[ANN] PkgToSoftwareBOM v0.1.10: Package License now included in the SBOM

Version 0.1.10 of the PkgToSoftwareBOM.jl package has been released.

PkgToSoftwareBOM.jl produces a Software Bill of Materials (SBOM) describing your Julia environment. At this time, the SBOM produced is in the SPDX format. Contributions to support other SBOM formats are welcome.

I created PkgToSoftwareBOM.jl to help the Julia ecosystem get prepared for the emerging future of software supply chain security. If we want Julia adoption to continue to grow, then we need to be able to easily create SBOMs to supply to the organizations using Julia packages.

Since the last announcement, there has been a significant improvement to the generated Software BOM. PkgToSoftwareBOM now scans all packages and artifacts for software licenses, records all the different licenses found, and makes a best effort to determine what license has been declared by the author to govern the entire package.

Here is an example of a package and an artifact where multiple software licenses have been detected:

    "packages": [
      .......
        {
            "name": "DataFrames",
            "SPDXID": "SPDXRef-DataFrames-a93c6f00-e57d-5684-b7b6-d8193f3e46c0",
            "versionInfo": "1.6.1",
            "supplier": "NOASSERTION",
            "originator": "NOASSERTION",
            "downloadLocation": "git+https://github.com/JuliaData/DataFrames.jl.git@v1.6.1",
            "filesAnalyzed": true,
            "packageVerificationCode": {
                "packageVerificationCodeValue": "94b7776ca0a139163d26b8aea090b08783b52ac7"
            },
            "homepage": "https://github.com/JuliaData/DataFrames.jl.git",
            "sourceInfo": "Source Code Location is supplied by the General registry:\nhttps://github.com/JuliaRegistries/General.git",
            "licenseConcluded": "NOASSERTION",
            "licenseInfoFromFiles": [
                "MIT",
                "CC0-1.0"
            ],
            "licenseDeclared": "MIT",
            "copyrightText": "NOASSERTION",
            "summary": "This is a Julia package, written in the Julia language.",
            "comment": "The SPDX ID field is derived from the UUID that all Julia packages are assigned by their developer to uniquely identify it."
        },
........
        {
            "name": "Libiconv",
            "SPDXID": "SPDXRef-92b949e2f3a66439c69a8d334fc95810fbd9df9b",
            "supplier": "NOASSERTION",
            "originator": "NOASSERTION",
            "downloadLocation": "https://github.com/JuliaBinaryWrappers/Libiconv_jll.jl/releases/download/Libiconv-v1.17.0+0/Libiconv.v1.17.0.aarch64-apple-darwin.tar.gz",
            "filesAnalyzed": true,
            "packageVerificationCode": {
                "packageVerificationCodeValue": "c61b890869c884b566ef0e805205987a519c89a9",
                "packageVerificationCodeExcludedFiles": [
                    "lib/libcharset.dylib",
                    "lib/libiconv.dylib"
                ]
            },
            "checksums": [
                {
                    "algorithm": "SHA256",
                    "checksumValue": "608336f578104c2b556d5c6cbfe1d00bc1ec15b863659f2b72d252138b28d7ad"
                }
            ],
            "homepage": "NOASSERTION",
            "sourceInfo": "The artifact download URL was determined using the following platform specific parameters:\narch: aarch64\nos: macos\n",
            "licenseConcluded": "NOASSERTION",
            "licenseInfoFromFiles": [
                "LGPL-2.0-or-later",
                "LGPL-2.1-or-later",
                "GPL-3.0",
                "GPL-3.0-or-later"
            ],
            "licenseDeclared": "GPL-3.0",
            "copyrightText": "NOASSERTION",
            "summary": "This is a Julia artifact. \nAn artifact is a binary runtime or other data store not written in the Julia language that is used by a Julia package.",
            "comment": "The SPDX ID field is derived from the Git tree hash of the artifact files which is used to uniquely identify it."
        },
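The three license fields shown above (`licenseInfoFromFiles`, `licenseDeclared`, `licenseConcluded`) are the ones a consumer of the SBOM will act on, so here is an added example of how a downstream review script might audit them. This is illustrative code written for this post, not part of PkgToSoftwareBOM.jl; the sample SBOM is constructed from trimmed copies of the two packages above plus a hypothetical third package, and the `REVIEW_PREFIXES` policy is an assumed organisational rule, not anything the tool ships.

```python
"""Audit the license fields of an SPDX 2.x JSON SBOM, such as one written by PkgToSoftwareBOM.jl."""
import json

# Constructed sample SBOM: two packages trimmed from the generated document quoted
# above, plus one hypothetical package for which no license text was found at all.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {
            "name": "DataFrames",
            "versionInfo": "1.6.1",
            "licenseConcluded": "NOASSERTION",
            "licenseInfoFromFiles": ["MIT", "CC0-1.0"],
            "licenseDeclared": "MIT",
        },
        {
            "name": "Libiconv",
            "licenseConcluded": "NOASSERTION",
            "licenseInfoFromFiles": [
                "LGPL-2.0-or-later", "LGPL-2.1-or-later", "GPL-3.0", "GPL-3.0-or-later",
            ],
            "licenseDeclared": "GPL-3.0",
        },
        {
            # Hypothetical package: nothing detected, nothing declared.
            "name": "HypotheticalPkg",
            "versionInfo": "0.0.1",
            "licenseConcluded": "NOASSERTION",
            "licenseInfoFromFiles": [],
            "licenseDeclared": "NOASSERTION",
        },
    ],
})

# Assumed policy: SPDX identifiers with these prefixes must be looked at by a human
# before the dependency is approved. Adjust to your organisation's rules.
REVIEW_PREFIXES = ("GPL-", "AGPL-")


def audit_licenses(sbom_json, review_prefixes=REVIEW_PREFIXES):
    """Return {package name: [finding, ...]} for every package in the SBOM.

    Findings raised:
      no-declared-license     licenseDeclared is NOASSERTION
      declared-not-in-files   the declared license never appeared in any scanned file
      no-license-files        the scan found no license text at all
      concluded-not-set       licenseConcluded is still NOASSERTION (review pending)
      review:<id>             a license matching the review policy was found
    """
    doc = json.loads(sbom_json)
    report = {}
    for pkg in doc.get("packages", []):
        name = pkg.get("name", "<unnamed>")
        declared = pkg.get("licenseDeclared", "NOASSERTION")
        found = set(pkg.get("licenseInfoFromFiles", []))
        findings = []
        if declared == "NOASSERTION":
            findings.append("no-declared-license")
        elif declared not in found:
            # The best-effort declaration disagrees with every file that was scanned.
            findings.append("declared-not-in-files")
        if not found:
            findings.append("no-license-files")
        if pkg.get("licenseConcluded", "NOASSERTION") == "NOASSERTION":
            findings.append("concluded-not-set")
        for lic in sorted(found | {declared}):
            if lic.startswith(review_prefixes):
                findings.append(f"review:{lic}")
        report[name] = findings
    return report


def packages_by_license(sbom_json):
    """Invert the SBOM: {SPDX license id: [package names that carry it]}."""
    doc = json.loads(sbom_json)
    index = {}
    for pkg in doc.get("packages", []):
        for lic in pkg.get("licenseInfoFromFiles", []):
            index.setdefault(lic, []).append(pkg["name"])
    return index


if __name__ == "__main__":
    for name, findings in audit_licenses(SAMPLE_SBOM).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```

Because PkgToSoftwareBOM leaves `licenseConcluded` as `NOASSERTION` (that field is meant to be filled in by whoever reviews the SBOM, not by the generator), every package is flagged `concluded-not-set` until the review is recorded; the `review:` findings show where the multiple-license detection from the example above becomes actionable.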