spdx / sbom-landscape

SPDX SBOM Landscape
https://landscape.spdx.dev
Apache License 2.0
15 stars 10 forks source link
sbom spdx

Netlify Status

SBOM SPDX Landscape

SBOM SPDX Landscape Logo

This landscape is intended as a map to explore the SBOM SPDX Ecosystem. It is modelled after the Cloud Native Computing Foundation (CNCF) landscape and based on the same open source code.

Current Version

SBOM SPDX Landscape

Interactive Version

Please see landscape.spdx.dev.

New Entries

Thank you for your interest in improving the SBOM Landscape! If you know of SPDX-compatible software that consumes, produces or processes Software Bill of Materials, then we'd love to add it to the SBOM Landscape.

Please let us know about such potential additions by filing an issue on GitHub, or sending an email to the spdx-outreach mailing list. If you'd like to contribute directly, please read the instructions in this README and make a pull request on GitHub.

After each pull request is made, the changes are automatically tested to make sure that the SBOM Landscape page is generated correctly. A staging server is also started so that we can make sure that the information appears correctly.

Logos

The following rules will produce the most readable and attractive logos:

  1. We require SVGs, as they are smaller, display correctly at any scale, and work on all modern browsers. If you only have the logo in another vector format (like AI or EPS), please open an issue and we'll convert it to an SVG for you, or you can often do it yourself at https://cloudconvert.com/. Note that you may need to zip your file to attach it to a GitHub issue. Please note that we require pure SVGs and will reject SVGs that contain embedded PNGs since they have the same problems of being bigger and not scaling seamlessly. We also require that SVGs convert fonts to outlines so that they will render correctly whether or not a font is installed. See Proper SVGs below.
  2. When multiple variants exist, use one with the text above or below the logo, rather than one with the text to the side.
  3. Don't use reversed logos (i.e., with a non-white, non-transparent background color). If you only have a reversed logo, create an issue with it attached and we'll produce a non-reversed version for you.
  4. Logos must include the company, product or project name (please choose the name in English if there are multiple translations). If you don't have a version of your logo with the name in it, please open an issue and we'll create one for you (and please specify the font).
  5. Match the item name to the name shown in the logo. So an Acme Rocket logo that shows "Rocket" should have the item name "Rocket", while if the logo shows "Acme Rocket", the item name should be "Acme Rocket". Otherwise, logos looks out of place when you sort alphabetically.
  6. Google images is often the best way to find a good version of the logo (but ensure it's the up-to-date version). Search for grpc logo filetype:svg but substitute your project or product name for grpc.
  7. You can either upload an SVG to the hosted_logos directory or put a URL as the value, and it will be fetched.

Proper SVGs

SVGs need to not rely on external fonts so that they will render correctly in any web browser, whether or not the correct fonts are installed. If you have the original AI file, here are the steps in Illustrator to create a proper SVG:

  1. Open file in Illustrator
  2. Select all text
  3. With the text selected, go to Object > Expand in the top menu
  4. Export file by going to File > Export > Export As in top menu
  5. Select SVG from the format drop down and make sure that "Use Artboards" is checked
  6. This will open a SVG options box, make sure to set Decimal to 5 (that is the highest possible, so to ensure that sufficient detail is preserved)
  7. Click Okay to export

Corrections

Please open a pull request with edits to landscape.yml. The file processed_landscape.yml is generated and so should never be edited directly.

If the error is with data from Crunchbase you should open an account there and edit the data. If you don't like a project description, edit it in GitHub. If your project isn't showing the license correctly, you may need to paste the unmodified text of the license into a LICENSE file at the root of your project in GitHub, in order for GitHub to serve the license information correctly.

External Data

The canonical source for all data is landscape.yml. Once a day, we download data for projects and companies from the following sources:

The update server enhances the source data with the fetched data and saves the result in processed_landscape.yml. The app loads a JSON representation of processed_landscape.yml to display data.

Best Practices Badge

As explained at https://bestpractices.coreinfrastructure.org/:

The Linux Foundation (LF) Core Infrastructure Initiative (CII) Best Practices badge is a way for Free/Libre and Open Source Software (FLOSS) projects to show that they follow best practices. Projects can voluntarily self-certify, at no cost, by using this web application to explain how they follow each best practice. The CII Best Practices Badge is inspired by the many badges available to projects on GitHub. Consumers of the badge can quickly assess which FLOSS projects are following best practices and as a result are more likely to produce higher-quality secure software.

The interactive landscape displays the status (or non-existence) of a badge for each open-source project. There's also a feature not available through the filter bar to see all items with and without badges.

Non-Updated Items

We generally remove open source projects that have not had a commit in over 3 months. Note that for projects not hosted on GitHub, we need them to mirror to GitHub to fetch updates, and we try to work with projects when their mirrors are broken. Here is view of projects sorted by last update: https://landscape.spdx.dev/format=card-mode&grouping=no&license=open-source&sort=latest-commit

We generally remove closed source products when they have not tweeted in over 3 months. This doesn't apply to Chinese companies without Twitter accounts, since Twitter is blocked there. Here is a view of products sorted by last tweet: https://landscape.spdx.dev/format=card-mode&grouping=no&license=not-open-source&sort=latest-tweet

Items that have been removed can apply to be re-added using the regular New Entries criteria above.

License

This repository contains data received from Crunchbase. This data is not licensed pursuant to the Apache License. It is subject to Crunchbase’s Data Access Terms, available at https://data.crunchbase.com/v3.1/docs/terms, and is only permitted to be used with this Landscape Project which is hosted by the Linux Foundation.

Everything else is under the Apache License, Version 2.0, except for project and product logos, which are generally copyrighted by the company that created them, and are simply cached here for reliability. The trail map, static landscape, serverless landscape, and landscape.yml file are alternatively available under the Creative Commons Attribution 4.0 license.

Formats

The SBOM SPDX Landscape is available in these formats:

Installation

You can install and run locally with the install directions. It's not necessary to install locally if you just want to edit landscape.yml. You can do so via the GitHub web interface.

Vulnerability reporting

Please open an issue or, for sensitive information, email info@cncf.io.

Adjusting the Landscape View

The file src/components/MainContent2.js describes the key elements of a landscape big picture. It specifies where to put these sections: App Definition and Development, Orchesteration & Management, Runtime, Provisioning, Cloud, Platform, Observability and Analyzis, Special. Also it specifies where to locate the link to the serverless preview and an info with a QR code.

All these elements should have top, left, width and height properties to position them. rows and cols specify how much columns or rows we expect in a given horizontal or vertical section.

When we see that those elements can not fit the sections, we need to either increase the width of all the horizontal sections, or increase height and amount of rows in a single horitzontal section and adjust the position of sections below.

Beside that, we have to adjust the width of a parent div (1620), the width in a src/components/BigPicture/FullscreenLandscape.js (1640) and the width in a tools/renderLandscape.js (6560, because of x4 zoom and margins)

Sometimes the total height is changed too, then we need to adjust the height the same way as we adjust the width.

We have an experimental fitWidth property, it is good when you want to get rid of an extra space on the right of a section.

The best way to test that layout is ok, is to visit /landscape, and if it looks ok, run PORT=3000 babel-node tools/renderLandscape and see the rendered png files, they are in src/images folder.