From c0589eb6c83dc6eb415ed5d0d4f1fdb569eb4f0b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20Gorej?= Date: Tue, 5 Dec 2023 10:46:39 +0100 Subject: [PATCH] docs(README): document how to obtain current SBOM (#3504) --- README.md | 3 +- apidom.spdx.yaml | 335 ----------------------------------------------- 2 files changed, 2 insertions(+), 336 deletions(-) delete mode 100644 apidom.spdx.yaml
diff --git a/README.md b/README.md
index 13b2a738c2..aa9889b2c7 100644
--- a/README.md
+++ b/README.md
@@ -550,5 +550,6 @@ for declaring copyright and licensing for software projects.
 ## Software Bill Of Materials (SBOM)
-Software Bill Of materials is available in [apidom.spdx.yaml](https://github.com/swagger-api/apidom/blob/main/apidom.spdx.yaml) using [SPDX](https://spdx.dev/) language.
+Software Bill Of materials is available in this repository [dependency graph](https://github.com/swagger-api/apidom/network/dependencies).
+Click on `Export SBOM` button to download the SBOM in [SPDX format](https://spdx.dev/).
diff --git a/apidom.spdx.yaml b/apidom.spdx.yaml
deleted file mode 100644
index fb88f31802..0000000000
--- a/apidom.spdx.yaml
+++ /dev/null
@@ -1,335 +0,0 @@ ---- -SPDXID: ApiDOM-SBOM -spdxVersion: SPDX-2.2 -name: ApiDOM-SBOM -licenseListVersion: 3.16 -dataLicense: CC0-1.0 -comment: | - This document was created by manual inspection of node_modules after ApiDOM installation on production dependencies. - This SBOM excludes folowing packages: apidom-ls, apidom-playground. - The reason of exclusion is that apidom-playground is an internal developer tool not intended to be - distributed to the users. apidom-ls is still in heavy development and it's dependencies might significantly change. -creationInfo: - comment: This is Software Bill of Materials (SBOM) generated for ApiDOM. - created: 2022-02-11T11:00:00Z - creators: - - "Organization: SmartBear Software, Inc. (info@smartbear.com)" - - "Person: Vladimír Gorej (vladimir.gorej@gmail.com)" - - "Tool: Manual inspection of node_modules" - licenseListVersion: 3.9 -documentDescribes: - - SPDXRef-ApiDOM -documentNamespace: 9c185864-d85b-4b7e-a782-9128a77585f6 - -packages: - # direct dependencies - - SPDXID: SPDXRef-ApiDOM - name: ApiDOM - copyrightText: Copyright 2020 SmartBear Software Inc. - description: Semantic parser for API specifications - licenseComments: See NOTICE file for more information - downloadLocation: https://github.com/orgs/swagger-api/packages?repo_name=apidom - filesAnalyzed: false - homepage: https://github.com/swagger-api/apidom - licenseDeclared: Apache-2.0 - licenseConcluded: Apache-2.0 - originator: "Organization: SmartBear Software Inc. (info@smartbear.com)" - versionInfo: 0.17.0 - - - SPDXID: SPDXRef-stampit - name: stampit - copyrightText: Copyright (c) 2013 Eric Elliott. - description: Create objects from reusable, composable behaviors. 
- downloadLocation: https://registry.npmjs.org/stampit/-/stampit-4.3.2.tgz - filesAnalyzed: false - homepage: https://stampit.js.org/ - licenseDeclared: MIT - licenseConcluded: MIT - originator: "Person: Eric Elliott (https://ericelliottjs.com)" - versionInfo: 4.3.2 - - - SPDXID: SPDXRef-minim - name: minim - copyrightText: Copyright (c) 2014 Stephen Mizell - description: A library for interacting with JSON through Refract elements - downloadLocation: https://registry.npmjs.org/@types/ramda/-/ramda-0.27.64.tgz - filesAnalyzed: false - homepage: https://registry.npmjs.org/@types/ramda/-/ramda-0.27.64.tgz - licenseDeclared: MIT - licenseConcluded: MIT - originator: "Person: Scott O'Malley ()" - versionInfo: 0.27.64 - - - SPDXID: SPDXRef-ramda - name: ramda - copyrightText: Copyright (c) 2013-2018 Scott Sauyet and Michael Hurley - description: A practical functional library for JavaScript programmers. - downloadLocation: https://registry.npmjs.org/ramda/-/ramda-0.28.0.tgz - filesAnalyzed: false - homepage: https://ramdajs.com/ - licenseDeclared: MIT - licenseConcluded: MIT - originator: "Person: Scott Sauyet and Michael Hurley ()" - versionInfo: 0.28.0 - - - SPDXID: "SPDXRef-@types/ramda" - name: "@types/ramda" - copyrightText: Copyright (c) Microsoft Corporation. - description: TypeScript definitions for ramda - downloadLocation: https://registry.npmjs.org/ramda/-/ramda-0.28.0.tgz - filesAnalyzed: false - homepage: https://github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/ramda - licenseDeclared: MIT - licenseConcluded: MIT - originator: "Person: Scott Sauyet and Michael Hurley ()" - versionInfo: 0.28.0 - - - SPDXID: SPDXRef-ramda-adjunct - name: ramda-adjunct - copyrightText: Copyright 2017-2019 Vladimír Gorej and the Ramda Adjunct contributors - description: Ramda Adjunct is the most popular and most comprehensive set of utilities for use with Ramda, providing a variety of useful, well tested functions with excellent documentation. 
- downloadLocation: https://registry.npmjs.org/ramda-adjunct/-/ramda-adjunct-3.0.0.tgz - filesAnalyzed: false - homepage: https://github.com/char0n/ramda-adjunct - licenseDeclared: BSD-3-Clause - licenseConcluded: BSD-3-Clause - originator: "Person: Vladimír Gorej (vladimir.gorej@gmail.com)" - versionInfo: 3.0.0 - - - SPDXID: SPDXRef-unraw - name: unraw - copyrightText: Copyright (c) 2019 Ian Sanders - description: Convert raw escape sequences to their respective characters (undo String.raw). - downloadLocation: https://registry.npmjs.org/unraw/-/unraw-2.0.1.tgz - filesAnalyzed: false - homepage: https://github.com/iansan5653/unraw - licenseDeclared: MIT - licenseConcluded: MIT - originator: "Person: Ian Sanders ()" - versionInfo: 2.0.1 - - - SPDXID: "SPDXRef-@babel/runtime-corejs3" - name: "@babel/runtime-corejs3" - copyrightText: Copyright (c) 2014-present Sebastian McKenzie and other contributors - description: Convert raw escape sequences to their respective characters (undo String.raw). 
- downloadLocation: https://registry.npmjs.org/@babel/runtime-corejs3/-/runtime-corejs3-7.17.2.tgz - filesAnalyzed: false - homepage: https://github.com/babel/babel/tree/master/packages/babel-runtime-corejs3 - licenseDeclared: MIT - licenseConcluded: MIT - originator: "Organization: The Babel Team (https://babel.dev/team)" - versionInfo: 7.17.2 - - - SPDXID: SPDXRef-tree-sitter - name: tree-sitter - copyrightText: Copyright (c) 2014 maxbrunsfeld - description: Incremental parsers for node - downloadLocation: https://registry.npmjs.org/tree-sitter/-/tree-sitter-0.20.0.tgz - filesAnalyzed: false - homepage: https://tree-sitter.github.io/ - licenseDeclared: MIT - licenseConcluded: MIT - originator: "Person: Max Brunsfeld ()" - versionInfo: 0.20.0 - - - SPDXID: SPDXRef-tree-sitter-json - name: tree-sitter-json - copyrightText: Copyright (c) 2014 maxbrunsfeld - description: JSON grammar for tree-sitter - downloadLocation: https://registry.npmjs.org/tree-sitter-json/-/tree-sitter-json-0.19.0.tgz - filesAnalyzed: false - homepage: https://tree-sitter.github.io/ - licenseDeclared: MIT - licenseConcluded: MIT - originator: "Person: Max Brunsfeld ()" - versionInfo: 0.19.0 - - - SPDXID: SPDXRef-tree-sitter-yaml - name: tree-sitter-yaml - copyrightText: Copyright (c) Ika (https://github.com/ikatyang) - description: YAML grammar for tree-sitter - downloadLocation: https://registry.npmjs.org/tree-sitter-yaml/-/tree-sitter-yaml-0.5.0.tgz - filesAnalyzed: false - homepage: https://tree-sitter.github.io/ - licenseDeclared: MIT - licenseConcluded: MIT - originator: "Person: Ika (ikatyang@gmail.com)" - versionInfo: 0.5.0 - - - SPDXID: SPDXRef-web-tree-sitter - name: web-sitter-json - copyrightText: Copyright (c) 2018-2021 Max Brunsfeld - description: Tree-sitter bindings for the web - downloadLocation: https://registry.npmjs.org/web-sitter-json/-/web-sitter-json-0.20.3.tgz - filesAnalyzed: false - homepage: https://github.com/tree-sitter/tree-sitter/tree/master/lib/binding_web - 
licenseDeclared: MIT - licenseConcluded: MIT - originator: "Person: Max Brunsfeld ()" - versionInfo: 0.20.3 - - - SPDXID: SPDXRef-axios - name: axios - copyrightText: Copyright (c) 2014-present Matt Zabriskie - description: Promise based HTTP client for the browser and node.js - downloadLocation: https://registry.npmjs.org/axios/-/axios-0.25.0.tgz - filesAnalyzed: false - homepage: https://github.com/axios/axios - licenseDeclared: MIT - licenseConcluded: MIT - originator: "Person: Matt Zabriskie ()" - versionInfo: 0.25.0 - - - SPDXID: SPDXRef-short-unique-id - name: short-unique-id - copyrightText: Copyright (c) 2018-2021 Short Unique ID Contributors - description: Generate random or sequential UUID of any length - downloadLocation: https://registry.npmjs.org/short-unique-id/-/short-unique-id-4.4.4.tgz - filesAnalyzed: false - homepage: https://github.com/simplyhexagonal/short-unique-id - licenseDeclared: Apache-2.0 - licenseConcluded: Apache-2.0 - originator: "Person: Jean Lescure (https://jeanlescure.io)" - versionInfo: 4.4.4 - - # transitive dependencies - - SPDXID: SPDXRef-lodash - name: lodash - copyrightText: Copyright OpenJS Foundation and other contributors - description: Lodash modular utilities. 
- downloadLocation: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz - filesAnalyzed: false - homepage: https://lodash.com/docs/4.17.15 - licenseDeclared: MIT - licenseConcluded: MIT - originator: "Person: John-David Dalton (john.david.dalton@gmail.com)" - versionInfo: 4.17.21 - - - SPDXID: SPDXRef-core-js-pure - name: core-js-pure - copyrightText: Copyright (c) 2014-2022 Denis Pushkarev - description: Standard library - downloadLocation: https://registry.npmjs.org/core-js-pure/-/core-js-pure-3.20.2.tgz - filesAnalyzed: false - homepage: https://github.com/zloirock/core-js/tree/master/packages/core-js-pure - licenseDeclared: MIT - licenseConcluded: MIT - originator: "Person: Denis Pushkarev ()" - versionInfo: 3.20.2 - - - SPDXID: SPDXRef-regenerator-runtime - name: regenerator-runtime - copyrightText: Copyright (c) 2014-present, Facebook, Inc. - description: Runtime for Regenerator-compiled generator and async functions. - downloadLocation: https://registry.npmjs.org/regenerator-runtime/-/regenerator-runtime-0.13.9.tgz - filesAnalyzed: false - homepage: https://github.com/facebook/regenerator/tree/main/packages/runtime - licenseDeclared: MIT - licenseConcluded: MIT - originator: "Person: Ben Newman (bn@cs.stanford.edu)" - versionInfo: 0.13.9 - - - SPDXID: SPDXRef-nan - name: nan - copyrightText: Copyright (c) 2018 NAN contributors - description: "Native Abstractions for Node.js: C++ header for Node 0.8 -> 14 compatibility" - downloadLocation: https://registry.npmjs.org/nan/-/nan-2.15.0.tgz - filesAnalyzed: false - homepage: https://github.com/nodejs/nan - licenseDeclared: MIT - licenseConcluded: MIT - originator: "Person: Rod Vagg (r@va.gg)" - versionInfo: 2.15.0 - - - SPDXID: SPDXRef-follow-redirects - name: follow-redirects - copyrightText: Copyright 2014–present Olivier Lalonde , James Talmage , Ruben Verborgh - description: HTTP and HTTPS modules that follow redirects. 
- downloadLocation: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.7.tgz - filesAnalyzed: false - homepage: https://github.com/follow-redirects/follow-redirects - licenseDeclared: MIT - licenseConcluded: MIT - originator: "Person: Ruben Verborgh (ruben@verborgh.org)" - versionInfo: 1.14.7 - -relationships: - - spdxElementId: SPDXRef-ApiDOM - relatedSpdxElement: SPDXRef-stampit - relationshipType: DEPENDS_ON - - - spdxElementId: SPDXRef-ApiDOM - relatedSpdxElement: SPDXRef-minim - relationshipType: DEPENDS_ON - - - spdxElementId: SPDXRef-ApiDOM - relatedSpdxElement: SPDXRef-ramda - relationshipType: DEPENDS_ON - - - spdxElementId: SPDXRef-ApiDOM - relatedSpdxElement: SPDXRef-@types/ramda - relationshipType: DEPENDS_ON - - - spdxElementId: SPDXRef-ApiDOM - relatedSpdxElement: SPDXRef-ramda-adjunct - relationshipType: DEPENDS_ON - - - spdxElementId: SPDXRef-ApiDOM - relatedSpdxElement: SPDXRef-unraw - relationshipType: DEPENDS_ON - - - spdxElementId: SPDXRef-ApiDOM - relatedSpdxElement: SPDXRef-@babel/runtime-corejs3 - relationshipType: DEPENDS_ON - - - spdxElementId: SPDXRef-ApiDOM - relatedSpdxElement: SPDXRef-tree-sitter - relationshipType: DEPENDS_ON - - - spdxElementId: SPDXRef-ApiDOM - relatedSpdxElement: SPDXRef-tree-sitter-json - relationshipType: DEPENDS_ON - - - spdxElementId: SPDXRef-ApiDOM - relatedSpdxElement: SPDXRef-tree-sitter-yaml - relationshipType: DEPENDS_ON - - - spdxElementId: SPDXRef-ApiDOM - relatedSpdxElement: SPDXRef-web-tree-sitter - relationshipType: DEPENDS_ON - - - spdxElementId: SPDXRef-ApiDOM - relatedSpdxElement: SPDXRef-axios - relationshipType: DEPENDS_ON - - - spdxElementId: SPDXRef-ApiDOM - relatedSpdxElement: SPDXRef-short-unique-id - relationshipType: DEPENDS_ON - - - spdxElementId: SPDXRef-lodash - relatedSpdxElement: SPDXRef-minim - relationshipType: DEPENDENCY_OF - - - spdxElementId: SPDXRef-core-js-pure - relatedSpdxElement: SPDXRef-@babel/runtime-corejs3 - relationshipType: DEPENDENCY_OF - - - 
spdxElementId: SPDXRef-regenerator-runtime - relatedSpdxElement: SPDXRef-@babel/runtime-corejs3 - relationshipType: DEPENDENCY_OF - - - spdxElementId: SPDXRef-nan - relatedSpdxElement: SPDXRef-tree-sitter - relationshipType: DEPENDENCY_OF - - - spdxElementId: SPDXRef-nan - relatedSpdxElement: SPDXRef-tree-sitter-yaml - relationshipType: DEPENDENCY_OF - - - spdxElementId: SPDXRef-nan - relatedSpdxElement: SPDXRef-tree-sitter-json - relationshipType: DEPENDENCY_OF - - - spdxElementId: SPDXRef-follow-redirects - relatedSpdxElement: SPDXRef-axios - relationshipType: DEPENDENCY_OF