This repository contains a set of rules and tools for
- declaring metadata about packages, such as
- the licenses the package is available under
- the canonical package name and version
- copyright information
- ... and more TBD in the future
- gathering license declarations into artifacts to ship with code
- applying organization specific compliance constriants against the set of packages used by a target.
- producing SBOMs for built artifacts.
WARNING: The code here is still in active initial development and will churn a lot.
If you want to follow along:
- Mailing list: bazel-ssc@bazel.build
- Monthly eng meeting: calendar link
- Latest docs
Last update: October 22, 2023
- Reference implementation for "packages used" tool
- produce JSON output usable for SBOM generation or other compliance reporting.
- Reference implementation for an SPDX SBOMM generator
- Support for reading bzlmod lock file
- Support for reading maven lock file
- "How To" guides
- produce a license audit
- produce an SBOM
- Add support for other package manager lock file formats
- ? Python
- Golang
- NodeJS
- More SPDX SBOM fields
- support for including vendor SBOMs
-
Performance improvements
-
Sub-SBOMs for tools
-
TBD
These is for learning about the problem space, and our approach to solutions. Concrete specifications will always appear in checked in code rather than documents.