{"id":20801905,"url":"https://github.com/philips-software/bom-base","last_synced_at":"2025-05-07T00:44:49.519Z","repository":{"id":37977874,"uuid":"340401382","full_name":"philips-software/bom-base","owner":"philips-software","description":"Caching repository for bill-of-materials metadata","archived":false,"fork":false,"pushed_at":"2024-05-23T14:50:17.000Z","size":2967,"stargazers_count":6,"open_issues_count":18,"forks_count":7,"subscribers_count":1,"default_branch":"develop","last_synced_at":"2025-03-31T04:41:09.831Z","etag":null,"topics":["license-scanning-framework","sbom","software-bill-of-materials"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/philips-software.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null}},"created_at":"2021-02-19T14:55:13.000Z","updated_at":"2023-01-24T08:26:43.000Z","dependencies_parsed_at":"2023-02-12T21:30:39.729Z","dependency_job_id":null,"html_url":"https://github.com/philips-software/bom-base","commit_stats":null,"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/philips-software%2Fbom-base","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/philips-software%2Fbom-base/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/philips-software%2Fbom-base/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/philips-software%2Fbom-base/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/philips-software","download_url":"ht
tps://codeload.github.com/philips-software/bom-base/tar.gz/refs/heads/develop","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252793562,"owners_count":21805053,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["license-scanning-framework","sbom","software-bill-of-materials"],"created_at":"2024-11-17T18:25:28.939Z","updated_at":"2025-05-07T00:44:49.512Z","avatar_url":"https://github.com/philips-software.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n\n# BOM-Base\n\n[![Release](https://img.shields.io/github/release/philips-software/bom-base.svg)](https://github.com/philips-software/bom-base/releases)\n\n**Description**: BOM-Base is an _experimental_ caching repository for\nbill-of-materials metadata.\n\n**Status**: Experimental research prototype\n\n_Powered by Philips SWAT Eindhoven_\n\n\u003c/div\u003e\n\nWhile producing a bill-of-materials, a private metadata cache is desirable to\naugment the publicly available metadata with local curations and to store metadata\nfor packages that are not publicly released.\n\nThe service consists of a metadata store with \"harvesters\" to collect metadata.\nMissing or modified metadata automatically triggers\nharvesters to fill the cache.\n\nThe harvesting mechanism starts from a client requesting metadata for a specific\npackage. If the package is unknown, one or more harvesters start collecting\nmetadata from external sources. 
The harvester for the relevant package\nmanagement repository obtains the basic package metadata, and another harvester\nmight additionally pull various curated fields for the same package\nfrom [ClearlyDefined](https://clearlydefined.io). A scoring mechanism ensures\nthe most reliable metadata is kept. A known source code location\n(without a scanned license yet) can trigger the license scanning harvester to\ndownload and scan the source code for licenses and other copyright information.\nIf the scanned license does not match the license declared in the originating\nrepository, it can be contested by a harvester that checks consistency between\nthe \"declared\" and \"detected\" license fields. When a client later requests the\nsame package, it receives the latest updated metadata.\n\nThe user interface allows human inspection and curation of the metadata. A\nmanual change of such metadata can in turn trigger other processes to complete\nadditional fields.\n\n(See the [architecture document](docs/architecture.md) for a detailed technical\ndescription.)\n\n## Dependencies\n\nThe service requires at least Java 11.\n\n## Installation\n\n### Build the executable JAR\n\nThe Flutter web user interface must first be built through the `install_ui`\nscript in the `/ui` directory. 
(This script checks and builds the web\napplication and installs it into the `/src/main/resources/static` directory of\nthe backend.)\n\nNext, the backend is built with the Maven `mvn clean install` command,\nwhich yields a \"fat\" executable jar containing all dependencies.\n\nThe backend server starts as a standard Java executable:\n\n```bash\njava -jar BOM-base-\u003cversion\u003e.jar\n```\n\nSome useful command line parameters are:\n\n- `--server.port=9090` changes the HTTP port from the default 8080 to 9090.\n- `--bom-base.scan-licenses=false` disables the source code license scanner,\n  reducing the machine load during development and testing.\n- `--bom-base.harvest-clearly-defined=false` disables the ClearlyDefined lookup.\n\n### Install ScanCode Toolkit license scanner\n\nScanning licenses from source files is delegated\nto [ScanCode Toolkit](https://github.com/nexB/scancode-toolkit).\n\nFollow any of\nthese [installation instructions](https://scancode-toolkit.readthedocs.io/en/latest/getting-started/install.html)\nto install the command line application.\n\nThen make sure the `scancode` and `extractcode` commands are accessible from any\ndirectory by updating the path or creating symbolic links in an appropriate\nlocation.\n\n### Docker\n\nAfter building the project, you can build and run the application using Docker.\n\nBuild the Docker image:\n\n```bash\ndocker build -f docker/Dockerfile -t bom-base .\n```\n\nRun the Docker container:\n\n```bash\ndocker run -p 8080:8080 bom-base\n```\n\n### Image from Docker Hub\n\nThe latest released version is also available from Docker Hub:\n\n```bash\ndocker run -p 8080:8080 philipssoftware/bom-base:latest\n```\n\n## Configuration\n\n(Empty)\n\n## Usage\n\nThe service exposes a REST API and a user interface on port 8080.\n\nProper operation can be checked with a request for a package, for example the\npackage URL `pkg:npm/marked@0.7.0`, percent-encoded twice in the path:\n\n```sh\ncurl http://localhost:8080/packages/pkg%253Anpm%252Fmarked%25400.7.0 | jq\n```\n\nHarvesters will then start collecting the metadata for\nthe 
`pkg:npm/marked@0.7.0`\npackage if its metadata was not yet available. Otherwise it returns the existing\nmetadata for the package.\n\n## How to test the software\n\nUnit tests for this Maven project are run by the `mvn clean test` command.\n\nNote that ScanCode Toolkit must be installed for all tests to pass. (See the\ninstallation instructions above.)\n\n## Known issues\n\n(BOM-Base is still under development.)\n\n## Disclaimer\n\nBOM-Base is an _experimental_ tool and is not suited for production.\n\n## Contact / Getting help\n\nSubmit an issue in the issue tracker of this project.\n\n## License\n\nSee [LICENSE.md](LICENSE.md).\n\n## Credits and references\n\n- BOM-Base relies on [ScanCode Toolkit](https://github.com/nexB/scancode-toolkit)\n  for scanning license information from source code.\n- Many thanks go out to the nice people\n  at [OSS Review Toolkit](https://github.com/oss-review-toolkit/ort) for their\n  work and for being an inspiration to try a different approach to managing\n  bill-of-materials metadata.\n- If you are looking for tools to build a bill-of-materials, you might want to\n  have a look at\n  the [SPDX-Builder](https://github.com/philips-software/spdx-builder) project\n  that can (among various other solutions) use BOM-Base metadata to build rich\n  bill-of-materials documents in the SPDX format.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fphilips-software%2Fbom-base","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fphilips-software%2Fbom-base","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fphilips-software%2Fbom-base/lists"}
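A worked client for the request shown under "Usage" in the README above, added here as an example and not part of the BOM-Base project. It relies only on what the README shows: the service on `http://localhost:8080` and a package fetched with `GET /packages/<purl>`, where the path segment is the package URL percent-encoded twice (`pkg:npm/marked@0.7.0` becomes `pkg%253Anpm%252Fmarked%25400.7.0`). The README does not say why the encoding is doubled; a common reason is that the server decodes the path once, so a singly encoded `%2F` would otherwise be treated as a path separator. The function names, the `_PURL_RE` sanity check, the `Accept` header and the `BASE_URL` constant are this example's own choices, and the network call is optional so the encoding can be exercised offline.

```python
"""Build and check the BOM-Base package request shown in the README.

Added example, not part of the BOM-Base project. It assumes only what the
README shows: the service listens on http://localhost:8080 and a package is
requested as GET /packages/<purl>, where <purl> is the package URL
percent-encoded twice (pkg:npm/marked@0.7.0 -> pkg%253Anpm%252Fmarked%25400.7.0).
"""
import json
import re
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "http://localhost:8080"  # default port from the README (assumed local)

# Minimal sanity check on a package URL (purl): scheme "pkg:", a type, a name and
# an optional version. Deliberately simple and not a full purl parser; it exists
# so that arbitrary strings are rejected before they are embedded in a request
# path (the double encoding below would neutralise them anyway, but failing
# early gives a clearer error than a 404 from the service).
_PURL_RE = re.compile(r"^pkg:[a-zA-Z][a-zA-Z0-9.+-]*/[^@?#\s]+(@[^?#\s]+)?$")


def encode_purl_segment(purl: str) -> str:
    """Percent-encode a purl twice, as the README's curl example does.

    The first pass turns ':' '/' '@' into %3A %2F %40; the second pass turns
    each '%' into %25. The server is then expected to decode the segment once
    (README shows the double-encoded form; the reason is an assumption here).
    """
    if not _PURL_RE.match(purl):
        raise ValueError(f"not a package URL: {purl!r}")
    once = urllib.parse.quote(purl, safe="")
    return urllib.parse.quote(once, safe="")


def decode_purl_segment(segment: str) -> str:
    """Reverse encode_purl_segment (two rounds of percent-decoding)."""
    return urllib.parse.unquote(urllib.parse.unquote(segment))


def package_url(purl: str, base_url: str = BASE_URL) -> str:
    """Full request URL for a package, e.g. the README's marked@0.7.0 example."""
    return f"{base_url}/packages/{encode_purl_segment(purl)}"


def fetch_package(purl: str, base_url: str = BASE_URL, timeout: float = 10.0):
    """GET the package metadata and return the parsed JSON body.

    Returns None when the service is not reachable, so the script can be run on
    a machine without BOM-Base and still exercise the encoding logic.
    """
    req = urllib.request.Request(package_url(purl, base_url),
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except (urllib.error.URLError, OSError) as exc:
        print(f"BOM-Base not reachable at {base_url}: {exc}")
        return None


if __name__ == "__main__":
    purl = "pkg:npm/marked@0.7.0"  # the README's example package
    url = package_url(purl)
    print(url)
    # Round trip: the path segment decodes back to the original purl.
    assert decode_purl_segment(url.rsplit("/", 1)[1]) == purl
    meta = fetch_package(purl)
    if meta is not None:
        print(json.dumps(meta, indent=2))
```

Running the script prints the request URL and, when a BOM-Base instance is reachable on the assumed address, the returned metadata; the first request for an unknown package triggers the harvesters described above, so a second request some seconds later returns the filled-in record.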