Open freedomtan opened 1 month ago
I've used anchor/syft to generate the SBOM (Software list of materials). More info is here: https://github.com/anchore/syft Next, by using sbom-utility: https://github.com/CycloneDX/sbom-utility, I've generated the list of the licenses. The only drawback is the duplication, which we can resolve.
Please find attached sbom, and licenses files licenses.txt sbom.json
@RSMNYS Please try to use syft and sbom-util, so that we can automatically generate "licenses.txt" in our current CI/CD. Please try to send a PR for this.
here are the instructions how to generate sbom and then convert to the list of licenses:
Install syft
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
Run syft from the directory
syft -o cyclonedx-json . --exclude './react' > sbom-cyclonedx.json --verbose
convert sbom to the licenses list
./sbom-utility license list -i /Volumes/work/Programming/ScopicSoftware/MLCommons/mobile/sbom-cyclonedx.json --summary --quiet -o licenses.txt
While this works to some degree, I found another tool that is used for the licenses check: scancode-toolkit ( https://github.com/nexB/scancode-toolkit). It scans through the files and trying to find the licenses in those. And looks like it identifies more licenses than the approach above. The output is in the json, so we can use some script to extract the info.
@freedomtan @anhappdev I found yet another tool, I'm using a free version of it, and results are really good. And we can use the free version for our needs. I'm attaching the list that the tool is able to generate. Furthermore we can use the API to fully automate it. Please check.
@RSMNYS please try to group packages with the same license together and then talk to Scott (@nathanw-mlc I don't know Scott's handle).
I don't know Scott's handle
@swasson488
Let's ping Scott @swasson488 after @RSMNYS finish the grouping of licenses.
Hi guys! Here is the grouped licenses. Prepared the python script which parses the output from fossa service, and groups packages by license type. grouped_packages_licenses.txt
@RSMNYS to check with some legal guys to see if we can further reduce the file size.
Thanks, folks. Do let me know if there's any further consolidation possible. Otherwise, this is still very helpful and yeah, lots of different components with at least two different licenses.
Scott
On Tue, May 14, 2024 at 12:16 AM Koan-Sin Tan @.***> wrote:
@RSMNYS https://github.com/RSMNYS to check with some legal guys to see if we can further reduce the file size.
— Reply to this email directly, view it on GitHub https://github.com/mlcommons/mobile_app_open/issues/873#issuecomment-2109302688, or unsubscribe https://github.com/notifications/unsubscribe-auth/BFC3WA5BPNH2DIQKEDLCXKTZCGM4FAVCNFSM6AAAAABFWL2WSOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCMBZGMYDENRYHA . You are receiving this because you were mentioned.Message ID: @.***>
I spent some time testing the https://fossa.com mentioned by @RSMNYS. I think the HTML version of the report looks quite good and we can include it either in the app as HTML file or as a web link: https://app.fossa.com/reports/eb25eabe-7e15-45fb-ac34-b1f1cd848b03
They also has warnings for possible licensing issue: https://app.fossa.com/projects/custom%2B44937%2Fmobile_app_open-master
Let's try to list all the 3rd party components and corresponding licenses we used.