rules_license

CI:

This repository contains a set of rules and tools for

• declaring metadata about packages, such as
  • the licenses the package is available under
  • the canonical package name and version
  • copyright information
  • ... and more TBD in the future
• gathering license declarations into artifacts to ship with code
• applying organization specific compliance constriants against the set of packages used by a target.
• producing SBOMs for built artifacts.

WARNING: The code here is still in active initial development and will churn a lot.

Contact

If you want to follow along:

• Mailing list: bazel-ssc@bazel.build
• Monthly eng meeting: calendar link
• Latest docs

Roadmap

Last update: October 22, 2023

Q4 2023

• Reference implementation for "packages used" tool
  • produce JSON output usable for SBOM generation or other compliance reporting.
• Reference implementation for an SPDX SBOMM generator
  • Support for reading bzlmod lock file
  • Support for reading maven lock file
• "How To" guides
  • produce a license audit
  • produce an SBOM

Q1 2024

• Add support for other package manager lock file formats
  • ? Python
  • Golang
  • NodeJS
• More SPDX SBOM fields
  • support for including vendor SBOMs

Beyond

• Performance improvements

• Sub-SBOMs for tools

• TBD

Background reading:

These is for learning about the problem space, and our approach to solutions. Concrete specifications will always appear in checked in code rather than documents.

• License Checking with Bazel.
• OSS Licenses and Bazel Dependency Management
• Adding OSS license declarations to Bazel