Creates an SPDX 2.3 Software Bill of Materials based on the provided files, per ReUSE Software specification.
⚠️ NOTE⚠️ ReuseIt (and its owner) are not part of a law firm and, as such, the owner nor the application provide legal advise. Using ReuseIt does not constitute legal advice or create an attorney-client relationship.
ReuseIt is created for the aggregation of Copyright and License information provided by the users in the files stored in their repositories. In the end, the users of ReuseIt are responsible for the correctness of the generated Software Bill of Materials, the associated licenses, and attributions. For that reason, ReuseIt is provided on an "as-is" basis and makes no warranties regarding any information or licenses provided on or through it, and disclaims liability for damages resulting from using the application.
- Easy to use
- Create SPDX 2.3 Software Bill of Materials
- Leverage the Reuse Software specification
import { SoftwareBillOfMaterials } from "@dev-build-deploy/reuse-it";
// Create an empty Software Bill of Materials
const sbom = new SoftwareBillOfMaterials("Example Project", "Example Tool v0");
// Add associated (related) files
await sbom.addFile("src/spdx/sbom.ts");
// Show the results
console.log(JSON.stringify(sbom, null, 2))Example output
This will result in an SPDX 2.3 SBoM;
{
"SPDXID": "SPDXRef-DOCUMENT",
"spdxVersion": "SPDX-2.3",
"documentNamespace": "http://spdx.org/spdxdocs/spdx-v2.3-45eae250-b782-46dd-9723-62ec3bed2a7c",
"dataLicense": "CC0-1.0",
"relationships": [
{
"spdxElementId": "SPDXRef-DOCUMENT",
"relationshipType": "DESCRIBES",
"relatedSpdxElement": "SPDXRef-26277ea6651754576f3b48212813e2c9c26e7464"
}
],
"files": [
{
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "32ac7ea6fbf35e1a03662715a1a345ccc569d05d"
}
],
"fileContributors": [],
"fileTypes": [],
"licenseConcluded": "NOASSERTION",
"licenseInfoInFiles": [
"MIT"
],
"attributionTexts": [],
"fileName": "./src/spdx/sbom.ts",
"SPDXID": "SPDXRef-26277ea6651754576f3b48212813e2c9c26e7464",
"copyrightText": "2023 Kevin de Jong <monkaii@hotmail.com>"
}
],
"name": "Example Project",
"creationInfo": {
"comment": "Generated by Example Tool v0",
"created": "2023-01-01T00:00:00.000Z",
"creators": [
"Tool: Example Tool v0"
]
}
}Per the ReUSE Software specification, you can cover your files with the following approaches:
- Adding a comment header in your files;
SPDX-FileCopyrightText: 2023 Kevin de Jong <monkaii@hotmail.com>
SPDX-License-Identifier: MIT- Adding a
.licensefile next to your (binary) files - Using DEP5 allows for specifying copyright and licensing in bulk
Please refer to the Reuse specification for more details.
NOTE: Support for
.licensefiles is still under construction
To enrich your SPDX 2.3 SBOM, additional File Tags can be used to add additional information to each file. For example:
SPDX-FileCopyrightText: 2023 Kevin de Jong <monkaii@hotmail.com>
SPDX-FileType: DOCUMENTATION
SPDX-License-Identifier: MIT
SPDX-FileLicenseConcluded: MIT
SPDX-FileLicenseComments: This file is original work of the copyright holder, and therefor the license specified in the file is correct.
SPDX-FileComment: This file is part of the public documentation.
SPDX-FileContributor: Kevin de JongReuseMe attempts to limit the number of false positive hits by;
- Only scanning the first 1024 characters of your files
- Ensure that
SPDX-tags are the first words on a line
In case you do run into a false-positive match, you can use the REUSE-IgnoreStart and REUSE-IgnoreEnd tags to ignore snippets.
function foo(bar: string) {
// REUSE-IgnoreStart
if (bar.includes(
"SPDX-FileCopyrightText is important"
)) {
console.log("Ru-roh")
}
// REUSE-IgnoreEnd
}If you have suggestions for how reuse-it could be improved, or want to report a bug, open an issue! We'd love all and any contributions.
For more, check out the Contributing Guide.
- MIT © 2023 Kevin de Jong <monkaii@hotmail.com>