<!--
SPDX-FileCopyrightText: 2024 DB Systel GmbH
SPDX-License-Identifier: Apache-2.0
-->
# Compliance Assistant
[![Test suites](https://github.com/OpenRailAssociation/compliance-assistant/actions/workflows/test.yaml/badge.svg)](https://github.com/OpenRailAssociation/compliance-assistant/actions/workflows/test.yaml)
[![REUSE status](https://api.reuse.software/badge/github.com/OpenRailAssociation/compliance-assistant)](https://api.reuse.software/info/github.com/OpenRailAssociation/compliance-assistant)
[![The latest version of Compliance Assistant can be found on PyPI.](https://img.shields.io/pypi/v/compliance-assistant.svg)](https://pypi.org/project/compliance-assistant/)
[![Information on what versions of Python Compliance Assistant supports can be found on PyPI.](https://img.shields.io/pypi/pyversions/compliance-assistant.svg)](https://pypi.org/project/compliance-assistant/)
**Compliance Assistant** is a comprehensive toolset designed to assist with creating and managing Software Bill of Materials (SBOMs). It helps in enriching SBOMs with licensing and copyright information and checks for Open Source license compliance using data from [ClearlyDefined](https://clearlydefined.io/).
<!-- TOC -->
- [Compliance Assistant](#compliance-assistant)
  - [Features](#features)
  - [Requirements](#requirements)
  - [Installation](#installation)
  - [Usage](#usage)
  - [Development and Contribution](#development-and-contribution)
  - [License](#license)
<!-- /TOC -->
## Features
- **SBOM Generation**: Automatically generate a CycloneDX SBOM from a specified code repository.
- **SBOM Enrichment**: Enhance an existing SBOM with detailed licensing and copyright information using ClearlyDefined data.
- **SBOM Parsing**: Extract specific information from a CycloneDX SBOM.
- **License and Copyright Information Retrieval**: Fetch licensing and copyright details for a single package from ClearlyDefined.
- **License compliance support**: Extract and unify the licenses found in an SBOM and suggest possible outbound license candidates for the combined work.
Some of these features are made possible by excellent programs such as [flict](https://github.com/vinland-technology/flict), [cdxgen](https://github.com/CycloneDX/cdxgen) and [syft](https://github.com/anchore/syft/).
## Requirements
- Python 3.10+
- Internet connection for accessing ClearlyDefined services
- At least one SBOM generator:
  - [syft](https://github.com/anchore/syft/)
  - [cdxgen](https://github.com/CycloneDX/cdxgen)
  - [Docker](https://www.docker.com/) for generating SBOMs with the dockerized cdxgen
## Installation
### Install and run via pipx (Recommended)
[pipx](https://pypa.github.io/pipx/) makes installing and running Python programs easier and avoids conflicts with other packages. Install it with
```sh
pip3 install pipx
```
The following one-liner both installs and runs this program from [PyPI](https://pypi.org/project/compliance-assistant/):
```sh
pipx run compliance-assistant
```
If you want to be able to use compliance-assistant without prepending it with `pipx run` every time, install it globally like so:
```sh
pipx install compliance-assistant
```
compliance-assistant will then be available in `~/.local/bin`, so make sure that directory is in your `$PATH`. On Windows, the required path for your environment may look like `%USERPROFILE%\AppData\Roaming\Python\Python310\Scripts`, depending on the Python version you have installed.
To upgrade compliance-assistant to the newest available version, run this command:
```sh
pipx upgrade compliance-assistant
```
### Other installation methods
You may also use pure `pip` or `poetry` to install this package.
## Usage
The Compliance Assistant provides multiple commands to facilitate different tasks. Each command is invoked through the `compliance-assistant` command-line interface with specific options.
Depending on your exact installation method, the invocation is one of:
```sh
# Run via pipx
pipx run compliance-assistant
# Installation via pipx or pip
compliance-assistant
# Run via poetry
poetry run compliance-assistant
```
In the following, we will just use `compliance-assistant`.
### Command Structure
```bash
compliance-assistant <command> [<subcommand>] [subcommand-options]
```
### Commands
Please run `compliance-assistant --help` to get an overview of the commands and global options.
For each command, you can get detailed options, e.g., `compliance-assistant sbom enrich --help`.
### Examples
* Create an SBOM for the current directory using [syft](https://github.com/anchore/syft/): `compliance-assistant sbom generate -g syft -d . -o /tmp/my-sbom.json`
* Enrich an SBOM with ClearlyDefined data: `compliance-assistant sbom enrich -f /tmp/my-sbom.json -o /tmp/my-enriched-sbom.json`
* Extract certain data from an SBOM: `compliance-assistant sbom parse -f /tmp/my-enriched-sbom.json -e purl,copyright,name`
* Gather ClearlyDefined licensing/copyright information for one package: `compliance-assistant clearlydefined fetch -p pkg:pypi/inwx-dns-recordmaster@0.3.1`
* Get all licenses found in the enriched SBOM: `compliance-assistant licensing list -f /tmp/my-enriched-sbom.json -o plain`
* Get license outbound candidate based on licenses from SBOM: `compliance-assistant licensing outbound -f /tmp/my-enriched-sbom.json`
### Run as GitHub workflow
You may also use GitHub workflows to generate an SBOM regularly, e.g., on each published release. The repository has to be checked out first, otherwise `-d .` points at an empty workspace:
```yaml
name: Generate and enrich SBOM

on:
  release:
    types: [published]

jobs:
  # Generate the SBOM with syft and enrich the generated SBOM
  sbom-generate-and-enrich:
    runs-on: ubuntu-22.04
    steps:
      # Check out the release so that the SBOM describes this repository's tree
      - name: Check out repository
        uses: actions/checkout@v4
      # Install compliance-assistant
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Install compliance-assistant
        run: pip install compliance-assistant
      # Install syft (the runner's ~/.local/bin is on PATH on GitHub-hosted Ubuntu images)
      - run: mkdir -p ~/.local/bin
      - name: Install syft
        run: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b ~/.local/bin
      # Generate SBOM with syft via compliance-assistant
      - name: Generate SBOM with syft
        run: compliance-assistant sbom generate -g syft -d . -o ${{ runner.temp }}/sbom-raw.json
      # Enrich SBOM with compliance-assistant
      - name: Enrich SBOM
        run: compliance-assistant sbom enrich -f ${{ runner.temp }}/sbom-raw.json -o ${{ runner.temp }}/sbom-enriched.json
      # Upload enriched SBOM as artifact
      - name: Store enriched SBOM as artifact
        uses: actions/upload-artifact@v4
        with:
          name: sbom-enriched
          path: ${{ runner.temp }}/sbom-enriched.json
```
Two caveats for a pipeline whose output is itself a supply-chain record: the syft install step fetches a script from the `main` branch and pipes it straight into `sh`, so neither the installer nor the syft release it pulls is pinned; and `pip install compliance-assistant` without a version installs whatever is newest on PyPI. For reproducible, auditable SBOMs, pin the syft release and the installer revision, pin the `compliance-assistant` version, and pin the actions to a commit SHA rather than a moving major tag.
## Development and Contribution
We welcome contributions to improve Compliance Assistant. Please read [CONTRIBUTING.md](./CONTRIBUTING.md) for all information.
## License
The content of this repository is licensed under the [Apache 2.0 license](https://www.apache.org/licenses/LICENSE-2.0).
There may be components under different, but compatible licenses or from different copyright holders. The project is REUSE compliant which makes these portions transparent. You will find all used licenses in the [LICENSES](./LICENSES/) directory.
The project has been started by the [OpenRail Association](https://openrailassociation.org). You are welcome to [contribute](./CONTRIBUTING.md)!