Skip to main content

Toolset that helps with creating and interacting with SBOMs, enriching with licensing and copyright information, and checking for Open Source license compliance

Project description

Compliance Assistant

Test suites REUSE status The latest version of Compliance Assistant can be found on PyPI. Information on what versions of Python Compliance Assistant supports can be found on PyPI.

Compliance Assistant is a comprehensive toolset designed to assist with creating and managing Software Bill of Materials (SBOMs). It helps in enriching SBOMs with licensing and copyright information and checks for Open Source license compliance using data from ClearlyDefined.

Features

  • SBOM Generation: Automatically generate a CycloneDX SBOM from a specified code repository.
  • SBOM Enrichment: Enhance an existing SBOM with detailed licensing and copyright information using ClearlyDefined data.
  • SBOM Parsing: Extract specific information from a CycloneDX SBOM.
  • License and Copyright Information Retrieval: Fetch licensing and copyright details for a single package from ClearlyDefined.
  • License compliance support: Extract and unify licenses from SBOM, suggest possible license outbound candidates

Some of these features are made possible by excellent programs such as flict and cdxgen.

Requirements

  • Python 3.10+
  • Internet connection for accessing ClearlyDefined services
  • Docker for generating SBOMs

Installation

Install and run via pipx (Recommended)

pipx makes installing and running Python programs easier and avoid conflicts with other packages. Install it with

pip3 install pipx

The following one-liner both installs and runs this program from PyPI:

pipx run compliance-assistant

If you want to be able to use compliance-assistant without prepending it with pipx run every time, install it globally like so:

pipx install compliance-assistant

compliance-assistant will then be available in ~/.local/bin, which must be added to your $PATH.

After this, make sure that ~/.local/bin is in your $PATH. On Windows, the required path for your environment may look like %USERPROFILE%\AppData\Roaming\Python\Python310\Scripts, depending on the Python version you have installed.

To upgrade compliance-assistant to the newest available version, run this command:

pipx upgrade compliance-assistant

Other installation methods

You may also use pure pip or poetry to install this package.

Usage

The Compliance Assistant provides multiple commands to facilitate different tasks. Each command is invoked through the compliance-assistant command-line interface with specific options.

Depending on your exact installation method, this may be one of

# Run via pipx
pipx run compliance-assistant
# Installation via pipx or pip
compliance-assistant
# Run via poetry
poetry run compliance-assistant

In the following, we will just use compliance-assistant.

Command Structure

compliance-assistant <command> [<subcommand>] [subcommand-options]

Commands

Please run compliance-assistant --help to get an overview of the commands and global options.

For each command, you can get detailed options, e.g. compliance-assistant sbom enrich --help.

Examples

  • Create an SBOM for the current directory: compliance-assistant sbom generate -d .
  • Enrich an SBOM with ClearlyDefined data: compliance-assistant sbom enrich -f /tmp/my-sbom.json -o /tmp/my-enriched-sbom.json
  • Extract certain data from an SBOM: compliance-assistant sbom parse -f /tmp/my-enriched-sbom.json -e purl,copyright,name
  • Gather ClearlyDefined licensing/copyright information for one package: compliance-assistant clearlydefined fetch -p pkg:pypi/inwx-dns-recordmaster@0.3.1
  • Get license outbound candidate based on licenses from SBOM: compliance-assistant licensing outbound -f /tmp/my-enriched-sbom.json

Run as GitHub workflow

You may also use GitHub workflows to generate an SBOM regularly, e.g. on each published release:

name: Generate and enrich SBOM

on:
  release:
    types: [published]

jobs:
  # Generate raw SBOM using cdxgen, but with NPMJS package, not Docker container
  sbom-gen:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4
      - name: Install cdxgen
        run: npm install -g @cyclonedx/cdxgen
      - name: Generate CycloneDX SBOM with cdxgen
        run: cdxgen -r . -o ${{ runner.temp }}/sbom-raw.json
      - name: Store raw SBOM as artifact
        uses: actions/upload-artifact@v4
        with:
          name: sbom-raw
          path: ${{ runner.temp }}/sbom-raw.json

  # Enrich the generated SBOM
  sbom-enrich:
    runs-on: ubuntu-22.04
    needs: sbom-gen
    steps:
      # Install compliance-assistant
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Install compliance-assistant
        run: pip install compliance-assistant
      # Download raw SBOM
      - uses: actions/download-artifact@v4
        with:
          name: sbom-raw
          path: ${{ runner.temp }}
      # Run compliance-assistant sbom-enrich
      - name: Enrich SBOM
        run: compliance-assistant sbom enrich -f ${{ runner.temp }}/sbom-raw.json -o ${{ runner.temp }}/sbom-enriched.json
      # Upload enriched SBOM as artifact
      - name: Store enriched SBOM as artifact
        uses: actions/upload-artifact@v4
        with:
          name: sbom-enriched
          path: ${{ runner.temp }}/sbom-enriched.json

Development and Contribution

We welcome contributions to improve Compliance Assistant. Please read CONTRIBUTING.md for all information.

License

The content of this repository is licensed under the Apache 2.0 license.

There may be components under different, but compatible licenses or from different copyright holders. The project is REUSE compliant which makes these portions transparent. You will find all used licenses in the LICENSES directory.

The project is has been started by the OpenRail Association. You are welcome to contribute!

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

compliance_assistant-0.3.0.tar.gz (28.6 kB view details)

Uploaded Source

Built Distribution

compliance_assistant-0.3.0-py3-none-any.whl (36.1 kB view details)

Uploaded Python 3

File details

Details for the file compliance_assistant-0.3.0.tar.gz.

File metadata

  • Download URL: compliance_assistant-0.3.0.tar.gz
  • Upload date:
  • Size: 28.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/1.8.3 CPython/3.12.1 Linux/6.5.0-1025-azure

File hashes

Hashes for compliance_assistant-0.3.0.tar.gz
Algorithm Hash digest
SHA256 b749ca2a67206202cbed1d2705793290de3c7f38b7b87c1cba93d6e347d2c2d7
MD5 3bcf2f58ed1f89148109fa4fd9f10a08
BLAKE2b-256 45901ccd08ea2f7107647f6a2df98d3eb9b7f44cb79e37615c73ac5e45e9f90a

See more details on using hashes here.

File details

Details for the file compliance_assistant-0.3.0-py3-none-any.whl.

File metadata

File hashes

Hashes for compliance_assistant-0.3.0-py3-none-any.whl
Algorithm Hash digest
SHA256 e323f3882f1f79d33721a7718f1114f40abe5e3e5dc96b9a3ab757159145166e
MD5 92a021d183167d4461775741cbac4874
BLAKE2b-256 d9996866f3c9b7c65d4711c821f6d5ea895505e8d881c192ef7aa373f2bd8588

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page