A Python command line tool to extract a combined software bill of materials (SBOM) and license info from a vcpkg manifest project.

## Installation

### PyPI

Open a command line and run:

```sh
pip install vcpkg-sbom
```

### From source

Download the repo:

```sh
git clone https://github.com/moverseai/vcpkg-sbom vcpkg-sbom
cd vcpkg-sbom
```

From the repo's root path run:

```sh
pip install .
```

For an editable (development) install run:

```sh
pip install -e .
```
## Usage

```sh
vcpkg-sbom PATH/TO/PROJECT/vcpkg_installed
```

Example output (the table lists the installed packages that were found, followed by the merge progress):

| ID | Package |
|---|---|
| 0 | package name #1 |
| 1 | package name #2 |
| 2 | package name #3 |
| ... | package name #N |

```
Merging spdx: ━━━━━━━━━━━━━━━━━━ 100% 0:00:00
Extracting & merging copyrights ...
Merging copyrights: ━━━━━━━━━━━━━━━━━━ 0% -:--:--
```
> [!NOTE]
> The output file is an SPDX-2.3 `SPDXRef-DOCUMENT` that merges all available `*.spdx.json` files from the manifest's installed packages.
> [!TIP]
> The default triplet is `x64-windows`. The triplet is appended to the path given on the command line before searching for the installed packages, so the command above searches `PATH/TO/PROJECT/vcpkg_installed/x64-windows`. Pass `-t`/`--triplet` for any other triplet.
> [!IMPORTANT]
> The output files (`*.spdx.json` and, optionally, `*_license_info.json` and `*_EULA.txt`) are written to the current working directory from which the command was executed, not into the `vcpkg_installed` folder.
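To make the merge step concrete, here is an added example that is not vcpkg-sbom's own code: a minimal merger that does what the notes above describe, on a constructed sample tree. It assumes vcpkg keeps each installed port's SPDX file at `<vcpkg_installed>/<triplet>/share/<port>/vcpkg.spdx.json`, appends the triplet to the given path exactly like the tool, re-prefixes every package's `SPDXID` with its port name (the per-port files all reuse the same IDs, so a naive concatenation would produce an invalid SPDX document), and flags packages whose declared license is `NOASSERTION` so they can be checked by hand. The three sample ports, their versions and licenses are made up for the example.

```python
"""Added example (not vcpkg-sbom's own code): merge per-port SPDX files from a
vcpkg_installed tree into one SPDX-2.3 document and summarise the licenses.
Assumed layout: <vcpkg_installed>/<triplet>/share/<port>/vcpkg.spdx.json."""
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def _port_doc(port, version, license_id):
    """Constructed stand-in for the per-port SPDX file vcpkg writes."""
    return {
        "spdxVersion": "SPDX-2.3",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": f"{port}:x64-windows@{version}",
        "packages": [{
            "name": port, "SPDXID": "SPDXRef-port", "versionInfo": version,
            "downloadLocation": "NOASSERTION",
            "licenseConcluded": license_id, "licenseDeclared": license_id,
            "copyrightText": "NOASSERTION",
        }],
        "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT",
                           "relationshipType": "DESCRIBES",
                           "relatedSpdxElement": "SPDXRef-port"}],
    }


# Three constructed ports; "somelib" carries no usable license expression.
SAMPLE_PORTS = {
    "zlib": _port_doc("zlib", "1.3.1", "Zlib"),
    "fmt": _port_doc("fmt", "10.2.1", "MIT"),
    "somelib": _port_doc("somelib", "0.1.0", "NOASSERTION"),
}


def write_sample_tree(vcpkg_root: Path, triplet: str = "x64-windows") -> Path:
    """Write the sample ports into a fake vcpkg_installed tree."""
    for port, doc in SAMPLE_PORTS.items():
        share = vcpkg_root / triplet / "share" / port
        share.mkdir(parents=True, exist_ok=True)
        (share / "vcpkg.spdx.json").write_text(json.dumps(doc))
    return vcpkg_root


def merge_spdx(vcpkg_root, triplet="x64-windows", project="project",
               namespace="https://spdx.org/spdxdocs/", organization="org",
               email="info@org.com"):
    """Merge every *.spdx.json under <vcpkg_root>/<triplet> into one document."""
    search_root = Path(vcpkg_root) / triplet   # triplet is appended, as the tool does
    merged = {
        "spdxVersion": "SPDX-2.3",
        "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": project,
        "documentNamespace": namespace.rstrip("/") + "/" + project,
        "creationInfo": {
            "created": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "creators": [f"Organization: {organization} ({email})"],
        },
        "packages": [],
        "relationships": [],
    }
    for spdx_file in sorted(search_root.glob("share/*/*.spdx.json")):
        port = spdx_file.parent.name
        doc = json.loads(spdx_file.read_text())
        # SPDXIDs are only unique within their own document: every port file
        # uses "SPDXRef-port", so prefix them with the port name before merging.
        rename = {p["SPDXID"]: "SPDXRef-" + port + "-" + p["SPDXID"].replace("SPDXRef-", "", 1)
                  for p in doc.get("packages", [])}
        for pkg in doc.get("packages", []):
            merged["packages"].append({**pkg, "SPDXID": rename[pkg["SPDXID"]]})
        # Relationships that hung off the port's own SPDXRef-DOCUMENT now hang
        # off the merged document, which keeps the same ID.
        for rel in doc.get("relationships", []):
            src, dst = rel["spdxElementId"], rel["relatedSpdxElement"]
            merged["relationships"].append({
                "spdxElementId": rename.get(src, src),
                "relationshipType": rel["relationshipType"],
                "relatedSpdxElement": rename.get(dst, dst),
            })
    return merged


def collect_license_info(merged):
    """Per-package declared licenses, plus the packages a human still has to check."""
    licenses = {p["name"]: p.get("licenseDeclared", "NOASSERTION")
                for p in merged["packages"]}
    unknown = {"NOASSERTION", "NONE"}
    return {
        "licenses": licenses,
        "distinct": sorted(set(licenses.values()) - unknown),
        "unverified": sorted(n for n, lic in licenses.items() if lic in unknown),
    }


def demo(project="demo"):
    """Build the sample tree in a temp dir, merge it and return (document, license info)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = write_sample_tree(Path(tmp) / "vcpkg_installed")
        merged = merge_spdx(root, project=project)
    return merged, collect_license_info(merged)


if __name__ == "__main__":
    doc, info = demo()
    # Like the tool, write the merged document into the current working directory.
    Path("demo.spdx.json").write_text(json.dumps(doc, indent=2))
    print(json.dumps(info, indent=2))
```

Running it writes `demo.spdx.json` to the current directory and prints the license summary; `somelib` ends up in `unverified`, which is exactly the kind of entry the warning at the end of this page asks you to resolve by hand rather than trust.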
```
$ vcpkg-sbom --help
usage: A software bill of materials extracter and merger for `vcpkg` manifest projects.

positional arguments:
  vcpkg_root            Path to the `vcpkg_installed` folder of your manifest project.

options:
  -h, --help            show this help message and exit
  -t TRIPLET, --triplet TRIPLET
                        The `vcpkg` triplet to use.
  -p PROJECT, --project PROJECT
                        The project's name that will be used for the merged output files.
  -n NAMESPACE, --namespace NAMESPACE
                        The software's namespace to use for the `spdx` file.
  -o ORGANIZATION, --organization ORGANIZATION
                        The organization or company name to use for the `spdx` file.
  -e EMAIL, --email EMAIL
                        The email to use for the `spdx` file.
  -c, --copyright       Additionally extract and merge all copyright files in a `*.txt` file.
  -l, --license         Additionally extract and merge all license types in a `*.json` file.
```
> [!IMPORTANT]
> Default values:
>
> - `triplet`: `x64-windows`
> - `project`: `project`
> - `namespace`: `https://spdx.org/spdxdocs/`
> - `organization`: `org`
> - `email`: `info@org.com`
> - `copyright`: flag to enable copyright file merging (off unless `-c` is given)
> - `license`: flag to enable license info merging (off unless `-l` is given)
> [!TIP]
> Info on how to choose a proper namespace can be found here.
## References

- `vcpkg` SPDX info and discussion at the Microsoft docs
- The merging code was adapted from https://github.com/philips-software/SPDXMerge
- The `jq` script here is a nice alternative
- licensecpp is another approach, starting from the `vcpkg` manifest.json file
- SPDX docs
> [!WARNING]
> As indicated at the `vcpkg` docs:
>
> > The licensing information provided for each package in the vcpkg registry represents Microsoft's best understanding of the licensing requirements. However, this information may not be definitive. Users are advised to verify the exact licensing requirements for each package they intend to use, as it is ultimately their responsibility to ensure compliance with the applicable licenses.
>
> While `vcpkg` offers a lot of information about licensing, this information should be scrutinized. Any tool that builds on top of the information provided by `vcpkg` is only as reliable as that data, and its output should therefore also be scrutinized for correctness before it is used for compliance decisions.