Setup OSS Review Toolkit SBoM generation #14241
Conversation
Theoretically Elixir depends on Make (build-time only) and Erlang, but those are done through the system. Does SBOM make a distinction between build and runtime deps? What about system vs actual deps?
What are mix/rebar applications here? And does it impact this repo in any way, given we don't depend on any of those? Regarding licenses and copyrights, agreed. Let's do that next. :) |
| @@ -0,0 +1 @@ | |||
| For terms of use and license, see https://elixir-lang.org/trademarks | |||
There was a problem hiding this comment.
This license could be added to the scancode licensedb for future detection :)
An example of where to submit follows :)
https://github.com/aboutcode-org/scancode-licensedb/blob/main/docs/adaptec-downloadable.json
There was a problem hiding this comment.
By chance I'm standing next to a maintainer from the ScanCode team at a CRA Workshop of the Eclipse Foundation. Apparently the right way is to just open a GitHub issue on the LicenseDB.
I'll look into that.
There was a problem hiding this comment.
Let me know once we are ready to go forward then!
The only thing that this claims is the source Software Bill of Materials (SBOM), so the files that exist in this repo. |
That depends heavily between standards and their versions. I'll have a closer look at that once we add build information to the SBoMs.
Elixir contains multiple "components" like elixir, mix, eex, etc. It would be good if the tooling recognized those distinctly. |
maennchen
force-pushed
the
jm/oss-review-toolkit
branch
from
69afc0a to
f8b859d
Compare
@kikofernandez is Erlang being broken into multiple components as well or a single one? I am not sure for Elixir if it makes sense to break them apart. They are always shipped together anyway. Might as well consider as a single entity? |
At the moment, we are going to create a single package for the source SBOM, which will contain all of OTP. |
|
If I may, I would suggest that Elixir starts to annotate all files with a license and possibly copyright identifier. I create a REUSE PR (PR-1117) that allows to add easily licenses to Erlang, Elixir, and Gleam |
|
@kikofernandez we plan to do that in a future PR :) @maennchen let's focus on shipping Elixir as a single unit for the foreseeable future as well! |
Implement Source SBoM Generation
Scope
This PR implements source SBoM generation using OSS Review Toolkit
in the following formats:
The PR implements a very simple Open Source Policy with a list of allowed licenses. Namely:
Apache-2.0(Elixir itself / copied OTP code)LicenseRef-elixir-trademark-policy(Elixir Logo)LicenseRef-scancode-unicode(Unicode Files)The idea is that if we add other code / dependencies with other licenses, the inclusion has to be
agreed by the Elixir team and the list extended.
OpenChain
This PR implements the technical parts of OpenChain ISO/IEC 18974:2023.
Specifically:
Future
There's a few things I would like to address in the future:
be relatively trivial to achieve OpenChain compliance after this PR. I'd like to
propose the required documentation and certify compliance. (btw. Ericsson including
OTP is OpenChain compliant and on the way to be certified as well.)
the distribution assets. This is not feasible until ORT recognizes mix applications.
SBoMs themselves, I'd like to incorporate that.
.ort.yml. It would bebetter to include a header in each file to state the license explicitly. This also
works when code is copied from this repository.
LICENSEin theroot. It would be better to include a header in each file to state the copyright explicitly.
This also works when code is copied from this repository.
Results
ci.ymlrun: https://github.com/maennchen/elixir/actions/runs/13029706072release.ymlrun: https://github.com/maennchen/elixir/actions/runs/13029706053