SBoM Compliance Tool
SBoM Compliance Tool … License Certainty, Built-in.
SBoM Compliance Tool is a set of tools designed to automate and verify open-source compliance within the Software Bill of Materials (SBOM) ecosystem.
While there are many tools that generate SBOMs (like cdxgen), SBoM Compliance Tool is specialized for the governance phase.
Example question with an SBoM Compliance Tool answer
Now that I have this list of 500 components in an SBoM (our-product.cyclonedx.json), are we legally allowed to ship this product?
$ sbom-compliance-tool our-product.cyclonedx.json
Introduction
The primary goal of the toolkit is to bridge the gap between SBOM generation (knowing what is in your software) and compliance enforcement (ensuring those components adhere to legal and organizational policies). It focuses on:
- Validation: Ensuring that an SBOM (typically in SPDX or CycloneDX format) is not only syntactically correct but also carries the licensing and copyright information needed for a compliance decision. A component with no declared license cannot be cleared, so its absence is itself a finding.
- Policy Checking: Automating the check of whether the licenses discovered in an SBOM are "cleared" or "approved" according to a specific policy, rather than leaving that decision to a manual review of each component.
- Workflow Integration: Providing a way to run these checks in CI/CD pipelines so that compliance issues are caught before software is released.
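To make the three steps above concrete, here is an added illustrative example; it is not code from SBoM Compliance Tool or Licomp Toolkit, and it does not reproduce their logic. It reads a constructed CycloneDX JSON document embedded inline, flags components that declare no license (or only a free-text name with no SPDX identifier), evaluates SPDX license expressions (OR, AND, WITH, parentheses) against a hypothetical approved set, and exits non-zero when anything is not cleared, which is what a CI job would key on. The `APPROVED` set, the `SAMPLE_SBOM` contents and all function names are assumptions made for the example.

```python
"""Illustrative license-policy check over a CycloneDX JSON SBOM.
Example code, not part of SBoM Compliance Tool; policy and SBOM are constructed."""
import json
import re
from dataclasses import dataclass

# Constructed sample SBOM: four components covering the interesting cases.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "some-lib", "version": "1.2.3",
         "licenses": [{"expression": "(GPL-2.0-only OR MIT) AND BSD-3-Clause"}]},
        {"type": "library", "name": "left-pad", "version": "0.0.1",
         "licenses": [{"license": {"name": "Custom EULA"}}]},   # name only, no SPDX id
        {"type": "library", "name": "mystery", "version": "9.9"},  # no license data at all
    ],
})

# Hypothetical policy: SPDX ids (or "ID WITH exception" pairs) cleared for shipping.
APPROVED = {"MIT", "Apache-2.0", "BSD-3-Clause", "GPL-3.0-or-later"}


@dataclass
class Finding:
    component: str
    message: str


def declared_licenses(comp):
    """Yield (kind, value) per license entry; kind is 'id', 'expression' or 'name'."""
    for entry in comp.get("licenses", []):
        if "expression" in entry:
            yield "expression", entry["expression"]
        elif "id" in entry.get("license", {}):
            yield "id", entry["license"]["id"]
        elif "name" in entry.get("license", {}):
            yield "name", entry["license"]["name"]


class _SpdxEval:
    """Tiny recursive-descent evaluator: OR binds loosest, then AND, then WITH."""
    def __init__(self, expr, approved):
        self.toks = re.findall(r"\(|\)|[A-Za-z0-9.+-]+", expr)
        self.i, self.approved = 0, approved

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def expr(self):
        ok = self.and_expr()
        while self.peek() and self.peek().upper() == "OR":
            self.take()
            ok = self.and_expr() or ok      # any cleared alternative is enough
        return ok

    def and_expr(self):
        ok = self.primary()
        while self.peek() and self.peek().upper() == "AND":
            self.take()
            ok = self.primary() and ok      # every conjunct must be cleared
        return ok

    def primary(self):
        tok = self.take()
        if tok == "(":
            ok = self.expr()
            if self.take() != ")":
                raise ValueError("unbalanced parentheses")
            return ok
        if tok is None or tok.upper() in {")", "AND", "OR", "WITH"}:
            raise ValueError("malformed expression")
        if self.peek() and self.peek().upper() == "WITH":
            self.take()
            exc = self.take()
            if exc is None:
                raise ValueError("WITH without exception id")
            tok = f"{tok} WITH {exc}"       # the pair must be cleared as a whole
        return tok in self.approved


def expression_approved(expr, approved):
    """True if the SPDX expression is satisfiable using only approved identifiers."""
    ev = _SpdxEval(expr, approved)
    ok = ev.expr()
    if ev.peek() is not None:
        raise ValueError("trailing tokens")
    return ok


def check_sbom(sbom_json, approved):
    """Return findings; an empty list means every component is cleared by the policy."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    findings = []
    for comp in sbom.get("components", []):
        name = f"{comp.get('name')}@{comp.get('version', '?')}"
        entries = list(declared_licenses(comp))
        if not entries:
            findings.append(Finding(name, "no license information declared"))
        for kind, value in entries:
            if kind == "name":
                findings.append(Finding(name, f"license given by name only, no SPDX id: {value!r}"))
                continue
            try:
                if not expression_approved(value, approved):
                    findings.append(Finding(name, f"not cleared by policy: {value}"))
            except ValueError as exc:
                findings.append(Finding(name, f"unparseable license expression {value!r}: {exc}"))
    return findings


def main():
    findings = check_sbom(SAMPLE_SBOM, APPROVED)
    for f in findings:
        print(f"{f.component}: {f.message}")
    return 1 if findings else 0   # non-zero exit fails the CI job


if __name__ == "__main__":
    raise SystemExit(main())
```

On the constructed SBOM the script reports two findings (`left-pad@0.0.1` has a free-text license name only, `mystery@9.9` declares nothing) and exits 1; `some-lib` passes because the `OR` lets the approved `MIT` alternative satisfy the expression. A missing license is deliberately an error rather than a warning: silently passing components with no data is how an unvetted license reaches a release.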
Who should use SBoM Compliance tool?
Architectural overview

SBoM Compliance Tool uses Licomp Toolkit to verify compatibility and compliance with the Open Source licenses found in your SBoM.
Using SBoM Compliance Tool
License
SBoM Compliance Tool is released under the GPL-3.0-or-later license.
Installing SBoM Compliance Tool
See Installing SBoM Compliance Tool
About this page
This page was automatically generated from ssh://git@codeberg.org/software-compliance-org/sbom-compliance-tool/src/branch/main/README.md