moverseai/vcpkg-sbom


📓 Software Bill-of-Materials for vcpkg manifests.



A Python command-line tool to extract a combined software bill of materials and license info from a vcpkg manifest.

Installation

🐍 PyPi

Open a command line and run:

pip install vcpkg-sbom

:octocat: Local

Download the repo:

git clone https://github.com/moverseai/vcpkg-sbom vcpkg-sbom
cd vcpkg-sbom

From the repo's root path run:

pip install .

For an editable install run:

pip install -e .

⌨️ Usage

vcpkg-sbom PATH/TO/PROJECT/vcpkg_installed
ID Package
0 package name #1
1 package name #2
2 package name #3
... package name #N

Merging spdx: ━━━━━━━━━━━━━━━━━━ 100% 0:00:00
Extracting & merging copyrights ...
Merging copyrights: ━━━━━━━━━━━━━━━━━━ 0% -:--:--

Note

The output file is an SPDX-2.3 SPDXRef-DOCUMENT that merges all available *.spdx.json files from the manifest's installed packages.

Tip

The default triplet is x64-windows; it is appended to the path given on the command line before searching for installed packages.

Important

The output files (*.spdx.json, and optionally, *_license_info.json and *_EULA.txt) are written to the current working directory from where the command was executed.
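The merge described in the note above, sketched as an added example (not the tool's own code): it combines per-package SPDX 2.3 JSON documents, prefixes element IDs so they do not collide, and lists packages whose concluded license still needs manual review. The on-disk layout `<vcpkg_installed>/<triplet>/share/<port>/*.spdx.json`, all function names, and the sample data are assumptions made for illustration.

```python
import json
from pathlib import Path

def load_installed(root, triplet="x64-windows"):
    # Assumed layout: <root>/<triplet>/share/<port>/*.spdx.json
    paths = sorted(Path(root, triplet, "share").glob("*/*.spdx.json"))
    return [json.loads(p.read_text(encoding="utf-8")) for p in paths]

def merge_spdx(docs, name="project", namespace="https://spdx.org/spdxdocs/project",
               created="2024-01-01T00:00:00Z"):
    merged = {
        "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT", "name": name,
        "documentNamespace": namespace,
        "creationInfo": {"created": created, "creators": ["Tool: merge-sketch"]},
        "packages": [], "files": [], "relationships": [],
    }
    for i, doc in enumerate(docs):
        # SPDX IDs are unique only within one document, so prefix each element
        # ID with its source index; NONE/NOASSERTION and the document ID pass through.
        def rid(ref, i=i):
            if not ref.startswith("SPDXRef-") or ref == "SPDXRef-DOCUMENT":
                return ref
            return f"SPDXRef-{i}-{ref[len('SPDXRef-'):]}"
        for key in ("packages", "files"):
            for elem in doc.get(key, []):
                merged[key].append({**elem, "SPDXID": rid(elem["SPDXID"])})
        for rel in doc.get("relationships", []):
            merged["relationships"].append({**rel,
                "spdxElementId": rid(rel["spdxElementId"]),
                "relatedSpdxElement": rid(rel["relatedSpdxElement"])})
    return merged

def needs_license_review(merged):
    # Packages without a usable concluded license need a manual check.
    unknown = {None, "", "NONE", "NOASSERTION"}
    return sorted({p["name"] for p in merged["packages"]
                   if p.get("licenseConcluded") in unknown})

# Constructed sample input: two per-port documents that reuse the same IDs.
def make_doc(port, lic):
    return {"packages": [{"SPDXID": "SPDXRef-port", "name": port, "licenseConcluded": lic}],
            "files": [{"SPDXID": "SPDXRef-file-0", "fileName": "./portfile.cmake"}],
            "relationships": [{"spdxElementId": "SPDXRef-port", "relationshipType": "CONTAINS",
                               "relatedSpdxElement": "SPDXRef-file-0"}]}

SAMPLE = [make_doc("zlib", "Zlib"), make_doc("fmt", "NOASSERTION")]

if __name__ == "__main__":
    print(json.dumps(merge_spdx(SAMPLE), indent=2))
    print("needs review:", needs_license_review(merge_spdx(SAMPLE)))
```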


🔧 Command Line API

$ vcpkg-sbom --help
usage: A software bill of materials extracter and merger for `vcpkg` manifest projects.

positional arguments:
  vcpkg_root            Path to the `vcpkg_installed` folder of your manifest project.

options:
  -h, --help            show this help message and exit
  -t TRIPLET, --triplet TRIPLET
                        The `vcpkg` triplet to use.
  -p PROJECT, --project PROJECT
                        The project's name that will be used for the merged output files.
  -n NAMESPACE, --namespace NAMESPACE
                        The software's namespace to use for the `spdx` file.
  -o ORGANIZATION, --organization ORGANIZATION
                        The organization or company name to use for the `spdx` file.
  -e EMAIL, --email EMAIL
                        The email to use for the `spdx` file.
  -c, --copyright       Additionally extract and merge all copyright files in a `*.txt` file.
  -l, --license         Additionally extract and merge all license types in a `*.json` file.

Important

Default values:

  • triplet: x64-windows
  • project: project
  • namespace: https://spdx.org/spdxdocs/
  • organization: org
  • email: info@org.com
  • copyright: flag to enable copyright file merging
  • license: flag to enable license info merging

Tip

Info on how to choose a proper namespace can be found here

Acknowledgements / Material

Disclaimer / Limitations

Warning

As indicated in the vcpkg docs: The licensing information provided for each package in the vcpkg registry represents Microsoft's best understanding of the licensing requirements. However, this information may not be definitive. Users are advised to verify the exact licensing requirements for each package they intend to use, as it is ultimately their responsibility to ensure compliance with the applicable licenses.

While vcpkg offers a lot of information about licensing, this information should be scrutinized. Any tool that builds on top of the information provided by vcpkg is reliant on the legibility of the provided data, and should thus also be scrutinized for correctness.