:npm/openjpeg.js@0.10.2' 'BSD-2-Clause'
+curate 'pkg:npm/store2@2.12.0' 'MIT'
+curate 'pkg:npm/timers-browserify' 'MIT'
+curate 'pkg:npm/ttf2woff@1.3.0' 'MIT'
+curate 'pkg:nuget/CGenT.Sprache.Release@1.0.0.1' 'MIT'
+curate 'pkg:nuget/CommandLineParser@2.8.0' 'MIT'
+curate 'pkg:nuget/DocumentFormat.OpenXml@1.0' 'MIT'
+curate 'pkg:nuget/DotNetZip@1.13.3' 'MS-PL AND Zlib AND Apache-2.0 AND MIT'
+curate 'pkg:nuget/DotNetZip@1.15.0' 'MS-PL AND Zlib AND Apache-2.0 AND MIT'
+curate 'pkg:nuget/EnterpriseLibrary.Caching@5.0.505.0' 'MS-PL'
+curate 'pkg:nuget/GraphViz.NET@1.0.' 'MIT'
+curate 'pkg:nuget/Hangfire.Core@1.7.19' 'LGPL-3.0-or-later OR Commercial'
+curate 'pkg:nuget/Hangfire.SqlServer@1.7.19' 'LGPL-3.0-or-later OR Commercial'
+curate 'pkg:nuget/Hl7.Fhir.ElementModel@1.2.0' 'BSD-3-Clause'
+curate 'pkg:nuget/Hl7.Fhir.ElementModel@1.3.0' 'BSD-3-Clause'
+curate 'pkg:nuget/Hl7.Fhir.ElementModel@1.5.0' 'BSD-3-Clause'
+curate 'pkg:nuget/Hl7.Fhir.STU3@1.3.0' 'BSD-3-Clause'
+curate 'pkg:nuget/Hl7.Fhir.STU3@1.5.0' 'BSD-3-Clause'
+curate 'pkg:nuget/Hl7.Fhir.Serialization@1.3.0' 'BSD-3-Clause'
+curate 'pkg:nuget/Hl7.Fhir.Serialization@1.5.0' 'BSD-3-Clause'
+curate 'pkg:nuget/Hl7.Fhir.Support.Poco@1.5.0' 'BSD-3-Clause'
+curate 'pkg:nuget/Hl7.Fhir.Support@1.3.0' 'BSD-3-Clause'
+curate 'pkg:nuget/Hl7.Fhir.Support@1.5.0' 'BSD-3-Clause'
+curate 'pkg:nuget/Hl7.FhirPath@1.2.0' 'BSD-3-Clause'
+curate 'pkg:nuget/Hl7.FhirPath@1.3.0' 'BSD-3-Clause'
+curate 'pkg:nuget/Hl7.FhirPath@1.5.0' 'BSD-3-Clause'
+curate 'pkg:nuget/MartinCostello.Logging.XUnit@0.1.0' 'Apache-2.0'
+curate 'pkg:nuget/Microsoft.Data.SqlClient.SNI@2.0.0' 'Microsoft .NET Library License'
+curate 'pkg:nuget/Microsoft.OData.Core@7.7.1' 'MIT'
+curate 'Microsoft.OData.Edm@7.7.1' 'MIT'
+curate 'pkg:nuget/Microsoft.Spatial@7.7.1' 'MIT'
+curate 'Microsoft.SqlServer.Management.SqlParser' 'SQL Server Shared Management Objects (SMO) License' +curate 'Microsoft.SqlServer.SqlManagementObjects' 'SQL Server Shared Management Objects (SMO) License' +curate 'pkg:nuget/NSubstitute@3.1.0' 'BSD-3-Clause' +curate 'pkg:nuget/NetMQ@4.0.0.1' 'LGPL-3.0-or-later' +curate 'pkg:nuget/NetSpell@2.1.7' 'BSD-3-Clause' +curate 'pkg:nuget/RabbitMQ.Client@5.1.0' 'Apache-2.0 OR MPL-2.0' +curate 'pkg:nuget/SharpZipLib.NETStandard@1.0.7' 'MIT' +curate 'pkg:nuget/SonarAnalyzer.CSharp@8.1.0.13383' 'LGPL-3.0-or-later' +curate 'pkg:nuget/SonarAnalyzer.CSharp@8.7.0.17535' 'LGPL-3.0-or-later' +curate 'pkg:nuget/SpecFlow.NUnit@3.0.225' 'BSD-3-Clause' +curate 'pkg:nuget/System.Text.Encoding.CodePages@4.6.0-preview6.19264.9' 'MIT' +curate 'pkg:nuget/p3-sharpcompress@0.10.5.2' 'MIT' +curate 'pkg:nuget/protobuf-net@2.3.4' 'Apache-2.0' +curate 'pkg:maven/com.jcabi/jcabi-aspects@0.22.5' 'Apache-2.0' +curate 'pkg:maven/ch.qos.logback/logback-classic@1.1.11' 'EPL-1.0 OR LGPL-2.1-or-later' +curate 'pkg:maven/ch.qos.logback/logback-classic@1.1.7' 'EPL-1.0 OR LGPL-2.1-or-later' +curate 'pkg:maven/ch.qos.logback/logback-classic@1.2.3' 'EPL-1.0 OR LGPL-2.1-or-later' +curate 'pkg:maven/ch.qos.logback/logback-core@1.1.11' 'EPL-1.0 OR LGPL-2.1-or-later' +curate 'pkg:maven/ch.qos.logback/logback-core@1.1.7' 'EPL-1.0 OR LGPL-2.1-or-later' +curate 'pkg:maven/ch.qos.logback/logback-core@1.2.3' 'EPL-1.0 OR LGPL-2.1-or-later' +curate 'pkg:maven/apache-xerces/xercesImpl@2.9.1' 'Apache-2.0' +curate 'pkg:maven/com.alibaba.spring/spring-context-velocity' 'Apache-2.0' +curate 'pkg:maven/com.amazon.redshift/redshift-jdbc42-no-awssdk@1.2.10.1009' 'Amazon Redshift ODBC and JDBC Driver License' +curate 'pkg:maven/com.amazon.redshift/redshift-jdbc42@1.2.1.1001' 'Amazon Redshift ODBC and JDBC Driver License' +curate 'pkg:maven/com.amazon.redshift/redshift-jdbc42@1.2.10.1009' 'Amazon Redshift ODBC and JDBC Driver License' +curate 
'pkg:maven/com.amazonaws/aws-java-sdk-iot@1.11.792' 'Apache-2.0' +curate 'pkg:maven/com.jcabi.incubator/xembly@0.22' 'BSD-3-Clause' +curate 'pkg:maven/com.mockrunner/mockrunner-core@2.0.4' 'Apache-1.1' +curate 'pkg:maven/com.mockrunner/mockrunner-servlet@2.0.4' 'Apache-1.1' +curate 'pkg:maven/com.oracle/ojdbc7@12.1.0.2' 'Proprietary' + From c24c4c8347c462bdba781898efa27ac5c7702ce7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 Nov 2021 08:05:39 +0000 Subject: [PATCH 07/17] chore(deps): Bump philips-software/spdx-action from 0.8.0 to 0.9.0 Bumps [philips-software/spdx-action](https://github.com/philips-software/spdx-action) from 0.8.0 to 0.9.0. - [Release notes](https://github.com/philips-software/spdx-action/releases) - [Changelog](https://github.com/philips-software/spdx-action/blob/develop/CHANGELOG.md) - [Commits](https://github.com/philips-software/spdx-action/compare/v0.8.0...v0.9.0) --- updated-dependencies: - dependency-name: philips-software/spdx-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/licenses.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/licenses.yml b/.github/workflows/licenses.yml index 61a0cdf..2ce4911 100644 --- a/.github/workflows/licenses.yml +++ b/.github/workflows/licenses.yml @@ -15,7 +15,7 @@ jobs: - name: Create spdx-file id: spdx-builder - uses: philips-software/spdx-action@v0.8.0 + uses: philips-software/spdx-action@v0.9.0 with: project: bom-base - uses: actions/upload-artifact@v2.2.4 From 3d438028dd72da7ea52d41590d6e54be7c2b4534 Mon Sep 17 00:00:00 2001 
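Review bot: The list curates `pkg:nuget/SonarAnalyzer.CSharp@8.7.0.17535` twice with different licenses (`LGPL-3.0-only` first, `LGPL-3.0-or-later` later) and repeats several other entries verbatim (`Gherkin@6.0.0`, `Gherkin@6.0.0-beta1`, `BoDi@1.4.0-alpha1`, `RestSharp@106.6.9`, `Google.Protobuf@3.7.0`, `System.Data.SQLite.EF6@1.0.106`), so whichever request is sent last silently decides the recorded license; the duplicates should be removed and the list kept sorted so a conflict like this is visible in review. Three entries are not Package URLs at all (`'Microsoft.OData.Edm@7.7.1'`, `'Microsoft.SqlServer.Management.SqlParser'`, `'Microsoft.SqlServer.SqlManagementObjects'`), `'pkg:nuget/GraphViz.NET@1.0.'` carries a trailing dot, and `'pkg:nuget/SpecFlow.NUnit@3.0.22'` next to `@3.0.225` looks like a truncated version, so those curations land on keys no scan will ever look up; the first should read `curate 'pkg:nuget/Microsoft.OData.Edm@7.7.1' 'MIT'` and the others likewise get a `pkg:nuget/` prefix and a version. The script runs under `#!/bin/sh` but uses `function`, `local` and `(( ))`, which dash rejects, and the reachability check interpolates `$BOM_BASE_URL` unquoted; `#!/usr/bin/env bash` and `"$BOM_BASE_URL/packages"` match the code as written. The bodies of `urlencode` and `curate` are not legible in this rendering, so how the request itself is built is not reviewed here.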
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 Nov 2021 08:05:46 +0000 Subject: [PATCH 08/17] chore(deps): Bump actions/setup-python from 2.2.2 to 2.3.0 Bumps [actions/setup-python](https://github.com/actions/setup-python) from 2.2.2 to 2.3.0. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](https://github.com/actions/setup-python/compare/v2.2.2...v2.3.0) --- updated-dependencies: - dependency-name: actions/setup-python dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b4264c3..9420f4c 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -42,7 +42,7 @@ jobs: distribution: 'zulu' - name: Setup python - uses: actions/setup-python@v2.2.2 + uses: actions/setup-python@v2.3.0 with: python-version: '3.9' From 4feab134937d2736f81833164c26ae0898efcbe0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 Nov 2021 08:05:49 +0000 Subject: [PATCH 09/17] chore(deps): Bump spring-boot-starter-parent from 2.5.6 to 2.6.0 Bumps [spring-boot-starter-parent](https://github.com/spring-projects/spring-boot) from 2.5.6 to 2.6.0. - [Release notes](https://github.com/spring-projects/spring-boot/releases) - [Commits](https://github.com/spring-projects/spring-boot/compare/v2.5.6...v2.6.0) --- updated-dependencies: - dependency-name: org.springframework.boot:spring-boot-starter-parent dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 610b363..3e343c4 100644 --- a/pom.xml +++ b/pom.xml 
@@ -5,7 +5,7 @@ org.springframework.boot spring-boot-starter-parent - 2.5.6 + 2.6.0 com.philips.research From 1a23d57cd82725a66e851428135a013cd505f487 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 6 Dec 2021 08:04:41 +0000 Subject: [PATCH 10/17] chore(deps): Bump actions/setup-python from 2.3.0 to 2.3.1 Bumps [actions/setup-python](https://github.com/actions/setup-python) from 2.3.0 to 2.3.1. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](https://github.com/actions/setup-python/compare/v2.3.0...v2.3.1) --- updated-dependencies: - dependency-name: actions/setup-python dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9420f4c..404094a 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -42,7 +42,7 @@ jobs: distribution: 'zulu' - name: Setup python - uses: actions/setup-python@v2.3.0 + uses: actions/setup-python@v2.3.1 with: python-version: '3.9' From 88e79ee1ce945dc3265a5f581e19b63176c1d017 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 6 Dec 2021 08:04:41 +0000 Subject: [PATCH 11/17] chore(deps): Bump spring-boot-starter-parent from 2.6.0 to 2.6.1 Bumps [spring-boot-starter-parent](https://github.com/spring-projects/spring-boot) from 2.6.0 to 2.6.1. - [Release notes](https://github.com/spring-projects/spring-boot/releases) - [Commits](https://github.com/spring-projects/spring-boot/compare/v2.6.0...v2.6.1) --- updated-dependencies: - dependency-name: org.springframework.boot:spring-boot-starter-parent dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 3e343c4..c321cf2 100644 --- a/pom.xml +++ b/pom.xml @@ -5,7 +5,7 @@ org.springframework.boot spring-boot-starter-parent - 2.6.0 + 2.6.1 com.philips.research From 5acdabe5c7761772069f63a579a1aaa726d34051 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 6 Dec 2021 08:04:44 +0000 Subject: [PATCH 12/17] chore(deps-dev): Bump equalsverifier from 3.7.2 to 3.8 Bumps [equalsverifier](https://github.com/jqno/equalsverifier) from 3.7.2 to 3.8. - [Release notes](https://github.com/jqno/equalsverifier/releases) - [Changelog](https://github.com/jqno/equalsverifier/blob/main/CHANGELOG.md) - [Commits](https://github.com/jqno/equalsverifier/compare/equalsverifier-3.7.2...equalsverifier-3.8) --- updated-dependencies: - dependency-name: nl.jqno.equalsverifier:equalsverifier dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 3e343c4..ebb70c9 100644 --- a/pom.xml +++ b/pom.xml @@ -79,7 +79,7 @@ nl.jqno.equalsverifier equalsverifier - 3.7.2 + 3.8 test From 7584d103c1b46d415572c2cbecd39aa1dbf7b595 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 13 Dec 2021 08:07:12 +0000 Subject: [PATCH 13/17] chore(deps): Bump actions/download-artifact from 2.0.10 to 2.1.0 Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 2.0.10 to 2.1.0. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](https://github.com/actions/download-artifact/compare/v2.0.10...v2.1.0) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 404094a..8a79de9 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -53,7 +53,7 @@ jobs: extractcode --version - name: Download fronted from the frontend job - uses: actions/download-artifact@v2.0.10 + uses: actions/download-artifact@v2.1.0 with: name: frontend path: frontend @@ -96,7 +96,7 @@ jobs: uses: actions/checkout@v2 - name: Download backend from the backend job - uses: actions/download-artifact@v2.0.10 + uses: actions/download-artifact@v2.1.0 with: name: backend path: target From e4760be931d593b170a91b94429cce588c2522c0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 20 Dec 2021 08:12:08 +0000 Subject: [PATCH 14/17] chore(deps): Bump actions/upload-artifact from 2.2.4 to 2.3.1 Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 2.2.4 to 2.3.1. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/v2.2.4...v2.3.1) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 4 ++-- .github/workflows/licenses.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 404094a..9f329ca 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -21,7 +21,7 @@ jobs: cd ui ./install_ui - - uses: actions/upload-artifact@v2.2.4 + - uses: actions/upload-artifact@v2.3.1 with: name: frontend path: | 
@@ -70,7 +70,7 @@ jobs: - name: Test with Maven run: mvn --no-transfer-progress test - - uses: actions/upload-artifact@v2.2.4 + - uses: actions/upload-artifact@v2.3.1 with: name: backend path: | diff --git a/.github/workflows/licenses.yml b/.github/workflows/licenses.yml index 2ce4911..1f55852 100644 --- a/.github/workflows/licenses.yml +++ b/.github/workflows/licenses.yml @@ -18,7 +18,7 @@ jobs: uses: philips-software/spdx-action@v0.9.0 with: project: bom-base - - uses: actions/upload-artifact@v2.2.4 + - uses: actions/upload-artifact@v2.3.1 with: name: licenses path: ${{ steps.spdx-builder.outputs.spdx-file }} From e54eaaabbfd94ff42394f96c9a67fb54237e2731 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 20 Dec 2021 08:12:21 +0000 Subject: [PATCH 15/17] chore(deps-dev): Bump equalsverifier from 3.8 to 3.8.1 Bumps [equalsverifier](https://github.com/jqno/equalsverifier) from 3.8 to 3.8.1. - [Release notes](https://github.com/jqno/equalsverifier/releases) - [Changelog](https://github.com/jqno/equalsverifier/blob/main/CHANGELOG.md) - [Commits](https://github.com/jqno/equalsverifier/compare/equalsverifier-3.8...equalsverifier-3.8.1) --- updated-dependencies: - dependency-name: nl.jqno.equalsverifier:equalsverifier dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 2e5e6c4..94f0908 100644 --- a/pom.xml +++ b/pom.xml @@ -79,7 +79,7 @@ nl.jqno.equalsverifier equalsverifier - 3.8 + 3.8.1 test From 117303be64c83c0e09354f5ab20f2b2733dbcd2d Mon Sep 17 00:00:00 2001 From: Jeroen Knoops Date: Fri, 24 Dec 2021 14:03:15 +0100 Subject: [PATCH 16/17] use tree based dependency searching 
Signed-off-by: Jeroen Knoops --- .github/workflows/licenses.yml | 41 ++++++++++++++++++++++------------ .spdx-builder.yml | 13 +++-------- 2 files changed, 30 insertions(+), 24 deletions(-) diff --git a/.github/workflows/licenses.yml b/.github/workflows/licenses.yml index 1f55852..0535ae3 100644 --- a/.github/workflows/licenses.yml +++ b/.github/workflows/licenses.yml @@ -7,18 +7,31 @@ jobs: scanLicenses: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 - - uses: actions/setup-java@v2 - with: - java-version: '11.0.1' - distribution: 'zulu' + - uses: actions/checkout@v2 + - uses: actions/setup-java@v2 + with: + java-version: '11.0.13' + distribution: 'zulu' - - name: Create spdx-file - id: spdx-builder - uses: philips-software/spdx-action@v0.9.0 - with: - project: bom-base - - uses: actions/upload-artifact@v2.3.1 - with: - name: licenses - path: ${{ steps.spdx-builder.outputs.spdx-file }} + - name: Create dependencies list + run: | + ./mvnw dependency:tree + ./mvnw dependency:tree > dependencies.txt + + - name: Show dependencies.txt + run: | + cat dependencies.txt + + - name: Create spdx-file + id: spdx-builder + uses: philips-software/spdx-action@v0.9.1.1 + with: + project: bom-base + mode: 'tree' + tree: dependencies.txt + format: maven + + - uses: actions/upload-artifact@v2.3.1 + with: + name: licenses + path: ${{ steps.spdx-builder.outputs.spdx-file }} diff --git a/.spdx-builder.yml b/.spdx-builder.yml index 532280c..040cbcc 100644 --- a/.spdx-builder.yml +++ b/.spdx-builder.yml @@ -4,13 +4,6 @@ document: comment: key: namespace: "https://research.philips.com/bom-base" -projects: - - id: "Maven:com.philips.research:BOM-base:0.2.1" - purl: "pkg:maven/philips/BOM-base@v0.2.1" - excluded: - - "test*" - - "development*" - - "runtime*" - - "annotation*" - - "archives" - - id: "Pub::ui/pubspec.yaml:" +internal: + - com.philips.research:* + From 27ddfad6094402ba87e0d26dfa4cc7c6982629da Mon Sep 17 00:00:00 2001 
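Review bot: The `Create dependencies list` step runs `./mvnw dependency:tree` twice, once for the log and once redirected into `dependencies.txt`, so the tree spdx-builder consumes comes from a separate resolution than the one shown in the job output and every run resolves the project twice; a single `./mvnw dependency:tree -DoutputFile=dependencies.txt` followed by the existing `cat dependencies.txt` step gives the same visibility from one run. `uses: philips-software/spdx-action@v0.9.1.1`, like the other `actions/*` references in this workflow, resolves a mutable tag, and since this job produces the license evidence attached to releases, pinning the full commit SHA with the tag kept in a trailing comment prevents a moved tag from silently changing what runs. Most of the hunk is a re-indentation of unchanged list items; a separate whitespace-only commit would leave the functional change reviewable on its own.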
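Review bot: The removed `projects:` block also covered `Pub::ui/pubspec.yaml:`, and the new workflow only feeds `./mvnw dependency:tree` into spdx-builder, so the UI's pub dependencies presumably drop out of the generated license document with this commit; if that is intended, a comment in this file should record that the SBOM is backend-only, otherwise the tree step needs a second input for the UI. The removed `excluded` patterns (`test*`, `development*`, `runtime*`, `annotation*`, `archives`) have no counterpart in tree mode either, so test-only artifacts now appear as shipped components unless the tree is narrowed, e.g. with the dependency plugin's `-Dscope=compile`. The new `internal:` entry `com.philips.research:*` deserves a one-line comment stating what matching packages are exempted from, since nothing in this file explains it.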
From: Jeroen Knoops Date: Fri, 24 Dec 2021 16:17:09 +0100 Subject: [PATCH 17/17] Prepare for v0.3.0 release --- .github/workflows/build.yml | 2 +- CONTRIBUTING.md | 4 +--- pom.xml | 2 +- 3 files changed, 3 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 55a8558..d9d3c9b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -106,4 +106,4 @@ jobs: with: dockerfile: docker/Dockerfile image-name: bom-base - tags: 0 0.2 0.2.1 v0.2.1 latest ${{ github.sha }} + tags: 0 0.3 0.3.0 v0.3.0 latest ${{ github.sha }} diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index d2e7558..4d2b5f7 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -51,9 +51,7 @@ This needs to be improved in the future, but for now: Change version into new version in file / linenumber: - `pom.xml` : line 13. -- `.spdx-builder.yml` : line 8. -- `.spdx-builder.yml` : line 9. -- `.github/workflows/build.yml` : line 95. (docker tags) +- `.github/workflows/build.yml` : line 109. (docker tags) Commit changes: diff --git a/pom.xml b/pom.xml index 94f0908..ed203be 100644 --- a/pom.xml +++ b/pom.xml @@ -10,7 +10,7 @@ com.philips.research BOM-base - 0.2.1-SNAPSHOT + 0.3.0-SNAPSHOT BOM-base FOSS metadata repository