Generating SBOM for Eclipse Projects
Sort out a means for generating SBOMs for Eclipse Projects. I'm using this issue to keep track of some of my exploration on the topic. At least for now.
SPDX is a contender. It's mature and well-regarded. We've been flirting with SPDX for a while now. We use their license identifiers (and the SPDX-License-Identifier tag) pretty thoroughly, and have made a couple of false starts with the SPDX SBOM file formats.
There are tools that our committers might use to generate SBOM files for their projects. Scancode Toolkit, which our Genie process uses to identify licenses in third-party content, has a feature where it will generate an SBOM for the content it reviews. I turned it on some of our project code to see what it could do. This tool does a good job of capturing license and copyright information for the sources that it scans, but doesn't capture references to leveraged content (third-party content). It only scans the content that you give it; it doesn't know how to deal with build files and what-not to sort out dependencies.
Scancode also tends to identify false positive references to licenses that make it hard to rely on fully automatic generation (ideally, it would be good to have greater ability to hint the scanner to have it avoid things that to a human mind are obviously not license references).
I looked at some SPDX tools, including the SPDX Maven Plugin for generating the SBOM. Again, these do a good job with scanning project code that contains SPDX-License-Identifier tags, but are not particularly good at extracting copyright and have limited capabilities with references.
The Dash License Tool does a pretty good job of capturing information about leveraged content, but does nothing with project code, and currently does not output in any SPDX format. There's a feature to generate a DEPENDENCIES file, which a few projects have started doing (e.g., Eclipse EGit, Eclipse Dash).
Ultimately, something like ORT is probably the right answer. I've only started investigating, but--at least at first blush--it seems like an all-of-the-above sort of solution. Unfortunately, it's not something that committers can easily install and use, so we're probably looking at needing to set up some sort of automated (and supported) service if we decide to go that route.
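To make the "all-of-the-above" gap concrete, here is an added example (not code from this issue, Dash, Scancode or the SPDX tools) that merges the two partial views into one SPDX 2.3 document: source files are scanned for the SPDX-License-Identifier tag (what the SPDX tools do well), and a Dash-style DEPENDENCIES file supplies the leveraged content (what Dash does well). It assumes the DEPENDENCIES line format `coordinates, license, status, authority` with ClearlyDefined coordinates, and uses a placeholder document namespace; the sample inputs are constructed.

```python
import hashlib
import re

# The short-form tag Eclipse sources already carry; also matches "A OR B" style expressions.
SPDX_TAG = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+\-()]+(?:\s+(?:AND|OR|WITH)\s+[A-Za-z0-9.+\-()]+)*)")

def scan_sources(sources):
    """sources: {path: text}. One SPDX file entry per source; a file without a tag gets NOASSERTION."""
    entries = []
    for i, (path, text) in enumerate(sorted(sources.items())):
        m = SPDX_TAG.search(text)
        sha1 = hashlib.sha1(text.encode()).hexdigest()  # SPDX requires a SHA1 per file
        entries.append({"fileName": "./" + path, "SPDXID": f"SPDXRef-File-{i}",
                        "checksums": [{"algorithm": "SHA1", "checksumValue": sha1}],
                        "licenseConcluded": m.group(1) if m else "NOASSERTION"})
    return entries

def parse_dependencies(text):
    """Parse Dash-style DEPENDENCIES lines (assumed format: coordinates, license, status, authority)."""
    rows = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) >= 3 and parts[0] and not parts[0].startswith("#"):
            rows.append({"coordinates": parts[0], "license": parts[1], "status": parts[2]})
    return rows

def build_spdx(project, sources, deps_text):
    """Merge the source scan and the dependency list into one SPDX 2.3 JSON-style dict."""
    root = f"SPDXRef-Package-{project}"
    doc = {"spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
           "name": project, "documentNamespace": f"https://example.invalid/spdx/{project}",  # placeholder
           "packages": [{"name": project, "SPDXID": root, "downloadLocation": "NOASSERTION"}],
           "files": scan_sources(sources), "relationships": []}
    rel = lambda kind, target: {"spdxElementId": root, "relationshipType": kind, "relatedSpdxElement": target}
    doc["relationships"] += [rel("CONTAINS", f["SPDXID"]) for f in doc["files"]]
    for i, dep in enumerate(parse_dependencies(deps_text)):
        _type, _provider, ns, name, version = dep["coordinates"].split("/")  # ClearlyDefined coordinates
        pid = f"SPDXRef-Dep-{i}"
        # Only rows Dash marked "approved" carry a license we conclude; anything else stays NOASSERTION.
        doc["packages"].append({"name": name if ns == "-" else f"{ns}:{name}", "SPDXID": pid,
                                "versionInfo": version, "downloadLocation": "NOASSERTION",
                                "licenseConcluded": dep["license"] if dep["status"] == "approved" else "NOASSERTION"})
        doc["relationships"].append(rel("DEPENDS_ON", pid))
    return doc

SAMPLE_SOURCES = {  # constructed sample input
    "src/Main.java": "/* SPDX-License-Identifier: EPL-2.0 OR Apache-2.0 */\nclass Main {}\n",
    "src/Legacy.java": "// no license header yet\nclass Legacy {}\n"}
SAMPLE_DEPENDENCIES = ("maven/mavencentral/org.apache.commons/commons-lang3/3.12.0, Apache-2.0, approved, clearlydefined\n"
                       "npm/npmjs/-/lodash/4.17.21, MIT, restricted, none\n")  # constructed
```

Files with no tag and dependencies Dash did not approve surface as NOASSERTION, which is exactly the residue a human still has to review before the document is trustworthy.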