Compliance Assistant is a comprehensive toolset designed to assist with creating and managing Software Bill of Materials (SBOMs). It helps in enriching SBOMs with licensing and copyright information and checks for Open Source license compliance using data from ClearlyDefined.
- SBOM Generation: Automatically generate a CycloneDX SBOM from a specified code repository.
- SBOM Enrichment: Enhance an existing SBOM with detailed licensing and copyright information using ClearlyDefined data.
- SBOM Parsing: Extract specific information from a CycloneDX SBOM.
- License and Copyright Information Retrieval: Fetch licensing and copyright details for a single package from ClearlyDefined.
- License compliance support: Extract and unify licenses from SBOM, suggest possible license outbound candidates
Some of these features are made possible by excellent programs such as flict, cdxgen and syft.
- Python 3.10+
- Internet connection for accessing ClearlyDefined services
- At least one SBOM generator:
pipx makes installing and running Python programs easier and avoids conflicts with other packages. Install it with
pip3 install pipx
The following one-liner both installs and runs this program from PyPI:
pipx run compliance-assistant
If you want to be able to use compliance-assistant without prepending it with pipx run
every time, install it globally like so:
pipx install compliance-assistant
compliance-assistant will then be available in ~/.local/bin
, which must be added to your $PATH
.
After this, make sure that ~/.local/bin
is in your $PATH
. On Windows, the required path for your environment may look like %USERPROFILE%\AppData\Roaming\Python\Python310\Scripts
, depending on the Python version you have installed.
To upgrade compliance-assistant to the newest available version, run this command:
pipx upgrade compliance-assistant
You may also use pure pip
or poetry
to install this package.
The Compliance Assistant provides multiple commands to facilitate different tasks. Each command is invoked through the compliance-assistant
command-line interface with specific options.
Depending on your exact installation method, this may be one of
# Run via pipx
pipx run compliance-assistant
# Installation via pipx or pip
compliance-assistant
# Run via poetry
poetry run compliance-assistant
In the following, we will just use compliance-assistant
.
compliance-assistant <command> [<subcommand>] [subcommand-options]
Please run compliance-assistant --help
to get an overview of the commands and global options.
For each command, you can get detailed options, e.g., compliance-assistant sbom enrich --help
.
- Create an SBOM for the current directory using syft:
compliance-assistant sbom generate -g syft -d . -o /tmp/my-sbom.json
- Enrich an SBOM with ClearlyDefined data:
compliance-assistant sbom enrich -f /tmp/my-sbom.json -o /tmp/my-enriched-sbom.json
- Extract certain data from an SBOM:
compliance-assistant sbom parse -f /tmp/my-enriched-sbom.json -e purl,copyright,name
- Gather ClearlyDefined licensing/copyright information for one package:
compliance-assistant clearlydefined fetch -p pkg:pypi/[email protected]
- Get all licenses found in the enriched SBOM:
compliance-assistant licensing list -f /tmp/my-enriched-sbom.json -o plain
- Get license outbound candidate based on licenses from SBOM:
compliance-assistant licensing outbound -f /tmp/my-enriched-sbom.json
You may also use GitHub workflows to generate an SBOM regularly, e.g., on each published release:
name: Generate and enrich SBOM
on:
release:
types: [published]
jobs:
# Generate the SBOM with syft and enrich the generated SBOM
sbom-generate-and-enrich:
runs-on: ubuntu-22.04
needs: sbom-gen
steps:
# Install compliance-assistant
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.12"
cache: "pip"
- name: Install compliance-assistant
run: pip install compliance-assistant
# Install syft
- run: mkdir -p ~/.local/bin
- name: Install syft
run: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b ~/.local/bin
# Generate SBOM with syft via compliance-assistant
- name: Generate SBOM with syft
run: poetry run compliance-assistant sbom generate -g syft -d . -o ${{ runner.temp }}/sbom-raw.json
# Enrich SBOM with compliance-assistant
- name: Enrich SBOM
run: compliance-assistant sbom enrich -f ${{ runner.temp }}/sbom-raw.json -o ${{ runner.temp }}/sbom-enriched.json
# Upload enriched SBOM as artifact
- name: Store enriched SBOM as artifact
uses: actions/upload-artifact@v4
with:
name: sbom-enriched
path: ${{ runner.temp }}/sbom-enriched.json
We welcome contributions to improve Compliance Assistant. Please read CONTRIBUTING.md for all information.
The content of this repository is licensed under the Apache 2.0 license.
There may be components under different, but compatible licenses or from different copyright holders. The project is REUSE compliant which makes these portions transparent. You will find all used licenses in the LICENSES directory.
The project has been started by the OpenRail Association. You are welcome to contribute!