{"id":20801904,"url":"https://github.com/philips-software/bom-bar","last_synced_at":"2025-05-07T00:44:41.920Z","repository":{"id":36955401,"uuid":"295734354","full_name":"philips-software/bom-bar","owner":"philips-software","description":"Experimental web service for checking the software bill-of-materials (\"SBOM\") for projects against license violations.","archived":false,"fork":false,"pushed_at":"2023-08-07T09:01:25.000Z","size":11052,"stargazers_count":8,"open_issues_count":6,"forks_count":3,"subscribers_count":1,"default_branch":"develop","last_synced_at":"2025-03-31T04:41:09.341Z","etag":null,"topics":["license-scanning-framework","sbom","software-bill-of-materials"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/philips-software.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null}},"created_at":"2020-09-15T13:19:15.000Z","updated_at":"2022-12-14T23:24:52.000Z","dependencies_parsed_at":"2023-02-12T21:46:12.654Z","dependency_job_id":null,"html_url":"https://github.com/philips-software/bom-bar","commit_stats":null,"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/philips-software%2Fbom-bar","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/philips-software%2Fbom-bar/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/philips-software%2Fbom-bar/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/philips-software%2Fbom-bar/manifests","owner_url":"https://repos.ecosyste.ms/a
pi/v1/hosts/GitHub/owners/philips-software","download_url":"https://codeload.github.com/philips-software/bom-bar/tar.gz/refs/heads/develop","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252793562,"owners_count":21805053,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["license-scanning-framework","sbom","software-bill-of-materials"],"created_at":"2024-11-17T18:25:28.575Z","updated_at":"2025-05-07T00:44:41.907Z","avatar_url":"https://github.com/philips-software.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n\n# BOM-Bar\n\n[![Release](https://img.shields.io/github/release/philips-software/bom-bar.svg)](https://github.com/philips-software/bom-bar/releases)\n\n**Description**:  BOM-Bar is an _experimental_ bill-of-materials aggregator\nand (license compatibility) policy validation service.\n\n\u003c/div\u003e\n\nBy uploading the latest bill-of-materials from every CI build, the BOM-Bar\nservice can keep an inventory of all packages in use within an organization and\nprovide feedback to the development team on potential (license) policy\nviolations.\n\nLicense compatibility detection takes individual package licenses, the target\ndistribution and package relations into account. Violations can be manually\noverridden after investigation for packages that provide\na [package URL](https://github.com/package-url/purl-spec). 
(The Package URL is\nused as identifier to track such exemptions across bill-of-materials uploads.)\n\nPackage URLs also provide insights into the use of versions of packages, and the\nre-use of packages across projects.\n\nBill-of-materials files are uploaded as SPDX tag-value files, where\nrelationships from the document are used to build the typed hierarchy of\npackages. This information is used to separate deliverable from development\npackages, and identify any originating project for a package version.\n\n(See the [architecture document](docs/architecture.md) for a detailed technical\ndescription.)\n\n## Dependencies\n\nThe service requires at least Java 11.\n\n## Installation\n\nThe Flutter web user interface is built by the `install_ui` script from\nthe `/ui` directory. This script builds the web application and installs it into\nthe `/src/main/resources/static` directory of the backend.\n\nThe Java backend software is built by the standard Maven `mvn clean install`\ncommand.\n\nThe server is started as a standard Java executable\nusing `java -jar \u003capplication-name\u003e.jar`.\n\n## Configuration\n\n(Empty)\n\n## Usage\n\n### Web interface\n\nAfter starting up, the service exposes on port 8080 (=default):\n\n* A user interface to browse projects for detected policy violations and\n  packages and grant exemptions.\n* An API to upload SPDX software bill-of-materials documents in tag-value format\n  by a POST request to `/projects/\u003cproject_uuid\u003e/upload`.\n* A (basic) and insecure database management tool on url `/h2`. 
Default\n  credentials are \"user\" and \"password\". Do not expose the service beyond a\n  trusted network; when running it locally, publish port 8080 on the loopback\n  interface only (with Docker: `-p 127.0.0.1:8080:8080` instead of `-p 8080:8080`).\n\n### Solving database migration issues\n\nIf migration of the database fails, a stand-alone database server can be started\nfrom the command line on Linux or Mac using:\n\n    java -jar ~/.m2/repository/com/h2database/h2/\u003cversion\u003e/h2-\u003cversion\u003e.jar\n\n(Failed migrations can be manually corrected or removed in the\n\"flyway_schema_history\" table.)\n\n### Docker\n\nAfter building the project, you can also run the application with Docker.\n\nBuild Docker image:\n\n```bash\ndocker build -f docker/Dockerfile -t bom-bar .\n```\n\nRun application:\n\n```bash\ndocker run -p 8080:8080 bom-bar\n```\n\n### Image from Docker Hub\n\nRun application:\n\n```bash\ndocker run -p 8080:8080 philipssoftware/bom-bar:latest\n```\n\n## How to test the software\n\nJava unit tests are executed by the Maven `mvn clean test` command.\n\nFlutter unit tests are executed by the Flutter `flutter test` command from\nthe `/ui` directory.\n\n## Known issues\n\nThe software is not suited for production use.\n\nThese are the most important topics that need to be addressed:\n(A marked checkbox means the topic is in progress.)\n\n- [ ] Import license obligations from\n  e.g. [OSADL](https://www.osadl.org/Access-to-raw-data.oss-compliance-raw-data-access.0.html)\n\nFuture ideas:\n\n- [ ] Derive key technologies of projects from packages used\n- [ ] Track security vulnerabilities.\n\n## Disclaimer\n\nBOM-Bar is an _experimental_ tool and not a substitute for human review of each\ndependency for licensing or any other issues. It is not the goal of BOM-Bar to\nprovide legal advice about licensing or any other issues. 
If you have any\nquestions regarding licensing compliance for your code or any other legal issues\nrelating to it, it’s up to you to do further research or consult with a\nprofessional.\n\n## Contact / Getting help\n\nSubmit an issue in the issue tracker of this project.\n\n## License\n\nSee [LICENSE.md](LICENSE.md).\n\n## Credits and references\n\n- [The Software Package Data Exchange (SPDX®) Specification Version 2.2](https://spdx.github.io/spdx-spec/)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fphilips-software%2Fbom-bar","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fphilips-software%2Fbom-bar","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fphilips-software%2Fbom-bar/lists"}
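The upload step the README above describes (an SPDX tag-value document in, the document's relationships used to separate deliverable from development packages, violations evaluated against a target distribution, and exemptions tracked by package URL) can be sketched end to end. The Python below is an added example written for this page, not BOM-Bar's own code: the SBOM is a constructed sample whose package names, purls and licenses are made up; the rule that a package is deliverable only when it is reachable from the described root over runtime-type relationships, and the policy that a proprietary distribution may not ship copyleft-licensed deliverables, are illustrative assumptions rather than BOM-Bar's actual rules. The SPDX 2.2 relationship type names and the `ExternalRef: PACKAGE-MANAGER purl ...` form come from the SPDX specification the README cites.

```python
"""Toy SPDX 2.2 tag-value ingestion; an added example, not BOM-Bar's own code.
The deliverable/development split and the policy are illustrative assumptions."""
from collections import deque

# SPDX 2.2 "A X_OF B" relationship types, normalised to edges (B needs A, kind).
_REVERSE = {"DEPENDENCY_OF": "runtime", "RUNTIME_DEPENDENCY_OF": "runtime",
            "DEV_DEPENDENCY_OF": "dev", "BUILD_DEPENDENCY_OF": "dev",
            "TEST_DEPENDENCY_OF": "dev"}
COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only",   # assumption: not
            "GPL-3.0-or-later", "AGPL-3.0-only", "AGPL-3.0-or-later"}  # shippable

# Constructed sample document: package names, purls and licenses are made up.
SAMPLE_SBOM = """\
SPDXVersion: SPDX-2.2
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-app

PackageName: example-app
SPDXID: SPDXRef-app
PackageLicenseDeclared: MIT
ExternalRef: PACKAGE-MANAGER purl pkg:maven/com.example/example-app@1.0.0

PackageName: copyleft-util
SPDXID: SPDXRef-copyleft
PackageLicenseDeclared: GPL-3.0-only
ExternalRef: PACKAGE-MANAGER purl pkg:maven/org.example/copyleft-util@2.1.0

PackageName: junit-jupiter
SPDXID: SPDXRef-junit
PackageLicenseDeclared: EPL-2.0
ExternalRef: PACKAGE-MANAGER purl pkg:maven/org.junit.jupiter/junit-jupiter@5.10.0

PackageName: gpl-test-helper
SPDXID: SPDXRef-testhelper
PackageLicenseDeclared: GPL-2.0-only
ExternalRef: PACKAGE-MANAGER purl pkg:maven/org.example/gpl-test-helper@0.3.0

Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-app
Relationship: SPDXRef-app DEPENDS_ON SPDXRef-copyleft
Relationship: SPDXRef-junit TEST_DEPENDENCY_OF SPDXRef-app
Relationship: SPDXRef-junit DEPENDS_ON SPDXRef-testhelper
"""

def parse_tag_value(text):
    """Return (packages: SPDXID -> {name, license, purl}, edges, roots)."""
    packages, edges, roots, doc_id, pkg = {}, [], [], None, None
    for line in text.splitlines():
        if ":" not in line or line.startswith("#"):
            continue                                 # blank line or comment
        tag, value = (s.strip() for s in line.split(":", 1))
        if tag == "PackageName":                     # opens a new package block
            pkg = {"name": value, "license": None, "purl": None}
        elif tag == "SPDXID" and pkg is None:
            doc_id = value                           # the document's own id
        elif tag == "SPDXID":
            packages[value] = pkg
        elif tag == "PackageLicenseDeclared" and pkg is not None:
            pkg["license"] = value
        elif tag == "ExternalRef" and pkg is not None:
            parts = value.split(None, 2)             # CATEGORY TYPE LOCATOR
            if len(parts) == 3 and parts[1] == "purl":
                pkg["purl"] = parts[2]
        elif tag == "Relationship":
            a, rel, b = value.split()
            if rel == "DESCRIBES" and a == doc_id:
                roots.append(b)
            elif rel == "DEPENDS_ON":                # "A DEPENDS_ON B": A needs B
                edges.append((a, b, "runtime"))
            elif rel in _REVERSE:
                edges.append((b, a, _REVERSE[rel]))
    return packages, edges, roots

def classify(packages, edges, roots):
    """Assumption: deliverable = reachable from a root via runtime edges only."""
    children = {}
    for parent, child, kind in edges:
        children.setdefault(parent, []).append((child, kind))
    deliverable, queue = set(), deque(roots)
    while queue:
        pid = queue.popleft()
        if pid not in deliverable:
            deliverable.add(pid)
            queue.extend(c for c, k in children.get(pid, ()) if k == "runtime")
    return deliverable, set(packages) - deliverable   # the rest is development

def check_policy(packages, deliverable, distribution, exemptions=frozenset()):
    """Assumption: only a proprietary distribution forbids copyleft; exemptions are purls."""
    if distribution != "proprietary":
        return []
    return [(packages[p]["purl"], packages[p]["license"]) for p in sorted(deliverable)
            if p in packages and packages[p]["license"] in COPYLEFT
            and packages[p]["purl"] not in exemptions]

def run_sample(distribution="proprietary", exemptions=frozenset()):
    packages, edges, roots = parse_tag_value(SAMPLE_SBOM)
    deliverable, development = classify(packages, edges, roots)
    purls = lambda ids: sorted(packages[i]["purl"] for i in ids if i in packages)
    return {"deliverable": purls(deliverable), "development": purls(development),
            "violations": check_policy(packages, deliverable, distribution, exemptions)}
```

`run_sample()` reports `copyleft-util` as a violation, while `gpl-test-helper`, which the document reaches only through a `TEST_DEPENDENCY_OF` relationship, lands in the development set and is not flagged; passing its purl in `exemptions` clears the violation, which is the purl-keyed override the README describes. A real ingest would additionally have to handle `FileName` blocks (their `SPDXID` lines would be mistaken for package ids here) and malformed `Relationship` lines.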