A simple application to crawl your Github repositories, export SBOMs in SPDX format, and ingest these for licensing analysis.
Note: I take no responsibility for the legal correctness of the output of this tool. I would also caution that the SPDX files produced by Github seem a bit rough around the edges at times.
This project is very early stage - it's pretty rough around the edges, has no tests, and is limited in features. Expect a bunch of breaking changes as I learn more about the world of processing SBOMs.
- Crawl Github repositories extracting SBOMs using a PAT (Github Personal Access Token)
- Fills in gaps for npm packages by reading metadata from the NPM Registry directly
- Render back summary and detail views, including risk categories
- More filtering, sorting, etc options
- Export to CSV / spreadsheet report
- Allow upload of a SPDX file directly rather than crawling Github
- Allow overriding data, eg: correct a license
- Pull in CVE alerts
- Tidy up the API, it's a bit haphazard right now
- Add tests
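The feature list above describes the flow this tool implements: take a GitHub SPDX export, fill the license gaps for npm packages from the registry, and render risk categories. The following is an added example and not code from this project. It parses a constructed SPDX 2.3 document shaped like the `sbom` object returned by GitHub's dependency-graph SBOM endpoint, finds npm packages whose `licenseConcluded` is `NOASSERTION` (or omitted entirely, which GitHub exports sometimes do), fills them through an injected registry lookup (an in-memory stand-in here, so it runs offline), and buckets SPDX expressions into risk categories. The function names (`parseNpmPurl`, `fillLicenseGaps`, `riskCategory`, `summarize`), the category names and the license-to-category table, `npmRegistryUrl`'s assumption that the registry accepts a percent-encoded scoped name, and all package and registry data are assumptions of this example, not the project's.

```javascript
// Added example (not sbom-tool's own code): post-process a GitHub SPDX export,
// fill npm license gaps from registry metadata and bucket licenses by risk.
// Every package, registry response and risk bucket below is constructed.

// npm package entry with a purl ref; purls percent-encode the scope ("@" -> "%40").
function npmPkg(name, version, licenseConcluded) {
  const pkg = {
    SPDXID: `SPDXRef-npm-${name.replace(/[@/]/g, "-")}-${version}`,
    name: `npm:${name}`, versionInfo: version,
    externalRefs: [{ referenceCategory: "PACKAGE-MANAGER", referenceType: "purl",
                     referenceLocator: `pkg:npm/${name.replace("@", "%40")}@${version}` }],
  };
  if (licenseConcluded !== undefined) pkg.licenseConcluded = licenseConcluded; // GitHub sometimes omits it
  return pkg;
}

// Constructed SPDX 2.3 document shaped like the `sbom` object GitHub returns.
const SAMPLE_SPDX = {
  spdxVersion: "SPDX-2.3", name: "com.github.example/app",
  packages: [
    npmPkg("lodash", "4.17.21", "MIT"),
    npmPkg("left-pad", "1.3.0", "NOASSERTION"),
    npmPkg("@types/node", "20.0.0", "NOASSERTION"),
    npmPkg("old-style-lib", "0.1.0", "NOASSERTION"),
    npmPkg("unpublished-lib", "9.9.9", undefined),
    npmPkg("example-gpl-lib", "1.0.0", "GPL-3.0-only AND MIT"),
    { SPDXID: "SPDXRef-pip-requests-2.31.0", name: "pip:requests", versionInfo: "2.31.0",
      licenseConcluded: "Apache-2.0", externalRefs: [{ referenceCategory: "PACKAGE-MANAGER",
      referenceType: "purl", referenceLocator: "pkg:pypi/requests@2.31.0" }] },
  ],
};

// Parse "pkg:npm/<name>@<version>" (qualifiers/subpath dropped); null for non-npm purls.
function parseNpmPurl(purl) {
  const m = /^pkg:npm\/(.+)@([^@?#]+)/.exec(purl || "");
  return m ? { name: decodeURIComponent(m[1]), version: m[2] } : null;
}
const purlOf = (pkg) => ((pkg.externalRefs || []).find((r) => r.referenceType === "purl") || {}).referenceLocator || null;
const licenseOf = (pkg) => pkg.licenseConcluded || "NOASSERTION"; // absent field treated as NOASSERTION
const missingLicensePackages = (spdx) =>
  spdx.packages.filter((p) => licenseOf(p) === "NOASSERTION" && parseNpmPurl(purlOf(p)));
// Assumption: the registry accepts a percent-encoded scoped name ("%40types%2Fnode").
const npmRegistryUrl = (name, version) => `https://registry.npmjs.org/${encodeURIComponent(name)}/${version}`;

// npm metadata has carried a license as an SPDX string, a {type} object or a
// legacy `licenses` array; normalise all three to one SPDX expression.
function normaliseNpmLicense(meta) {
  if (!meta) return null;
  if (typeof meta.license === "string") return meta.license;
  if (meta.license && typeof meta.license.type === "string") return meta.license.type;
  const ids = (meta.licenses || []).map((l) => (typeof l === "string" ? l : l && l.type)).filter(Boolean);
  return ids.length ? ids.join(" OR ") : null;
}

// Constructed offline stand-in for fetching npmRegistryUrl(name, version).
const CONSTRUCTED_REGISTRY = {
  "left-pad@1.3.0": { license: "WTFPL" },
  "@types/node@20.0.0": { license: "MIT" },
  "old-style-lib@0.1.0": { licenses: [{ type: "BSD-3-Clause", url: "https://example.invalid/LICENSE" }] },
};
const lookupConstructed = (name, version) => CONSTRUCTED_REGISTRY[`${name}@${version}`] || null;

// Return a new document; filled packages record where the license came from.
function fillLicenseGaps(spdx, lookup) {
  const packages = spdx.packages.map((p) => {
    const ref = licenseOf(p) === "NOASSERTION" ? parseNpmPurl(purlOf(p)) : null;
    const license = ref && normaliseNpmLicense(lookup(ref.name, ref.version));
    return license
      ? { ...p, licenseConcluded: license, licenseComments: `filled from ${npmRegistryUrl(ref.name, ref.version)}` }
      : p;
  });
  return { ...spdx, packages };
}

// Constructed risk buckets; the project's own categories are not documented on the page.
const RISK_RANK = { permissive: 0, "weak-copyleft": 1, "strong-copyleft": 2, unknown: 3 };
const LICENSES_BY_RISK = {
  permissive: ["MIT", "ISC", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "0BSD", "WTFPL", "CC0-1.0"],
  "weak-copyleft": ["MPL-2.0", "LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only", "LGPL-3.0-or-later"],
  "strong-copyleft": ["GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later", "AGPL-3.0-only"],
};
function riskOfSingle(id) {
  const hit = Object.entries(LICENSES_BY_RISK).find(([, ids]) => ids.includes(id));
  return hit ? hit[0] : "unknown"; // NOASSERTION, NONE and "X WITH exception" all land here
}

// Top-level SPDX operators only: with OR the consumer may pick the lower-risk term,
// with AND every term applies so the higher risk wins. Nested parentheses are not handled.
function riskCategory(expr) {
  const e = expr.replace(/[()]/g, "").trim();
  const pick = (op, chooseMax) => e.split(op).map((t) => riskOfSingle(t.trim()))
    .reduce((a, b) => ((RISK_RANK[b] > RISK_RANK[a]) === chooseMax ? b : a));
  if (/\sOR\s/i.test(e)) return pick(/\s+OR\s+/i, false);
  if (/\sAND\s/i.test(e)) return pick(/\s+AND\s+/i, true);
  return riskOfSingle(e);
}

// Count packages per risk category, as a summary view would.
const summarize = (spdx) => spdx.packages.reduce((counts, p) => {
  const cat = riskCategory(licenseOf(p));
  counts[cat] = (counts[cat] || 0) + 1;
  return counts;
}, {});

console.log(summarize(fillLicenseGaps(SAMPLE_SPDX, lookupConstructed))); // { permissive: 5, unknown: 1, 'strong-copyleft': 1 }
```

Run it with `node`. Two points worth keeping from the design: a package whose license cannot be resolved stays `NOASSERTION` and therefore surfaces as `unknown` rather than silently disappearing, and every filled value carries a `licenseComments` note naming its source, so a reviewer can tell registry-derived licenses apart from what GitHub asserted. Expressions with `WITH` exceptions or nested groups fall into `unknown` on purpose; those are the ones to review by hand.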
First, run the development server:

```sh
corepack enable
yarn
cp .env.example .env # modify settings as needed
yarn dev
```

Open http://localhost:3000 to use the application.

Data will be written to the sqlite db specified by DB_PATH.
- Implemented as a single NextJS application.
- mui is used as the component library
- sqlite is used as the database for data persistence
- Database migrations are generated/managed by atlas, see migrate.sh / migrate-generate.sh
- Database schema is introspected to produce zod schemas for each table, using a script I haven't published anywhere yet
- A basic openapi.yaml specification is used to generate most of the client/server glue using an experimental nextjs template
- mnahkies/openapi-code-generator is also used to generate the Github client
- License data was scraped from dependency-track


