SBOM license summarizer is a GitHub Action that collects SBOM files from a list of provided repositories and summarizes them, grouped by license. The resulting JSON is provided as an output variable.
example:

```yaml
steps:
  - name: Summarise SVS-SBOMs
    id: summary
    uses: hpi-schul-cloud/[email protected]
    with:
      filename: dependencies.sbom.json
      repos: hpi-schul-cloud/tldraw-server:33.0.0;hpi-schul-cloud/schulcloud-client:33.0.0;hpi-schul-cloud/schulcloud-server:33.0.0
  - name: work with json
    run: echo '${{ toJson(steps.summary.outputs.json) }}'
```
name | description |
---|---|
filename | name of the JSON file containing the SBOM information in SPDX format |
repos | list of repositories separated by semicolons; each entry has the format `{ project }/{ repo }@{ version };{ project }/s ...` |
example:

```yaml
with:
  filename: dependencies.sbom.json
  repos: hpi-schul-cloud/tldraw-server:33.0.0;hpi-schul-cloud/schulcloud-client:33.0.0;hpi-schul-cloud/schulcloud-server:33.0.0
```
name | description |
---|---|
json | summarizing JSON, grouped by license |
example:

```json
{
  "Apache License 2.0": {
    "licenseText": "Apache License\nVersion 2.0, January 2004\nhttp://www.apache.org/licenses/\n\nTERMS AND CONDITIONS FOR USE, REPRODUC...",
    "components": [
      "@ampproject/[email protected]",
      "@eslint/[email protected]",
      ...
    ]
  },
  "Blue Oak Model License 1.0.0": {
    "licenseText": "# Blue Oak Model License\n\nVersion 1.0.0\n\n## Purpose\n\nThis license gives everyone as much permission to work with\nthis software as possible, while protecting contributors\nfrom liability....",
    "components": [
      "[email protected]",
      "[email protected]",
      "[email protected]"
    ]
  },
  "BSD 2-Clause \"Simplified\" License": {
    ...
```
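As an added example (not part of the sbom-summarizer action itself), this Node script shows how a follow-up workflow step can consume the license-grouped output above: it parses the output string, checks the shape, counts components per license and lists every component whose license is not on an allow-list. `SAMPLE_SUMMARY` is constructed to match the documented output shape and `ALLOWED_LICENSES` is an assumed policy, not something the action defines.

```javascript
// Added example, not the action's own code: audit the summary JSON emitted by
// sbom-summarizer against a license allow-list. SAMPLE_SUMMARY is constructed
// in the documented output shape; ALLOWED_LICENSES is an assumed policy.

const SAMPLE_SUMMARY = {
  "Apache License 2.0": {
    licenseText: "Apache License\nVersion 2.0, January 2004\n...",
    components: ["example-a@1.0.0", "example-b@2.3.1"],
  },
  "Blue Oak Model License 1.0.0": {
    licenseText: "# Blue Oak Model License\n\nVersion 1.0.0\n...",
    components: ["example-c@0.9.0"],
  },
  "GNU General Public License v3.0 only": {
    licenseText: "GNU GENERAL PUBLIC LICENSE\nVersion 3\n...",
    components: ["example-d@4.0.0"],
  },
};

const ALLOWED_LICENSES = new Set(["Apache License 2.0",
  "Blue Oak Model License 1.0.0", "MIT License"]);

// The action output reaches a workflow step as a string. Parse it, and parse
// once more if the first pass yields a string (a JSON-encoded JSON document).
function parseSummaryOutput(raw) {
  let data = JSON.parse(raw);
  if (typeof data === "string") data = JSON.parse(data);
  if (data === null || typeof data !== "object" || Array.isArray(data)) {
    throw new TypeError("summary must be a JSON object keyed by license name");
  }
  return data;
}

// Returns per-license component counts plus every component whose license is
// not allowed, so a workflow can fail the build when violations is non-empty.
function auditSummary(summary, allowed) {
  const counts = {};
  const violations = [];
  for (const [license, entry] of Object.entries(summary)) {
    const components = Array.isArray(entry.components) ? entry.components : [];
    counts[license] = components.length;
    if (!allowed.has(license)) {
      for (const component of components) violations.push({ component, license });
    }
  }
  return { counts, violations };
}

console.log(JSON.stringify(auditSummary(SAMPLE_SUMMARY, ALLOWED_LICENSES), null, 2));
```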
When changing the code in this action, you need to run `npm run build` afterwards and push not only your changes but also the generated `/dist/index.js` file. This is necessary because the action is run directly, without installing any dependencies: the build script bundles the action's source code and its dependencies into a single, directly executable JavaScript file.
Hint
When testing the changes from within another GitHub workflow, keep in mind that you have to adapt the action call by replacing the version tag with the current commit SHA, so that the newest version of the action is the one executed:

```yaml
steps:
  - name: Summarise SVS-SBOMs
    id: summary
    uses: hpi-schul-cloud/[email protected]
```

becomes:

```yaml
steps:
  - name: Summarise SVS-SBOMs
    id: summary
    uses: hpi-schul-cloud/sbom-summarizer@878e288f16f32be59bd19b12dd668a7874df7f06
```
After finishing the implementation it makes sense to tag a new version in this repo so that other workflows can address it directly:

```yaml
uses: hpi-schul-cloud/[email protected]
```