vcpkg-sbom


Namevcpkg-sbom JSON
Version 0.0.6 PyPI version JSON
download
home_pagehttps://github.com/moverseai/vcpkg-sbom/
SummaryA python CLI tool to extract a merged software bill of materials and license info from a vcpkg manifest.
upload_time2024-10-15 20:09:23
maintainerNone
docs_urlNone
authorMoverse P.C.
requires_python>=3.8
licenseNone
keywords software-bill-of-materials developer-tools sbom spdx vcpkg license eula cpp c++ dependencies oss
VCS
bugtrack_url
requirements No requirements were recorded.
Travis-CI No Travis.
coveralls test coverage No coveralls.
            # 📓 Software Bill-of-Materials for `vcpkg` manifests.

[![Python Version](https://img.shields.io/pypi/pyversions/vcpkg-sbom.svg)](https://pypi.org/project/vcpkg-sbom)
[![PyPI](https://img.shields.io/pypi/v/vcpkg-sbom.svg)](https://pypi.org/project/vcpkg-sbom)
![PyPI - Wheel](https://img.shields.io/pypi/wheel/vcpkg-sbom)
![PyPI - Status](https://img.shields.io/pypi/status/vcpkg-sbom)
[![GitHub Release Date](https://img.shields.io/github/release-date/moverseai/vcpkg-sbom)](https://github.com/moverseai/vcpkg-sbom/releases)
[![PyPI - Downloads](https://img.shields.io/pypi/dm/vcpkg-sbom?style=plastic&logo=python&logoColor=magenta&color=magenta&link=https%3A%2F%2Fpypi.org%2Fproject%2Fvcpkg-sbom%2F)](https://pypi.org/project/vcpkg-sbom/)

![GitHub repo size](https://img.shields.io/github/repo-size/moverseai/vcpkg-sbom)
[![PyPI - License](https://img.shields.io/pypi/l/vcpkg-sbom)](https://github.com/moverseai/vcpkg-sbom/blob/main/LICENSE)
[![Code style: black](https://img.shields.io/badge/code%20style-black-000000.svg)](https://github.com/psf/black)
[![Black Format](https://github.com/moverseai/rerun-animation/actions/workflows/black.yaml/badge.svg)](https://github.com/moverseai/vcpkg-sbom/actions/workflows/black.yaml)
[![Discord](https://dcbadge.limes.pink/api/server/bQc7B6qSPd?style=flat)](https://discord.gg/bQc7B6qSPd)

___

<!-- [![Downloads](https://static.pepy.tech/badge/rerun-animation/month)](https://pepy.tech/project/rerun-animation) -->

>A python command line tool to extract a combined software bill of materials and license info from a vcpkg manifest.

## Installation

### :snake: [PyPi](https://pypi.org/project/vcpkg-sbom/)

Open a command line and run:
```py
pip install vcpkg-sbom
```

---

### :octocat: Local

Downlaod the repo:
```sh
git clone https://github.com/moverseai/vcpkg-sbom vcpkg-sbom
cd vcpkg-sbom
```

From the repo's root path run:

```py
pip install .
```

For an editable install run:

```py
pip install -e .
```

## :keyboard: Usage

```sh
vcpkg-sbom PATH/TO/PROJECT/vcpkg_installed
```

| ID | Package |
|:---:|:---|
| 0  | package name #1 |
| 1  | package name #2 |
| 2  | package name #3 |
| ... | package name #N |

Merging spdx:  ━━━━━━━━━━━━━━━━━━ 100% 0:00:00

Extracting & merging copyrights ...      

Merging copyrights:  ━━━━━━━━━━━━━━━━━━   0% -:--:--

> [!NOTE]  
> The output file is a `SPDX-2.3` `SPDXRef-DOCUMENT` that merges all available `*.spdx.json` files from the manifest's installed packages.

> [!TIP]  
> The default `triplet` is `x64-windows` and is appended to the cmd line given path before searching for all installed packages.

> [!IMPORTANT]  
> The output files (`*.spdx.json`, and optionally, `*_license_info.json` and `*_EULA.txt`) are written to the current working directory from where the command was executed.

---

### 🔧 Command Line API

```bash
$ vcpkg-sbom --help
usage: A software bill of materials extracter and merger for `vcpkg` manifest projects.

positional arguments:
  vcpkg_root            Path to the `vcpkg_installed` folder of your manifest project.

options:
  -h, --help            show this help message and exit
  -t TRIPLET, --triplet TRIPLET
                        The `vcpkg` triplet to use.
  -p PROJECT, --project PROJECT
                        The project's name that will be used for the merged output files.
  -n NAMESPACE, --namespace NAMESPACE
                        The software's namespace to use for the `spdx` file.
  -o ORGANIZATION, --organization ORGANIZATION
                        The organization or company name to use for the `spdx` file.
  -e EMAIL, --email EMAIL
                        The email to use for the `spdx` file.
  -c, --copyright       Additionally extract and merge all copyright files in a `*.txt` file.
  -l, --license         Additionally extract and merge all license types in a `*.json` file.
```

> [!IMPORTANT]
> Default values:
>   - `triplet`: _x64-windows_
>   - `project`: _project_
>   - `namespace`: _https://spdx.org/spdxdocs/_
>   - `organization`: _org_
>   - `email`: _info@org.com_
>   - `copyright`: flag to enable copyright file merging
>   - `license`: flag to enable license info merging


> [!TIP]  
> Info on how to choose a proper namespace can be found [here](https://spdx.github.io/spdx-spec/v2-draft/document-creation-information/#65-spdx-document-namespace-field)

## Acknowledgements / Material

- vcpkg` spdx [info](https://learn.microsoft.com/en-us/vcpkg/reference/software-bill-of-materials) and [discussion](https://github.com/microsoft/vcpkg/discussions/40700) @ Microsoft docs
- The merging code was adapted from https://github.com/philips-software/SPDXMerge
- The `jq` script [here](https://edgebit.io/blog/merge-two-sboms/) is a nice alternative
- [licensecpp](https://github.com/cenit/licencpp/tree/master) is another approach starting from the `vcpkg` manifest.json file.

## Disclaimer / Limitations

> [!WARNING]
> As indicated at the `vcpkg` [docs](https://learn.microsoft.com/en-us/vcpkg/reference/vcpkg-json#license):
> _The licensing information provided for each package in the vcpkg registry represents Microsoft's best understanding of the licensing requirements. However, this information may not be definitive. Users are advised to verify the exact licensing requirements for each package they intend to use, as it is ultimately their responsibility to ensure compliance with the applicable licenses._

While `vcpkg` offers a lot of information about licensing, this information should be scrutinized. Any tool that builds on top of this information provided by `vcpkg` is reliant on the legibility of the provided data, and should thus, be also scrutinized for correctness.

            

Raw data

            {
    "_id": null,
    "home_page": "https://github.com/moverseai/vcpkg-sbom/",
    "name": "vcpkg-sbom",
    "maintainer": null,
    "docs_url": null,
    "requires_python": ">=3.8",
    "maintainer_email": null,
    "keywords": "software-bill-of-materials, developer-tools, sbom, spdx, vcpkg, license, eula, cpp, c++, dependencies, oss",
    "author": "Moverse P.C.",
    "author_email": "info@moverse.ai",
    "download_url": "https://files.pythonhosted.org/packages/81/06/37858b7413c9a3fda9daf78584bb25664a6e2a61275782c6308277e7b596/vcpkg_sbom-0.0.6.tar.gz",
    "platform": null,
    "description": "# \ud83d\udcd3 Software Bill-of-Materials for `vcpkg` manifests.\n\n[![Python Version](https://img.shields.io/pypi/pyversions/vcpkg-sbom.svg)](https://pypi.org/project/vcpkg-sbom)\n[![PyPI](https://img.shields.io/pypi/v/vcpkg-sbom.svg)](https://pypi.org/project/vcpkg-sbom)\n![PyPI - Wheel](https://img.shields.io/pypi/wheel/vcpkg-sbom)\n![PyPI - Status](https://img.shields.io/pypi/status/vcpkg-sbom)\n[![GitHub Release Date](https://img.shields.io/github/release-date/moverseai/vcpkg-sbom)](https://github.com/moverseai/vcpkg-sbom/releases)\n[![PyPI - Downloads](https://img.shields.io/pypi/dm/vcpkg-sbom?style=plastic&logo=python&logoColor=magenta&color=magenta&link=https%3A%2F%2Fpypi.org%2Fproject%2Fvcpkg-sbom%2F)](https://pypi.org/project/vcpkg-sbom/)\n\n![GitHub repo size](https://img.shields.io/github/repo-size/moverseai/vcpkg-sbom)\n[![PyPI - License](https://img.shields.io/pypi/l/vcpkg-sbom)](https://github.com/moverseai/vcpkg-sbom/blob/main/LICENSE)\n[![Code style: black](https://img.shields.io/badge/code%20style-black-000000.svg)](https://github.com/psf/black)\n[![Black Format](https://github.com/moverseai/rerun-animation/actions/workflows/black.yaml/badge.svg)](https://github.com/moverseai/vcpkg-sbom/actions/workflows/black.yaml)\n[![Discord](https://dcbadge.limes.pink/api/server/bQc7B6qSPd?style=flat)](https://discord.gg/bQc7B6qSPd)\n\n___\n\n<!-- [![Downloads](https://static.pepy.tech/badge/rerun-animation/month)](https://pepy.tech/project/rerun-animation) -->\n\n>A python command line tool to extract a combined software bill of materials and license info from a vcpkg manifest.\n\n## Installation\n\n### :snake: [PyPi](https://pypi.org/project/vcpkg-sbom/)\n\nOpen a command line and run:\n```py\npip install vcpkg-sbom\n```\n\n---\n\n### :octocat: Local\n\nDownlaod the repo:\n```sh\ngit clone https://github.com/moverseai/vcpkg-sbom vcpkg-sbom\ncd vcpkg-sbom\n```\n\nFrom the repo's root path run:\n\n```py\npip install .\n```\n\nFor an editable install run:\n\n```py\npip install -e .\n```\n\n## :keyboard: Usage\n\n```sh\nvcpkg-sbom PATH/TO/PROJECT/vcpkg_installed\n```\n\n| ID | Package |\n|:---:|:---|\n| 0  | package name #1 |\n| 1  | package name #2 |\n| 2  | package name #3 |\n| ... | package name #N |\n\nMerging spdx:  \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501 100% 0:00:00\n\nExtracting & merging copyrights ...      \n\nMerging copyrights:  \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501   0% -:--:--\n\n> [!NOTE]  \n> The output file is a `SPDX-2.3` `SPDXRef-DOCUMENT` that merges all available `*.spdx.json` files from the manifest's installed packages.\n\n> [!TIP]  \n> The default `triplet` is `x64-windows` and is appended to the cmd line given path before searching for all installed packages.\n\n> [!IMPORTANT]  \n> The output files (`*.spdx.json`, and optionally, `*_license_info.json` and `*_EULA.txt`) are written to the current working directory from where the command was executed.\n\n---\n\n### \ud83d\udd27 Command Line API\n\n```bash\n$ vcpkg-sbom --help\nusage: A software bill of materials extracter and merger for `vcpkg` manifest projects.\n\npositional arguments:\n  vcpkg_root            Path to the `vcpkg_installed` folder of your manifest project.\n\noptions:\n  -h, --help            show this help message and exit\n  -t TRIPLET, --triplet TRIPLET\n                        The `vcpkg` triplet to use.\n  -p PROJECT, --project PROJECT\n                        The project's name that will be used for the merged output files.\n  -n NAMESPACE, --namespace NAMESPACE\n                        The software's namespace to use for the `spdx` file.\n  -o ORGANIZATION, --organization ORGANIZATION\n                        The organization or company name to use for the `spdx` file.\n  -e EMAIL, --email EMAIL\n                        The email to use for the `spdx` file.\n  -c, --copyright       Additionally extract and merge all copyright files in a `*.txt` file.\n  -l, --license         Additionally extract and merge all license types in a `*.json` file.\n```\n\n> [!IMPORTANT]\n> Default values:\n>   - `triplet`: _x64-windows_\n>   - `project`: _project_\n>   - `namespace`: _https://spdx.org/spdxdocs/_\n>   - `organization`: _org_\n>   - `email`: _info@org.com_\n>   - `copyright`: flag to enable copyright file merging\n>   - `license`: flag to enable license info merging\n\n\n> [!TIP]  \n> Info on how to choose a proper namespace can be found [here](https://spdx.github.io/spdx-spec/v2-draft/document-creation-information/#65-spdx-document-namespace-field)\n\n## Acknowledgements / Material\n\n- vcpkg` spdx [info](https://learn.microsoft.com/en-us/vcpkg/reference/software-bill-of-materials) and [discussion](https://github.com/microsoft/vcpkg/discussions/40700) @ Microsoft docs\n- The merging code was adapted from https://github.com/philips-software/SPDXMerge\n- The `jq` script [here](https://edgebit.io/blog/merge-two-sboms/) is a nice alternative\n- [licensecpp](https://github.com/cenit/licencpp/tree/master) is another approach starting from the `vcpkg` manifest.json file.\n\n## Disclaimer / Limitations\n\n> [!WARNING]\n> As indicated at the `vcpkg` [docs](https://learn.microsoft.com/en-us/vcpkg/reference/vcpkg-json#license):\n> _The licensing information provided for each package in the vcpkg registry represents Microsoft's best understanding of the licensing requirements. However, this information may not be definitive. Users are advised to verify the exact licensing requirements for each package they intend to use, as it is ultimately their responsibility to ensure compliance with the applicable licenses._\n\nWhile `vcpkg` offers a lot of information about licensing, this information should be scrutinized. Any tool that builds on top of this information provided by `vcpkg` is reliant on the legibility of the provided data, and should thus, be also scrutinized for correctness.\n",
    "bugtrack_url": null,
    "license": null,
    "summary": "A python CLI tool to extract a merged software bill of materials and license info from a vcpkg manifest.",
    "version": "0.0.6",
    "project_urls": {
        "Documentation": "https://github.com/moverseai/vcpkg-sbom/",
        "Homepage": "https://github.com/moverseai/vcpkg-sbom/",
        "Source": "https://github.com/moverseai/vcpkg-sbom/"
    },
    "split_keywords": [
        "software-bill-of-materials",
        " developer-tools",
        " sbom",
        " spdx",
        " vcpkg",
        " license",
        " eula",
        " cpp",
        " c++",
        " dependencies",
        " oss"
    ],
    "urls": [
        {
            "comment_text": "",
            "digests": {
                "blake2b_256": "dd6913678287877c331de61512be2658a92ad95194681fc65ec717036c16ad41",
                "md5": "e254d745c1ecf5db8a08ff5898ead260",
                "sha256": "26f4bc67292aec68bcf2950fc345322abc67ba99f761a80b8bf8c221610de4dd"
            },
            "downloads": -1,
            "filename": "vcpkg_sbom-0.0.6-py3-none-any.whl",
            "has_sig": false,
            "md5_digest": "e254d745c1ecf5db8a08ff5898ead260",
            "packagetype": "bdist_wheel",
            "python_version": "py3",
            "requires_python": ">=3.8",
            "size": 7742,
            "upload_time": "2024-10-15T20:09:22",
            "upload_time_iso_8601": "2024-10-15T20:09:22.599698Z",
            "url": "https://files.pythonhosted.org/packages/dd/69/13678287877c331de61512be2658a92ad95194681fc65ec717036c16ad41/vcpkg_sbom-0.0.6-py3-none-any.whl",
            "yanked": false,
            "yanked_reason": null
        },
        {
            "comment_text": "",
            "digests": {
                "blake2b_256": "810637858b7413c9a3fda9daf78584bb25664a6e2a61275782c6308277e7b596",
                "md5": "b68051b8416fe747aebe739cd3e204f4",
                "sha256": "39de054d514196126a7735a016c9231d700b92763bd1fe66e0b82f86bd8d5db7"
            },
            "downloads": -1,
            "filename": "vcpkg_sbom-0.0.6.tar.gz",
            "has_sig": false,
            "md5_digest": "b68051b8416fe747aebe739cd3e204f4",
            "packagetype": "sdist",
            "python_version": "source",
            "requires_python": ">=3.8",
            "size": 9939,
            "upload_time": "2024-10-15T20:09:23",
            "upload_time_iso_8601": "2024-10-15T20:09:23.747321Z",
            "url": "https://files.pythonhosted.org/packages/81/06/37858b7413c9a3fda9daf78584bb25664a6e2a61275782c6308277e7b596/vcpkg_sbom-0.0.6.tar.gz",
            "yanked": false,
            "yanked_reason": null
        }
    ],
    "upload_time": "2024-10-15 20:09:23",
    "github": true,
    "gitlab": false,
    "bitbucket": false,
    "codeberg": false,
    "github_user": "moverseai",
    "github_project": "vcpkg-sbom",
    "travis_ci": false,
    "coveralls": false,
    "github_actions": true,
    "requirements": [],
    "lcname": "vcpkg-sbom"
}
        
Elapsed time: 0.39034s