The Clearing Automation Tool scans and collects the 3rd party OSS components used in an NPM/NuGet/Debian project and uploads them to SW360 and FOSSology, given the respective project ID, for license clearing. The tool helps the developer or project manager speed up the clearing process by reducing the manual effort of creating SW360 and FOSSology workflows.
This tool has been logically split into 3 different executables that enable it to be used as separate modules as per the user's requirement.
Note: CA Tool internally uses Syft for component detection for Debian-type projects.
docker pull ghcr.io/siemens/continuous-clearing
Download the .nupkg file from GitHub Releases
The Clearing Automation Tool has 3 executables.
You can run CATool as a container or as a dotnet package.
Run as container
Execute them in the following order to achieve the complete License clearing process.
- Package Identifier - This executable takes package-lock.json or a CycloneDX BOM as input and provides a CycloneDX BOM file as output. For each component, its availability in JFrog Artifactory is identified and added to the BOM file.
docker run --rm -it -v /path/to/InputDirectory:/mnt/Input -v /path/to/OutputDirectory:/mnt/Output -v /path/to/LogDirectory:/var/log -v /path/to/configDirectory:/etc/CATool ghcr.io/siemens/continuous-clearing dotnet PackageIdentifier.dll --settingsfilepath /etc/CATool/appSetting.json
- Input (i.e., /path/to/InputDirectory -> place to keep input files)
- Output (i.e., /path/to/OutputDirectory -> resulting files will be stored here)
- Log (i.e., /path/to/LogDirectory -> logs will be stored here)
- Configuration (i.e., /path/to/configDirectory -> place to keep the config files, i.e. appSetting.json)
- SW360 Package Creator - This executable expects the CycloneDX BOM as the input, creates the missing components/releases in SW360, links all the components to the respective project in the SW360 portal and triggers the FOSSology upload.
docker run --rm -it -v /path/to/OutputDirectory:/mnt/Output -v /path/to/LogDirectory:/var/log -v /path/to/configDirectory:/etc/CATool ghcr.io/siemens/continuous-clearing dotnet SW360PackageCreator.dll --settingsfilepath /etc/CATool/appSetting.json
- Artifactory Uploader - This executable takes the CycloneDX BOM which is updated by the SW360PackageCreator.dll as input and uploads the components that are already cleared (clearing state - "Report approved") to the SIPARTY release repo in JFrog Artifactory.
docker run --rm -it -v /path/to/OutputDirectory:/mnt/Output -v /path/to/LogDirectory:/var/log -v /path/to/configDirectory:/etc/CATool ghcr.io/siemens/continuous-clearing dotnet ArtifactoryUploader.dll --settingsfilepath /etc/CATool/appSetting.json
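The three container runs above, chained in the documented order, as an added example (not one of the project's own scripts). The host paths, the PROJECT_TYPE and DRY_RUN variables and the function names are assumptions for illustration; `-it` is dropped because a script or CI job usually has no TTY, and the uploader stage is skipped for Debian projects, which this page notes it does not apply to.

```shell
#!/bin/sh
# Added example: run the CA Tool stages in the documented order.
# Paths, PROJECT_TYPE and DRY_RUN are assumptions; override via environment.
IMAGE="ghcr.io/siemens/continuous-clearing"
IN_DIR="${IN_DIR:-/path/to/InputDirectory}"
OUT_DIR="${OUT_DIR:-/path/to/OutputDirectory}"
LOG_DIR="${LOG_DIR:-/path/to/LogDirectory}"
CFG_DIR="${CFG_DIR:-/path/to/configDirectory}"
PROJECT_TYPE="${PROJECT_TYPE:-npm}"  # hypothetical switch: npm | nuget | debian
DRY_RUN="${DRY_RUN:-1}"              # 1 = only print the docker commands

# Print the stage names to run, one per line, in execution order.
ca_stages() {
    echo PackageIdentifier
    echo SW360PackageCreator
    # ArtifactoryUploader is not applicable for Debian clearing.
    [ "$1" = "debian" ] || echo ArtifactoryUploader
}

# Run (or, in dry-run mode, print) the container command for one stage.
ca_run_stage() {
    stage="$1"
    set -- run --rm                  # no -it: scripts and CI jobs have no TTY
    # Only PackageIdentifier is given the Input mount in the commands above.
    if [ "$stage" = "PackageIdentifier" ]; then
        set -- "$@" -v "$IN_DIR:/mnt/Input"
    fi
    set -- "$@" -v "$OUT_DIR:/mnt/Output" -v "$LOG_DIR:/var/log" \
        -v "$CFG_DIR:/etc/CATool" "$IMAGE" \
        dotnet "$stage.dll" --settingsfilepath /etc/CATool/appSetting.json
    if [ "$DRY_RUN" = "1" ]; then
        echo "docker $*"
    else
        docker "$@"
    fi
}

# Run every stage; stop at the first failure so a later stage never
# consumes a BOM that an earlier stage did not finish writing.
ca_run_all() {
    for s in $(ca_stages "$PROJECT_TYPE"); do
        ca_run_stage "$s" || { echo "stage $s failed, stopping" >&2; return 1; }
    done
}

ca_run_all
```

Set DRY_RUN=0 and the four directory variables to real host paths to execute the stages instead of printing them.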
Run as dotnet package
Extract the downloaded .nupkg package and execute the following commands inside the tools folder.
- Package Identifier - This executable takes package-lock.json as input and provides a CycloneDX BOM file as output. For each component, its availability in JFrog Artifactory is identified and added to the BOM file.
PackageIdentifier.exe --settingsfilepath /<Config_Path>/appSetting.json
- SW360 Package Creator - This executable expects the CycloneDX BOM as the input, creates the missing components/releases in SW360, links all the components to the respective project in the SW360 portal and triggers the FOSSology upload.
SW360PackageCreator.exe --settingsfilepath /<Config_Path>/appSetting.json
- Artifactory Uploader - This executable takes the CycloneDX BOM which is updated by the SW360PackageCreator.dll as input and uploads the components that are already cleared (clearing state - "Report approved") to the SIPARTY release repo in JFrog Artifactory.
ArtifactoryUploader.exe --settingsfilepath /<Config_Path>/appSetting.json
Detailed insight on configuration and execution is provided in Usage Doc.
Note: ArtifactoryUploader is not applicable for Debian clearing.
These instructions will get the project up and running on your local machine for development and testing purposes.
- Download Visual Studio 2022.
- Download the latest version of Docker.
- Docker image of Clearing Automation tool to be loaded locally.
- Clone the repo in your local directory
- Inside the src folder, execute the following command to build the source code:
dotnet build --configuration Release
Execute the following command inside the project's root directory, where the Dockerfile is present, to create an image:
docker build -t <DockerImageName> -f Dockerfile .
Execute the following command inside the project's root directory :
nuget pack CA.nuspec
Improvements are always welcome! Feel free to log a bug, write a suggestion or contribute code via merge request. To build and test the solution locally you should have .NET Core 6 installed. All details are listed in our contribution guide. See CONTRIBUTING.md.
Code and documentation under MIT License
Third-party software components list:
Copyright 2023 Siemens AG