{"id":34508096,"url":"https://github.com/heriet/hatto","last_synced_at":"2025-12-24T03:18:23.100Z","repository":{"id":57747005,"uuid":"480164439","full_name":"heriet/hatto","owner":"heriet","description":"CLI for software license check","archived":false,"fork":false,"pushed_at":"2022-08-07T07:19:20.000Z","size":25,"stargazers_count":6,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-08-13T12:04:21.295Z","etag":null,"topics":["license","license-checking","oss-compliance"],"latest_commit_sha":null,"homepage":"https://heriet.github.io/hatto/","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/heriet.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE-APACHE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-04-10T23:21:54.000Z","updated_at":"2025-03-18T13:18:01.000Z","dependencies_parsed_at":"2022-09-03T00:21:28.235Z","dependency_job_id":null,"html_url":"https://github.com/heriet/hatto","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/heriet/hatto","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/heriet%2Fhatto","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/heriet%2Fhatto/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/heriet%2Fhatto/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/heriet%2Fhatto/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/heriet","download_url":"https://codeload.github.com/heriet/hatto/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts
/GitHub/repositories/heriet%2Fhatto/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":27994388,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-12-24T02:00:07.193Z","response_time":83,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["license","license-checking","oss-compliance"],"created_at":"2025-12-24T03:18:21.125Z","updated_at":"2025-12-24T03:18:23.092Z","avatar_url":"https://github.com/heriet.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# hatto\n\nhatto is a CLI for SBOM policy evaluation.\n\n## Installation\n\n```sh\ncargo install hatto\n```\n\nor\n\n```sh\ndocker pull ghcr.io/heriet/hatto:latest\n```\n\n## Requirements\n\nhatto uses [PyO3](https://github.com/PyO3/pyo3). 
So hatto requires a Python shared library.\n\n```sh\nsudo apt install python3-dev\n```\n\n## Usage\n\n### evaluate\n\n```sh\nhatto evaluate \u003cSBOM or tsv file\u003e\n```\n\non docker\n\n```sh\ndocker run -v $(PWD):/work ghcr.io/heriet/hatto:latest evaluate \u003cSBOM or tsv file\u003e\n```\n\n```sh\n$ hatto evaluate --help\nevaluate policy\n\nUSAGE:\n    hatto evaluate [OPTIONS] \u003cFILE\u003e\n\nARGS:\n    \u003cFILE\u003e    \n\nOPTIONS:\n    -c, --curation \u003cFILE\u003e              \n    -h, --help                         Print help information\n    -o, --output \u003cOUTPUT_FORMAT\u003e       [default: human] [possible values: human, json]\n    -p, --policy \u003cFILE\u003e                \n    -t, --source-type \u003cSOURCE_TYPE\u003e    [possible values: tsv, spdx-tag, spdx-json, spdx-yaml,\n                                       cyclone-dx-json, cyclone-dx-xml]\n```\n\nThe `FILE` argument of evaluate is an SBOM or a tsv file. SBOM supports `SPDX` or `CycloneDX`.\n\nhatto also supports tsv. The tsv file must contain a header row.\n\n**example `example.tsv`**\n\n```tsv\nname\tversion\tlicenses\tannotations\nfoo\t1.0.1\tMIT,Apache-2.0\tusage=service\nbar\t1.1.2\tUNKNOWN\t\n```\n\nThese files can be generated with any license collection tool. If the license collection tool does not support SBOM, you should convert its output to tsv or SBOM.\n\nYou can also configure `--policy` and `--curation`.\n\nThe `--policy` file defines a license policy written in Python. 
The policy file must implement `def evaluate(material, result)`.\n\n**example `policy.py`**\n\n```python\n#!/usr/bin/python\n\nallowed_licenses = [\n    \"Apache-2.0\",\n    \"BSD-3-Clause\",\n    \"MIT\",\n    \"Unlicense\",\n]\n\ndef evaluate(material, result):\n    for license in material.licenses:\n        if license not in allowed_licenses:\n            result.add_error(f\"{license} is not allowed\")\n```\n\n```sh\n$ hatto evaluate --policy policy.py example.tsv\nOK foo 1.0.1 licenses:[\"MIT\", \"Apache-2.0\"] annotations:{\"usage\": \"service\"}\nNG bar 1.1.2 licenses:[\"UNKNOWN\"] annotations:{}\n  ERROR UNKNOWN is not allowed\nFailure: evaluate failed\n```\n\n`UNKNOWN` is not allowed by `policy.py`. Therefore `hatto evaluate` fails.\n\nYou may know that the true license of `bar` is `BSD-3-Clause`. In such a case you can patch the license information with a `--curation` file. The curation file must implement `def curate_material(material)`.\n\n**example `curation.py`**\n\n```python\n#!/usr/bin/python\n\ndef curate_material(material):\n    if material.name == \"bar\":\n        material.licenses = [\"BSD-3-Clause\"]\n```\n\n```sh\n$ hatto evaluate --policy policy.py --curation curation.py example.tsv\nOK foo 1.0.1 licenses:[\"MIT\", \"Apache-2.0\"] annotations:{\"usage\": \"service\"}\nOK bar 1.1.2 licenses:[\"BSD-3-Clause\"] annotations:{}\n```\n\nThese allow hatto to perform flexible license policy evaluation for your teams or organizations.\n\n## License\n\nLicensed under either of\n\n- Apache License, Version 2.0 ([LICENSE-APACHE](LICENSE-APACHE) or http://www.apache.org/licenses/LICENSE-2.0)\n- MIT license ([LICENSE-MIT](LICENSE-MIT) or http://opensource.org/licenses/MIT)\n\nat your option.\n\n## Contribution\n\nUnless you explicitly state otherwise, any contribution intentionally submitted\nfor inclusion in the work by you, as defined in the Apache-2.0 license, shall be\ndual licensed as above, without any additional terms or 
conditions.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fheriet%2Fhatto","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fheriet%2Fhatto","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fheriet%2Fhatto/lists"}