https://github.com/philips-labs/bompare

Comparator tool for evaluation of the output from multiple bill-of-material analyzers

Topics: bill-of-materials, blackduck, bom, comparator, jk1, software-bill-of-materials, tern, whitesource


README

# Bompare, a tool to compare the Software Bill-of-Materials from multiple sources

## Usage
The `bompare` tool can be used to compare generated bill-of-materials files
to identify differences between sources. Comparison is either between the
libraries identified by various sources, or on the licenses for the
libraries identified by all sources in the comparison. Outputs are CSV
files with a column per source.

It currently reads:

- [x] (Internal) reference format (BOM only)
- [x] [WhiteSource](https://www.whitesourcesoftware.com) inventory JSON export format
- [x] [BlackDuck](https://www.synopsys.com/software-integrity/security-testing/software-composition-analysis.html) report export ZIP and directory format
- [x] [SPDX](https://spdx.github.io/spdx-spec) tag-value format with [purl](https://github.com/package-url/purl-spec) package references
- [x] [JK1 Gradle license report](https://github.com/jk1/Gradle-License-Report) JSON format
- [x] [Tern](https://github.com/tern-tools/tern) JSON format
- [x] [Maven 3rd party license report](https://www.mojohaus.org/license-maven-plugin/add-third-party-mojo.html) TXT format
- [x] [NPM license-checker](https://www.npmjs.com/package/license-checker) CSV format

To allow license comparison, it automatically transforms official license titles
to SPDX identifiers, and allows customized translations using an external CSV file.

The executable is a multi-platform command line executable with built-in usage help.
It should compile and run on OSX/Linux/Windows, but has been developed on OSX.

## Building the executable
1. Install the Dart 2.12.0 (or newer) SDK according to the [instructions](https://dart.dev/get-dart). For example:
   - OSX (Mac) using brew: `brew tap dart-lang/dart` and then `brew install dart`
   - Windows using [Chocolatey](https://chocolatey.org): `choco install dart-sdk`
   - With Docker: `docker run -it --rm -v $(pwd):/work -w /work google/dart ./build.sh`
1. Globally install the coverage helper tooling: `dart pub global activate coverage`.
1. Globally install the flutter_coverage_badge: `dart pub global activate flutter_coverage_badge`.
1. Install the "lcov" coverage visualization tooling.
1. Run `build.sh` to run all tests and build a native executable called `bompare`.

If the coverage tools are installed, the build results in an update of the
coverage badge and a [static web site](coverage/index.html) with coverage
details.