{"id":20801927,"url":"https://github.com/philips-software/spdx-builder","last_synced_at":"2025-05-07T00:45:51.241Z","repository":{"id":37070002,"uuid":"280070262","full_name":"philips-software/spdx-builder","owner":"philips-software","description":"Generates SPDX bill-of-material files from a package input and license scan","archived":false,"fork":false,"pushed_at":"2024-04-15T06:37:31.000Z","size":1195,"stargazers_count":13,"open_issues_count":14,"forks_count":6,"subscribers_count":1,"default_branch":"develop","last_synced_at":"2025-03-31T04:41:11.751Z","etag":null,"topics":["bom","hacktoberfest","license-scanning-framework","software-bill-of-materials"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/philips-software.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2020-07-16T06:14:32.000Z","updated_at":"2025-03-20T22:46:14.000Z","dependencies_parsed_at":"2023-11-06T09:46:16.071Z","dependency_job_id":"a3e0de73-28b3-488a-adc0-10ea5805a850","html_url":"https://github.com/philips-software/spdx-builder","commit_stats":null,"previous_names":[],"tags_count":19,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/philips-software%2Fspdx-builder","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/philips-software%2Fspdx-builder/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/philips-software%2Fspdx-builder/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/reposit
ories/philips-software%2Fspdx-builder/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/philips-software","download_url":"https://codeload.github.com/philips-software/spdx-builder/tar.gz/refs/heads/develop","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252793564,"owners_count":21805054,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bom","hacktoberfest","license-scanning-framework","software-bill-of-materials"],"created_at":"2024-11-17T18:26:11.640Z","updated_at":"2025-05-07T00:45:51.235Z","avatar_url":"https://github.com/philips-software.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n\n# SPDX-Builder\n\n[![Release](https://img.shields.io/github/release/philips-software/spdx-builder.svg)](https://github.com/philips-software/spdx-builder/releases)\n\nCI/CD tool to generate Bill-of-Materials reports in SPDX format.\n\u003e **Status**: Experimental research prototype\n\n\u003c/div\u003e\n\n## Contents\n\n- [Description](#Description)\n- [Installation](#installation)\n- [Usage](#usage)\n- [How to test the software](#how-to-test-the-software)\n- [Known issues](#known-issues)\n- [Contact / Getting help](#contact--getting-help)\n- [License](#license)\n- [Credits and references](#credits-and-references)\n\n## Description\n\nConverts project dependencies into a standard\n[SPDX](https://spdx.github.io/spdx-spec) tag-value Software Bill-of-Materials\nfile, optionally integrating externally collected and curated license details.\n\nA 
Bill-of-Materials can be generated from various types of inputs:\n\n1. From the output of\n   the [OSS Review Toolkit](https://github.com/oss-review-toolkit/ort) (ORT)\n   Analyzer tool, optionally in combination with scanned licences provided by\n   [License Scanning Service](https://github.com/philips-software/license-scanner)\n   or the [BOM-Base](https://github.com/philips-software/bom-base) metadata\n   harvesting service. (See [ORT mode usage](docs/usage_with_ort.md))\n\n2. From the REST API of\n   a [Synopsys Black Duck](https://www.synopsys.com/software-integrity/security-testing/software-composition-analysis.html)\n   SCA server. (See [Black Duck mode usage](docs/usage_with_black_duck.md))\n\n3. From the \"tree\" output of many build environments, in combination with\n   metadata from a [BOM-Base](https://github.com/philips-software/bom-base)\n   metadata harvesting service. (See [Tree mode usage](docs/usage_with_tree.md))\n\n## Installation\n\nBuild the application using the standard Gradle command:\n\n```shell\n./gradlew clean install\n```\n\nThen make the resulting files from the `build/install/spdx-builder/bin`\navailable in the path.\n\nAlternatively, the application can be run directly from Gradle:\n\n```shell\n./gradlew run --args=\"ort -c .spdx-builder.yml \u003ccommand\u003e \u003cparameters\u003e\"\n```\n\n## Usage\n\nThe commandline application has usage instructions built-in:\n\n```shell\nspdx-builder --help\n```\n\nSeparate usage details are found per mode for: [ort mode](docs/usage_with_ort.md),\n[blackduck mode](docs/usage_with_black_duck.md),\nand [tree mode](docs/usage_with_tree.md).\n\n_NOTE: This application requires Java 11 or higher._\n\n### Uploading the resulting SPDX file\n\nIt is possible to automatically upload the generated SPDX file to a server. This\n
will POST the SPDX file using a multi-part file upload in the `file` parameter.\n\nTo upload the extracted bill-of-materials from an ORT file\nto [BOM-bar](https://github.com/philips-software/bom-bar), the invocation\nbecomes:\n\n```shell\nspdx-builder ort -c \u003cconfig_yaml_file\u003e -upload=https://\u003cserver\u003e:8080/projects/\u003cuuid\u003e/upload \u003cort_yaml_file\u003e\n```\n\n### GitHub actions\n\nYou can use the SPDX-builder in a GitHub Action. This can be found on\n\u003chttps://github.com/philips-software/spdx-action\u003e. The Action performs an ORT\nscan, pushes the data to SPDX-builder and can use a self-hosted license scanner\nservice and upload service like BOM-Bar.\n\n## How to test the software\n\nThe unit test suite is run via the standard Gradle command:\n\n```shell\n./gradlew clean test\n```\n\nA local ORT-based self-test (if ORT is installed locally) can be run by:\n\n```shell\n./gradlew run --args=\"ort -c src/test/resources/.spdx-builder.yml src/test/resources/ort_sample.yml\"\n```\n\n## Known issues\n\n(Ticked checkboxes indicate topics currently under development.)\n\nMust-have:\n\n- [ ] Abort if ORT Analyzer raised errors.\n- [ ] Support the new (more compact) ORT tree structure. (Currently breaks Gradle projects.)\n- [ ] Add hashes of build results (where possible).\n- [ ] (Optionally) Add source artefacts as \"GENERATED_FROM\" relationship.\n\nShould-have:\n\n- [ ] Treat internal (=non-OSS) packages differently for output SBOM.\n- [ ] Support output \"flavors\" for the purpose of the generated SBOM.\n\nOther ideas:\n\n- [ ] Integration with [Quartermaster (QMSTR)](https://qmstr.org/).\n\n## Contact / Getting help\n\nSubmit tickets to\nthe [issue tracker](https://github.com/philips-software/spdx-builder/issues).\n\nSee the [architecture document](docs/architecture.md) for a detailed technical\ndescription.\n\n## License\n\nSee [LICENSE.md](LICENSE.md).\n\n## Credits and references\n\n1. [The SPDX Specification](https://spdx.github.io/spdx-spec) documents the SPDX\n   file standard.\n2. [The ORT Project](https://github.com/oss-review-toolkit) provides a toolset\n   for generating and analyzing various aspects of the Bill-of-Materials.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fphilips-software%2Fspdx-builder","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fphilips-software%2Fspdx-builder","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fphilips-software%2Fspdx-builder/lists"}