README.md
Lines changed: 74 additions & 30 deletions
@@ -2,13 +2,25 @@
2
2
3
3
### What is AboutCode?
4
4
5
-
AboutCode is a suite of tools to uncover data ... about software:
5
+
AboutCode is a family of FOSS projects to uncover data ... about software:
6
6
7
-
- Where does it come from?
8
-
- What is its license?
9
-
- Is it secure, maintained, well coded?
7
+
- where does the code come from? which software package?
8
+
- what is its license? copyright?
9
+
- is the code vulnerable, maintained, well coded?
10
+
- what are its dependencies, are there vulneribilities/licensing issues?
10
11
11
-
These are important questions when there are millions of free and open source software components and packages available on the web.
12
+
All these are questions that are important to answer: there are millions
13
+
of free and open source software components available on the web for reuse.
14
+
15
+
Knowing where a software package comes from, what its license is and whether it is
16
+
vulnerable should be a problem of the past such that everyone can safely consume
17
+
more free and open source software. We support not only open source software, but
18
+
also open data, generated and curated by our applications.
19
+
20
+
> **_NOTE:_** This is a repository with information on aboutcode open source activities and not
21
+
the actual code repository. See the [projects section](https://github.com/nexB/aboutcode#projects)
22
+
below for links to all the code repositories of our projects with a brief overview and our
23
+
[wiki](https://github.com/nexB/aboutcode/wiki) if you are looking to participate.
12
24
13
25
### Documentation Build Status
14
26
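Review bot: the new bullet "what are its dependencies, are there vulneribilities/licensing issues?" misspells "vulnerabilities" (the same misspelling recurs in the projects section further down, so one spell-check pass over the whole file would be worthwhile). The four rewritten bullets also mix styles, each starting lowercase and chaining two questions ("what is its license? copyright?"); either capitalize them or write one question per bullet, e.g. "- What is its license and copyright?". Minor: "aboutcode open source activities" in the NOTE should read "AboutCode", matching the heading above it.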
@@ -20,15 +32,9 @@ Our homepage is at http://aboutcode.org
20
32
21
33
Our documentation (in progress) is at https://aboutcode.readthedocs.io/en/latest/
22
34
23
-
AboutCode Documentation Group Email Addresses:
24
-
25
-
- Join: https://groups.io/g/AboutCode/join
26
-
- Post: AboutCode@groups.io
27
-
- Subscribe: AboutCode+subscribe@groups.io
28
-
- Unsubscribe: AboutCode+unsubscribe@groups.io
29
-
- Group Owner: AboutCode+owner@groups.io
30
-
31
-
If you want to get in touch with the team with issues other than documentation, head to the gitter channel [here](https://gitter.im/aboutcode-org/discuss).
35
+
Join the chat online at [app.gitter.im : aboutcode-org#discuss](https://app.gitter.im/#/room/#aboutcode-org_discuss:gitter.im)
36
+
or if you're using the element app set the homeserver to `gitter.im` and then join the [aboutcode-org#discuss](https://matrix.to/#/#aboutcode-org_discuss:gitter.im)
37
+
chatroom. Introduce yourself and start the discussion!
32
38
33
39
Look at our [wiki](https://github.com/nexB/aboutcode/wiki) for information about our participation
34
40
in the GSoC and GSoD programs.
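Review bot: this hunk drops the AboutCode groups.io list (join, post, subscribe, unsubscribe and owner addresses) without saying whether the list has been retired; if it still exists, keep at least the join link, and if it is retired, a one-line "the mailing list is no longer used, please use the chat" saves people who subscribed from the old README from wondering where documentation questions now go. The replacement sentence is also a run-on: split it after the first link and capitalize the app name, e.g. "If you use the Element app, set the homeserver to `gitter.im` and join the aboutcode-org#discuss chatroom."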
@@ -39,35 +45,73 @@ We have a weekly meeting, see more details [here](https://github.com/nexB/aboutc
39
45
40
46
Each AboutCode project has its own repository:
41
47
42
-
-**[ScanCode Toolkit](https://github.com/nexB/scancode-toolkit)**: a set of code scanning tools to detect the origin and license of code and dependencies. ScanCode now uses a plug-in architecture to run a series of scan-related tools in one process flow. This is the most popular project and is used by 100's of software teams . The lead maintainer is @pombredanne
48
+
-**[ScanCode Toolkit](https://github.com/nexB/scancode-toolkit)**: a set of code scanning tools to detect
49
+
the origin and license of code and dependencies. ScanCode now uses a plug-in architecture to run a series
50
+
of scan-related tools in one process flow. This is the most popular project and is used by 100's of software
51
+
teams . The lead maintainer is @pombredanne
43
52
44
-
-**[Scancode.io](https://github.com/nexB/scancode.io)**: a web-based and
45
-
API to run and review scans in rich scripted ScanPipe pipelines.
53
+
-**[Scancode.io](https://github.com/nexB/scancode.io)**: is a web-based and API to run and review scans in
54
+
rich scripted pipelines, on different kinds of containers, docker images, package archives, manifests etc,
55
+
to get information on licenses, copyrights, source, vulneribilities. The lead maintainer is @tdruez
46
56
47
-
-**[VulnerableCode](https://github.com/nexB/vulnerablecode)**: an emerging server-side application to collect and track known package vulnerabilities.
57
+
-**[VulnerableCode](https://github.com/nexB/vulnerablecode)**: is a web-based API and
58
+
database to collect and track all the known software package vulnerabilities, with
59
+
affected and fixed packages, references and a standalone tool Vulntotal to compare
60
+
this vulneribility information across similar tools. This is maintained by @tg1999 and @pombredanne
48
61
49
-
-**[Scancode Workbench](https://github.com/nexB/scancode-workbench)**: a desktop application (based on Electron) to review the results of a scan and document your conclusions about the origin and license of software components and packages.
62
+
-**[univers](https://github.com/nexB/univers)** is a package to parse and compare
63
+
all the package versions and all the ranges.
50
64
51
-
-**[AboutCode Toolkit](https://github.com/nexB/aboutcode-toolkit)**: a set of command line tools to document the provenance of your code and generate attribution notices. AboutCode Toolkit uses small yaml files to document code provenance inside a codebase. The lead maintainer is @chinyeungli
65
+
-**[purlDB](https://github.com/nexB/purldb)** consists of tools to create and expose
66
+
a database of purls (Package URLs) and also has package data for all of these
67
+
packages created from scans. This is maintained by @jyang
52
68
53
-
-**[TraceCode Toolkit](https://github.com/nexB/tracecode-toolkit)**: a set of tools to trace files from your deployment or distribution packages back to their origin in a development codebase or repository. The primary tool uses strace https://github.com/strace/strace/ to trace system calls on Linux and construct a build graph from syscalls to show which files are used to build a binary. We are contributors to strace. Maintained by @pombredanne
69
+
-**[FetchCode](https://github.com/nexB/fetchcode)** is a library
70
+
to reliably fetch any code via HTTP, FTP and version control systems such as git.
54
71
55
-
-**[container-inspector](https://github.com/nexB/container-inspector)**: a tool to analyze the structure and provenance of software components in Docker images using static analysis. Maintained by @pombredanne
72
+
-**[Scancode Workbench](https://github.com/nexB/scancode-workbench)**: a desktop application
73
+
based on typescript and react to visualize and review scan results from scancode scans.
56
74
57
-
-**[license-expression](https://github.com/nexB/license-expression/)**: a library to parse, analyze, compare and normalize SPDX and SPDX-like license expressions using a boolean logic expression engine. See https://spdx.org/spdx-specification-21-web-version#h.jxpfx0ykyb60 to understand what an expression is. See https://github.com/nexB/license-expression for the code. The underlying boolean engine is live at https://github.com/bastikr/boolean.py . Both are co-maintained by @pombredanne
75
+
-**[AboutCode Toolkit](https://github.com/nexB/aboutcode-toolkit)**: a set of command line tools to document
76
+
the provenance of your code and generate attribution notices. AboutCode Toolkit uses small yaml files to
77
+
document code provenance inside a codebase. The lead maintainer is @chinyeungli
58
78
59
-
-**ABCD aka AboutCode Data**: a simple set of conventions to define data structures that all the AboutCode tools can understand and use to exchange data. The details are at [AboutCode Data](https://aboutcode.readthedocs.io/en/latest/aboutcode-data/abcd.html). ABOUT files and ScanCode Toolkit data are examples of this approach. Other projects such as https://libraries.io and and [OSS Review Toolkit](https://github.com/heremaps/oss-review-toolkit) are also using these conventions.
79
+
-**[container-inspector](https://github.com/nexB/container-inspector)**: a tool to analyze the structure
80
+
and provenance of software components in Docker images using static analysis. Maintained by @pombredanne
60
81
61
-
-**[DeltaCode](https://github.com/nexB/deltacode)**: a command line tool to compare scans and determine if and where there are material
62
-
differences that affect licensing.
82
+
-**[python-inspector](https://github.com/nexB/python-inspector)** and **[nuget inspector](https://github.com/nexB/nuget-inspector/)**
83
+
inspects manifests and code to resolve dependencies (vulnerable and non-vulnerable) for
84
+
python and nuget packages respectively.
63
85
86
+
-**[license-expression](https://github.com/nexB/license-expression/)**: a library to parse, analyze, compare
87
+
and normalize SPDX and SPDX-like license expressions using a boolean logic expression engine.
88
+
See https://spdx.org/spdx-specification-21-web-version#h.jxpfx0ykyb60 to understand what an expression is.
89
+
See https://github.com/nexB/license-expression for the code. The underlying boolean engine is live at
90
+
https://github.com/bastikr/boolean.py . Both are co-maintained by @pombredanne
91
+
92
+
-**ABCD aka AboutCode Data**: a simple set of conventions to define data structures that all the
93
+
AboutCode tools can understand and use to exchange data. The details are at
ABOUT files and ScanCode Toolkit data are examples of this approach. Other projects such as
96
+
https://libraries.io and and [OSS Review Toolkit](https://github.com/heremaps/oss-review-toolkit)
97
+
are also using these conventions.
98
+
99
+
-**[TraceCode Toolkit](https://github.com/nexB/tracecode-toolkit)**: a set of tools to trace files from your
100
+
deployment or distribution packages back to their origin in a development codebase or repository.
101
+
The primary tool uses strace https://github.com/strace/strace/ to trace system calls on Linux and construct
102
+
a build graph from syscalls to show which files are used to build a binary. We are contributors to strace.
103
+
Maintained by @pombredanne
64
104
65
105
We also co-started and worked closely with other FOSS orgs and projects:
66
106
67
-
-[Package URL](https://github.com/package-url): an emerging standard to reference software packages of all types with simple, readable and
68
-
concise URLs.
107
+
-[Package URL](https://github.com/package-url): a widely used standard to reference software packages of all types with simple,
108
+
readable and concise URLs.
69
109
70
110
-[SPDX](http://SPDX.org): aka. Software Package Data Exchange, a spec to document the origin and licensing of packages.
71
111
72
-
-[ClearlyDefined](https://ClearlyDefined.io): a project to review and help FOSS projects improve their licensing and documentation clarity. This project is incubating
73
-
with https://opensource.org
112
+
-[CycloneDX](https://cyclonedx.org) aka. OWASP CycloneDX is a full-stack
113
+
Bill of Materials (BOM) standard that provides advanced supply chain
114
+
capabilities for cyber risk reduction
115
+
116
+
-[ClearlyDefined](https://ClearlyDefined.io): a project to review and help FOSS projects improve their licensing
117
+
and documentation clarity. This project is incubating with https://opensource.org
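Review bot: several grammar and spelling slips in the rewritten project entries: "Scancode.io ... is a web-based and API" is missing a noun, e.g. "is a web application and API"; "vulneribilities" (Scancode.io entry) and "vulneribility" (VulnerableCode entry) should be "vulnerabilities" and "vulnerability"; "software teams ." still has the stray space before the period carried over from the old text; "python-inspector and nuget inspector inspects" needs "inspect" for the plural subject; and the ABCD entry keeps the pre-existing "https://libraries.io and and" doubled word. The DeltaCode entry is removed outright while every other project is only reordered or reworded; if DeltaCode is archived or its scan-comparison role has moved into another tool, say so in the commit message or in the README, otherwise keep the entry. Consider also stating what "maintained by" means for the entries that gained a maintainer handle, so readers know whom to ping on issues versus who merges.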