While producing a bill-of-materials, a private metadata cache is desirable to augment the publicly available metadata with local curations and store metadata for packages that are not publicly released.

The service consists of a metadata store with "harvesters" to collect metadata. The unavailability and modification of metadata automatically triggers harvesters to fill the cache.

The harvesting mechanism starts from a client requesting metadata for a specific package. If the package is unknown, one or more harvesters start collecting metadata from external sources. The harvester for the relevant package management repository obtains the basic package metadata, and another harvester might additionally pull various curated fields for the same package from ClearlyDefined. A scoring mechanism ensures the most reliable metadata is kept. The availability of a source code location (and no scanned license) could trigger the license scanning harvester to download and scan the source code for licenses and other copyright information. If the scanned license does not match the license declared in the originating repository, it can be contested by a harvester that checks consistency between the "declared" and "detected" license fields. When a client later requests the same package, it receives the latest updated metadata.

The user interface allows human inspection and curation of the metadata. A manual change of such metadata can in turn trigger other processes to complete additional fields.

(See the architecture document for a detailed technical description.)

The service requires at least Java 11.

The Flutter web user interface should be first built through the install_ui script in the /ui directory. (This script checks and builds the web application and installs it into the /src/main/resources/static directory of the backend.)

Next, the backend can be built through the Maven mvn clean install command, and yields a "fat" executable jar containing all dependencies.

The backend server starts as a standard Java executable:

java -jar BOM-base-<version>.jar

Some useful command line parameters are:

• --server.port=9090 changes the http port (from default 8080) to 9090.
• --bom-base.scan-licenses=false disables the source code license scanner, reducing the machine load during development and testing.
• --bom-base.harvest-clearly-defined=false disables the clearly-defined lookup

Scanning licenses from source files is delegated to ScanCode Toolkit.

Follow any of these installation instructions to install the command line application.

Then make sure the scancode and extractcode commands are accessible from any directory by updating the path or creating symbolic links in an appropriate location.

After building the project, you can build and run the application using Docker.

Build docker image:

docker build -f docker/Dockerfile -t bom-base .

Run docker container:

docker run -p 8080:8080 bom-base

The latest released version is also available from Docker Hub:

docker run -p 8080:8080 philipssoftware/bom-base:latest

(Empty)

The service exposes a REST API and a user interface on port 8080.

Proper operation can be checked by e.g.:

curl http://localhost:8080/packages/pkg%253Anpm%252Fmarked%25400.7.0 | jq

Harvesters will then start collecting the metadata for the pkg:npm/[email protected] package if its metadata was not yet available. Else it returns the existing metadata for the package.

Unit tests for this Maven are run by the mvn clean test command.

Note that ScanCode Toolkit must be installed for all tests to pass. (See installation instructions)

(BOM-Base is still under development.)

BOM-Base is an experimental tool, and not suited for production.

Submit an issue in the issue tracker of this project.

See LICENSE.md.

• BOM-Base relies for scanning of license information from source code on ScanCode Toolkit.
• Many thanks go out to the nice people at OSS Review Toolkit for their work and being an inspiration to try a different approach for managing bill-of-materials metadata.
• If you are looking for tools to build a bill-of-materials, you might want to have a look at the SPDX-Builder project that can (among various other solutions) use BOM-Base metadata to build rich bill-of-materials documents in the SPDX format.