When characterising SBOMs from the perspective of data at first (data-first), there are two main format specifications that inform the discussion around SBOM representations, CycloneDX and SPDX.
- CycloneDX - Software Bill of Materials (SBOM), OWASP ecosystem
- SPDX specification v2.3.0, cloud-native ecosystem
As they spring from different ecosystems, eras and learnings, they bring different tooling with them. For the previous reasons of assuming a container-native development environment in #50, we will focus on the cloud-native approach with SPDX here.
Remarks on the SBOM platform choice
An example pipeline in the OWASP example with dashboard is given with:
- security - Integrating OWASP Dependency-Track into GitLab CI/CD Pipeline - Stack Overflow
- Dependency-Track | Software Bill of Materials (SBOM) Analysis | OWASP
Licence compatibility tooling is possible with standardised formats and methods. This does not mean that there are other approaches to solving the riddle.
- HansHammel/license-compatibility-checker: Check npm dependencies’ package.json for license compatibility (aka compliance check) with the current project based on spdx notation and naming conventions.
- librariesio/license-compatibility:
Check compatibility between different SPDX licenses
A notable addition is
flict, a license compatibility tool. It integrates the OSADL matrix and allows for computational inferrence of the actual compatibility.
- vinland-technology/flict: free and open source software license compatibility tool.
- flict/EXAMPLES.md at main · vinland-technology/flict
- priv-kweihmann/osadl-matrix: OSADL license compatibility matrix as a CSV
- Access to raw data: OSADL - Open Source Automation Development Lab eG
- OSADL Open Source License Checklists: OSADL - Open Source Automation Development Lab eG
Its vendor also offers an integrated container with multiple tools, which is sufficiently up to date.
Programs on the image
- compliance-utils (misc tools)
- flict
- license-detector
- ninka
- ort
- reuse
- scancode
For people who feel tempted to learn more about the actual implementations, the
go-license-detectorhas a readme section about the quality of source code license classifiers, and they keep an analysis of documentation practices that lead to detection failure. The Ninka link is broken here, but the project is on GitHub.
- go-enry/go-license-detector: Reliable project licenses detector.
- go-license-detector/FAILURES.md at master · go-enry/go-license-detector
- dmgerman/ninka: a license identification tool for Source Code
This collection of compliance tools could be considered canonical for some use cases. We will have to come up with our own requirements and answers to them later.
Exploring the SPDX ecosystem
The SPDX ecosystem springs around the idea of Handling License Info with SPDX. Conventional practices in the field are combined in FSF’s REUSE initiative that proposes to write one line with a small license header into every source code file.
From an even higher level, license compatibility can be seen as a specific case of licence compliance, esp. in governmental and corporate environments, and REUSE offer a Comparison of license compliance projects. In addition, the SPDX initiative holds a list of Open Source Tools, from validating CLI tools via SPDX generators in various languages to large-scale license auditing platforms for repositories in internal and public source code forges and artifact stores.
Hommage à l'ascendance: OWASP, CycloneDX and DependencyTrack
The SPDX community builds on previous experience in enterprise compliance and license management. This list is not exhaustive, and does not contain (legacy) platforms like ClearlyDefined or FOSSology recommended by REUSE.
- CycloneDX/cyclonedx-cli: CycloneDX CLI tool for SBOM analysis, merging, diffs and format conversions.
- CycloneDX/license-scanner: Utility that provides an API and CLI to identify licenses and legal terms
- CycloneDX/sbom-utility: Utility that provides an API platform for validating, querying and managing BOM data
- DependencyTrack/dependency-track: Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
- Component Analysis | OWASP Foundation
Screening SPDX tooling and further resources
SPDX generators
The main work of SPDX generation is automated by CLI tooling that is employed in CI pipelines. These are common projects built on different language platforms. Choosing a compiled language will greatly decrease execution time, as no script interpreter is involved. The effect adds up upon multiple runs, why emphasis on speed is good here.
- oss-review-toolkit/ort: A suite of tools to automate software compliance checks. (Kotlin)
- tern-tools/tern: Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what’s inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more. (Python, support for scancode)
- nexB/scancode-toolkit:
ScanCode detects licenses, copyrights, dependencies by „scanning code“ … to discover and inventory open source and third-party packages used in your code. Sponsored by NLnet project https://nlnet.nl/project/vulnerabilitydatabase, the Google Summer of Code, Azure credits, nexB and others generous sponsors! (Python, C)
- microsoft/sbom-tool: The SBOM tool is a highly scalable and enterprise ready tool to create SPDX 2.2 compatible SBOMs for any variety of artifacts. (C#)
- opensbom-generator/spdx-sbom-generator: Support CI generation of SBOMs via golang tooling. (Go)
- anchore/syft: CLI tool and library for generating a Software Bill of Materials from container images and filesystems (Go)
Visualisation
There are other projects for visualising SPDX data, either in a browser workbench, or as DOT files for graphviz graphs.
- nexB/scancode-workbench:
ScanCode Workbench is a desktop app to review and conclude license and origin from code scans generated by ScanCode Toolkit. (Python)
- oss-review-toolkit/ort-workbench: A desktop workbench for OSS Review Toolkit result files. (Kotlin)
- sbom2dot · PyPI
flinc2dotfromflictcompliance-utilsabove, which visualises license compatibility, and not the inventorySPDX platforms
More integrated management of SPDX for large numbers of repositories is possible with dedicated platforms.
- Introducing self-service SBOMs - The GitHub Blog
- nexB/scancode.io: ScanCode.io is a server to script and automate software composition analysis pipelines with ScanPipe pipelines. This project is sponsored by NLnet project https://nlnet.nl/project/vulnerabilitydatabase/ Google Summer of Code, nexB and others generous sponsors! (Python)
- FOSSLight | Open Source Governance with FOSSLight
- SCANOSS | Open Source Inventorying Engine (C, Spain)
Cloud-native vulnerability scanning, including SPDX SBOM
The whole story around more standardised SBOMs emerged in parallel with discussions on vulnerability scanning in immutable, cloud-native environments. Microsoft lead the way here around SPDX and put a lot of effort in supporting this in the Azure cloud, while the ecosystem eventually catched up. But others like Snyk (commercial) and Aqua Security Trivy (FLOSS) were already concerned with automatic scanning of software artifacts, but with regards to security. It was only natural for them to also acquire the capability to generate SBOMs.
Trivy, the most common FLOSS tool employed in this area, has widespread integration with other platforms, e.g. the container and OCI artifact registry Harbor, as well as CI pipelines.
- anchore/grype: A vulnerability scanner for container images and filesystems (Go)
- aquasecurity/trivy: Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more (Go)
- goharbor/harbor: An open source trusted cloud native registry project that stores, signs, and scans content. (Go)
As we can witness, most cloud-native tooling is written in Go.
Auxiliary resources
Notable findings in the SPDX ecosystem
While technical and corporate in nature, we can extract some practical and theoretical knowledge from the context provided here. First, there is a simple web app that allows to display and analyse the content of SPDX records. Second, we find an exhaustive tutorial by an author of another CC content on the subject of license compatibility, written ten years later. It subsumes many of the discussions around SPDX, and what it is used for. Third we also find a reference to Nix, which has native support for deriving SPDX records from its more sophisticated data model about software.
Web app
The SPDX initiative offers a web application to analyse and modify SPDX documents further.
Tutorial
This piece from 2016 onwards is written by the author of the licence compatibility chart on Wikipedia from 2007 above and very exhaustive, including actual reasoning about license recommendations. It is the most permissive OSI license MIT, our current one, which is preferred there. The AGPL doesn’t find a mention.
Adjacent Nix theory about The Purely Functional Software Deployment Model
edolstra.github.io/pubs/phd-thesis.pdf at master · edolstra/edolstra.github.io
More on what this means for us and what we can do with that information now in the last part.
