Version 0.1.8 of the PkgToSoftwareBOM.jl package has been released.
PkgToSoftwareBOM.jl produces a Software Bill of Materials (SBOM) describing your Julia environment. At this time, the SBOM produced is in the SPDX format. Contributions to support other SBOM formats are welcome.
I created PkgToSoftwareBOM.jl to help the Julia ecosystem get prepared for the emerging future of software supply chain security. If we want to see Julia adoption continue to grow, then we need to be able to easily create SBOMs to supply to the organizations using Julia packages.
Since the last announcement, there has been a significant improvement to the generated Software BOM. PkgToSoftwareBOM.jl now documents all artifacts used in your Julia environment. The artifact download URLs are correct for the operating system and CPU architecture of your host platform.
Here is an example of how an SBOM documents the package GR_jll and the artifact GR that it uses:
```json
"packages": [
    ...
    {
        "name": "GR",
        "SPDXID": "SPDXRef-06b5a80271d985bdfa723f023e105b4b580f30ca",
        "supplier": "NOASSERTION",
        "originator": "NOASSERTION",
        "downloadLocation": "https://github.com/JuliaBinaryWrappers/GR_jll.jl/releases/download/GR-v0.73.0+0/GR.v0.73.0.aarch64-apple-darwin.tar.gz",
        "filesAnalyzed": true,
        "checksums": [
            {
                "algorithm": "SHA256",
                "checksumValue": "c58ca7ccbefaf2a7c186f3bc4e7c3a931ed3a3d69f2af84948a69327f24d03c2"
            }
        ],
        "homepage": "NOASSERTION",
        "sourceInfo": "The artifact download URL was determined using the following platform specific parameters:\narch: aarch64\nos: macos\n",
        "licenseConcluded": "NOASSERTION",
        "licenseInfoFromFiles": [
            "NOASSERTION"
        ],
        "licenseDeclared": "NOASSERTION",
        "copyrightText": "NOASSERTION",
        "summary": "This is a Julia artifact. \nAn artifact is a binary runtime or other data store not written in the Julia language that is used by a Julia package.",
        "comment": "The SPDX ID field is derived from the Git tree hash of the artifact files which is used to uniquely identify it."
    },
    {
        "name": "GR_jll",
        "SPDXID": "SPDXRef-GR_jll-d2c73de3-f751-5644-a686-071e5b155ba9",
        "versionInfo": "0.73.0+0",
        "supplier": "NOASSERTION",
        "originator": "NOASSERTION",
        "downloadLocation": "git+https://github.com/JuliaBinaryWrappers/GR_jll.jl.git@v0.73.0+0",
        "filesAnalyzed": true,
        "packageVerificationCode": {
            "packageVerificationCodeValue": "abd4325e075e684718854298c2e79014587eb9b0"
        },
        "homepage": "https://github.com/JuliaBinaryWrappers/GR_jll.jl.git",
        "sourceInfo": "Source Code Location is supplied by the General registry:\nhttps://github.com/JuliaRegistries/General.git",
        "licenseConcluded": "NOASSERTION",
        "licenseInfoFromFiles": [
            "NOASSERTION"
        ],
        "licenseDeclared": "NOASSERTION",
        "copyrightText": "NOASSERTION",
        "summary": "This is a Julia package, written in the Julia language.",
        "comment": "The SPDX ID field is derived from the UUID that all Julia packages are assigned by their developer to uniquely identify it."
    },
    ...
],
"relationships": [
    ...
    {
        "spdxElementId": "SPDXRef-06b5a80271d985bdfa723f023e105b4b580f30ca",
        "relationshipType": "RUNTIME_DEPENDENCY_OF",
        "relatedSpdxElement": "SPDXRef-GR_jll-d2c73de3-f751-5644-a686-071e5b155ba9"
    },
    {
        "spdxElementId": "SPDXRef-GR_jll-d2c73de3-f751-5644-a686-071e5b155ba9",
        "relationshipType": "DEPENDENCY_OF",
        "relatedSpdxElement": "SPDXRef-GR-28b8d3ca-fb5f-59d9-8090-bfdbd6d07a71"
    }
    ...
]
```
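The SBOM above is only useful downstream if a consumer actually checks it. Here is an added example (not part of the post or of PkgToSoftwareBOM.jl) of a consumer that walks the `RUNTIME_DEPENDENCY_OF` relationships to list the artifacts a package pulls in, and compares a downloaded artifact against the SHA256 recorded in the SBOM. The SBOM is a constructed in-memory excerpt modelled on the GR / GR_jll entries; the artifact bytes and their checksum are constructed stand-ins, and the minimal entry for the GR Julia package is hypothetical.

```python
import hashlib

# Constructed stand-in for the GR tarball; its hash below is NOT the real checksum.
ARTIFACT_BYTES = b"constructed stand-in for GR.v0.73.0.aarch64-apple-darwin.tar.gz"

# Constructed excerpt modelled on the post's SBOM; SPDXIDs copied from the post.
SBOM = {
    "packages": [
        {"name": "GR",  # the artifact (SPDXID = Git tree hash of the artifact files)
         "SPDXID": "SPDXRef-06b5a80271d985bdfa723f023e105b4b580f30ca",
         "downloadLocation": "https://github.com/JuliaBinaryWrappers/GR_jll.jl/releases/download/GR-v0.73.0+0/GR.v0.73.0.aarch64-apple-darwin.tar.gz",
         "checksums": [{"algorithm": "SHA256",
                        "checksumValue": hashlib.sha256(ARTIFACT_BYTES).hexdigest()}]},
        {"name": "GR_jll",  # the wrapper package (SPDXID = package UUID)
         "SPDXID": "SPDXRef-GR_jll-d2c73de3-f751-5644-a686-071e5b155ba9",
         "versionInfo": "0.73.0+0",
         "downloadLocation": "git+https://github.com/JuliaBinaryWrappers/GR_jll.jl.git@v0.73.0+0"},
        {"name": "GR",  # the GR Julia package; minimal hypothetical entry
         "SPDXID": "SPDXRef-GR-28b8d3ca-fb5f-59d9-8090-bfdbd6d07a71"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-06b5a80271d985bdfa723f023e105b4b580f30ca",
         "relationshipType": "RUNTIME_DEPENDENCY_OF",
         "relatedSpdxElement": "SPDXRef-GR_jll-d2c73de3-f751-5644-a686-071e5b155ba9"},
        {"spdxElementId": "SPDXRef-GR_jll-d2c73de3-f751-5644-a686-071e5b155ba9",
         "relationshipType": "DEPENDENCY_OF",
         "relatedSpdxElement": "SPDXRef-GR-28b8d3ca-fb5f-59d9-8090-bfdbd6d07a71"},
    ],
}

def packages_by_id(sbom):
    """Index SPDX package elements by SPDXID."""
    return {p["SPDXID"]: p for p in sbom["packages"]}

def artifacts_used_by(sbom, package_id):
    """Names of elements recorded as RUNTIME_DEPENDENCY_OF the given package."""
    pkgs = packages_by_id(sbom)
    return [pkgs[r["spdxElementId"]]["name"] for r in sbom["relationships"]
            if r["relationshipType"] == "RUNTIME_DEPENDENCY_OF"
            and r["relatedSpdxElement"] == package_id]

def verify_artifact(sbom, artifact_id, data):
    """True only if the downloaded bytes match the SHA256 recorded in the SBOM."""
    pkg = packages_by_id(sbom)[artifact_id]
    recorded = {c["algorithm"]: c["checksumValue"].lower() for c in pkg.get("checksums", [])}
    if "SHA256" not in recorded:
        return False  # no checksum recorded: unverifiable, so not treated as OK
    return hashlib.sha256(data).hexdigest() == recorded["SHA256"]
```

With a real SBOM, load the JSON file into `SBOM` and pass the bytes of the tarball fetched from `downloadLocation` to `verify_artifact`; a mismatch means the artifact on disk is not the one the environment was documented with.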