diff --git a/docs/source/aboutcode-project-overview.rst b/docs/source/aboutcode-project-overview.rst index 8db170b..f3da184 100644 --- a/docs/source/aboutcode-project-overview.rst +++ b/docs/source/aboutcode-project-overview.rst @@ -4,13 +4,45 @@ AboutCode Project Overview ========================== -The primary current AboutCode projects are: +Primary AboutCode Projects +-------------------------- .. toctree:: :maxdepth: 2 - aboutcode-projects/scancode-toolkit-project aboutcode-projects/scancodeio-project - aboutcode-projects/scancode-workbench-project aboutcode-projects/vulnerablecode-project + aboutcode-projects/purldb-project + aboutcode-projects/scancode-toolkit-project + aboutcode-projects/scancode-workbench-project + aboutcode-projects/dejacode-project + +Supporting AboutCode Projects +----------------------------- + +.. toctree:: + :maxdepth: 2 + + aboutcode-projects/license-expression-project + aboutcode-projects/scancode-licensedb-project + aboutcode-projects/source-inspector-project + aboutcode-projects/python-inspector-project + aboutcode-projects/scancode-action-project aboutcode-projects/aboutcode-toolkit-project + +Getting Started +--------------- + +.. toctree:: + :maxdepth: 2 + + getting-started/start-scanning-code + + getting-started/manage-license-policies + + getting-started/create-sboms + + getting-started/consume-sboms + + getting-started/cra-compliance + diff --git a/docs/source/aboutcode-projects/dejacode-project.rst b/docs/source/aboutcode-projects/dejacode-project.rst new file mode 100644 index 0000000..8cf2f70 --- /dev/null +++ b/docs/source/aboutcode-projects/dejacode-project.rst 
@@ -0,0 +1,33 @@ +.. _dejacode-project: + +DejaCode +======== + +`DejaCode `_: is a Cloud +application server that automates open source license compliance and ensures +software supply chain integrity. It is a comprehensive enterprise-level application, +powered by `ScanCode `_, +the industry-leading code scanner. + +* Run scans and track all the open source and third-party products and + components used in your software. +* Apply usage policies at the license or component level, + integrate into ScanCode to ensure compliance. +* Capture software inventories (SBOMs), generate compliance artifacts, and keep + historical data. +* Ensure FOSS compliance with enterprise-grade features and integrations for DevOps + and software systems. +* Scan a software package, simply by providing its Download URL, to get comprehensive + details of its composition and create an SBOM. +* Load software package data into DejaCode with the integration for the open source + ScanCode.io and ScanCode Toolkit projects to create a product’s SBOM. +* Track and report vulnerability tracking and reporting by integrating with the open + source VulnerableCode project. +* Create, publish and share SBOM documents in DejaCode, including detailed attribution + documentation and custom reports in multiple file formats and standards, such as + CycloneDX and SPDX. + +Read more at: https://dejacode.readthedocs.io + +Get the code at: https://github.com/aboutcode-org/dejacode + diff --git a/docs/source/aboutcode-projects/license-expression-project.rst b/docs/source/aboutcode-projects/license-expression-project.rst new file mode 100644 index 0000000..4431bb6 --- /dev/null +++ b/docs/source/aboutcode-projects/license-expression-project.rst 
@@ -0,0 +1,11 @@ +.. _license-expression-project: + +license-expression +================== + +`license-expression `_: is a +comprehensive utility library to parse, compare, simplify and normalize license +expressions (such as SPDX license expressions) using boolean logic. + + - Read more at: https://github.com/aboutcode-org/license-expression + - Get the code at: https://github.com/aboutcode-org/license-expression/releases diff --git a/docs/source/aboutcode-projects/purldb-project.rst b/docs/source/aboutcode-projects/purldb-project.rst new file mode 100644 index 0000000..7a238a9 --- /dev/null +++ b/docs/source/aboutcode-projects/purldb-project.rst @@ -0,0 +1,26 @@ +.. purldb-project: + +PurlDB +====== + +`PurlDB `_: is a set of +tools to create and expose a database of purls (Package URLs). This project is +sponsored by NLnet project https://nlnet.nl/project/vulnerabilitydatabase/ and +nexB for https://www.aboutcode.org/ + +The PurlDB tools include: + +* PackageDB that is the reference model (based on ScanCode toolkit) that contains + package data with PURL (Package URLs) being a first class citizen. +* MineCode that contains utilities to mine package repositories +* MatchCode that contains utilities to index package metadata and resources for + matching +* MatchCode.io that provides package matching functionalities for codebases +* ClearCode that contains utilities to mine Clearlydefined for package data +* purldb-toolkit CLI utility and library to use the PurlDB, its API and various + related libraries. + +Read more at: https://purldb.readthedocs.io + +Get the code at: https://github.com/aboutcode-org/purldb + diff --git a/docs/source/aboutcode-projects/python-inspector-project.rst b/docs/source/aboutcode-projects/python-inspector-project.rst new file mode 100644 index 0000000..af4e574 --- /dev/null +++ b/docs/source/aboutcode-projects/python-inspector-project.rst 
@@ -0,0 +1,27 @@ +.. _python-inspector-project: + +python-inspector +================ + +`python-inspector `_: +is a collection of utilities to: + +- resolve PyPI packages dependencies + +- parse various requirements.txt files and setup.py files as input + for resolving dependencies. + +- parse various manifests and packages files such as + Pipfile, pyproject.toml, poetry.lock and setup.cfg and legacy and + current metadata file formats for eggs, wheels and sdist. These + have not been wired with the command line yet. + +- query PyPI JSON and simple APIs for package information + +It grew out of ScanCode-Toolkit to find and analyze PyPI archives and +installed Python packages and their files. + +The goal of python-inspector is to be a comprehensive library +that can handle every style of Python package layouts, manifests and lockfiles. + + - Get the code at: https://github.com/aboutcode-org/python-inspector diff --git a/docs/source/aboutcode-projects/scancode-action-project.rst b/docs/source/aboutcode-projects/scancode-action-project.rst new file mode 100644 index 0000000..8f0ed5e --- /dev/null +++ b/docs/source/aboutcode-projects/scancode-action-project.rst @@ -0,0 +1,10 @@ +.. _scancode-action-project: + +scancode-action +=============== + +`scancode-action `_: enables +you to run ScanCode.io pipelines from your workflows. + + - Read more at: https://github.com/aboutcode-org/scancode-action + - Get the code at: https://github.com/aboutcode-org/scancode-action/releases diff --git a/docs/source/aboutcode-projects/scancode-licensedb-project.rst b/docs/source/aboutcode-projects/scancode-licensedb-project.rst new file mode 100644 index 0000000..c64962c --- /dev/null +++ b/docs/source/aboutcode-projects/scancode-licensedb-project.rst 
@@ -0,0 +1,27 @@ +.. _scancode-licensedb-project: + +ScanCode LicenseDB +================== + +`ScanCode LicenseDB `_: +is a large free and open database of software licenses, in particular open-source +software licenses, with over 2300 curated licenses texts and their metadata. + +LicenseDB is built from the ScanCode Toolkit license dataset. ScanCode Toolkit +is a leading open source code scanner and license detection engine. + +LicenseDB is an essential reference license resource for license compliance and +SBOMs. LicenseDB includes all the SPDX and OSI licenses together with an extended +curated collection of other licenses and license metadata. These licenses are +carefully reviewed and curated and continuously updated by an open community of +contributors. + +LicenseDB is available as a web site at: https://scancode-licensedb.aboutcode.org/ +You can search the licenses by name, key and other attributes. The web site is updated +daily by a GitHub action with updates from scancode-toolkit develop. + +LicenseDB is also available as a JSON or YAML API and a git repository +making it easy to reuse and integrate in tools that need a database of reference +software licenses. + + - Get the code at: https://github.com/aboutcode-org/scancode-licensedb diff --git a/docs/source/aboutcode-projects/source-inspector-project.rst b/docs/source/aboutcode-projects/source-inspector-project.rst new file mode 100644 index 0000000..55d9dea --- /dev/null +++ b/docs/source/aboutcode-projects/source-inspector-project.rst @@ -0,0 +1,11 @@ +.. _source-inspector-project: + +source-inspector +================ + +`source-inspector `_: +is a collection of utilities to inspect and analyze source code and collect interesting +data using various tools such as code symbols, strings and comments. +This is also a ScanCode-Toolkit plugin. + + - Get the code at: https://github.com/aboutcode-org/source-inspector 
diff --git a/docs/source/getting-started/consume-sboms.rst b/docs/source/getting-started/consume-sboms.rst new file mode 100644 index 0000000..d58a2b3 --- /dev/null +++ b/docs/source/getting-started/consume-sboms.rst 
@@ -0,0 +1,98 @@ +.. _consume-sboms: + +Use AboutCode to consume SBOMs from your suppliers +================================================== + +You can use **ScanCode.io** to consume SBOMs from your suppliers. ScanCode.io will +identify all the licenses associated with your codebase resources, highlighting the ones +that need attention based on your policies. ScanCode.io also identifies and highlights +software vulnerabilities. + +You can also use **DejaCode** to consume SBOMs from your suppliers, generally in the +context of an SBOM that you intend to use in one of your own products. + +1. Install AboutCode Projects +----------------------------- + +**Install ScanCode.io** + +https://scancodeio.readthedocs.io/en/latest/installation.html + +**Install DejaCode.** + +https://dejacode.readthedocs.io/en/latest/installation.html + +**Setup your own Dataspace in DejaCode** + +https://dejacode.readthedocs.io/en/latest/dataspace.html + +.. note:: + Not ready to install your own instance of DejaCode? Consider taking a look at + the DejaCode public evaluation site to take a test drive, and if you have specific + requirements, you may also request a private SaaS evaluation dataspace. + See https://public.dejacode.com/account/register/ + +Configure DejaCode to integrate with ScanCode.io. See + +https://dejacode.readthedocs.io/en/latest/application-settings.html#scancodeio + +**Install PurlDB** + +https://aboutcode.readthedocs.io/projects/PURLdb/en/latest/getting-started/install.html + +Configure DejaCode to integrate with your PurlDB instance. See: + +https://dejacode.readthedocs.io/en/latest/application-settings.html#purldb + +.. note:: + Not ready to install your own instance of PurlDB? You can configure DejaCode to + integrate with the public version at https://public.purldb.io/ + +**Install VulnerableCode** + +https://vulnerablecode.readthedocs.io/en/latest/installation.html#installation + +Configure Dejacode to integrate with your Vulnerablecode instance. 
+ +https://dejacode.readthedocs.io/en/latest/dataspace.html#enable-vulnerablecodedb-service + +.. note:: + Not ready to install your own instance of VulnerableCode? You can configure DejaCode + to integrate with the public version at https://public.vulnerablecode.io/ + + +2. Load Package Data from SBOMs to ScanCode.io +---------------------------------------------- + +Create a new Project in ScanCode.io . + +https://scancodeio.readthedocs.io/en/latest/user-interface.html#creating-a-new-project + +Load package data from one or more SBOMs to your Project using the load_sbom Pipeline. + +https://scancodeio.readthedocs.io/en/latest/built-in-pipelines.html#load-sbom + +Review the details in your ScanCode.io project. + +Export the results in the appropriate format to share with your team, such as CycloneDX +and SPDX SBOMs. + +https://scancodeio.readthedocs.io/en/latest/output-files.html#output-files + + +3. Import SBOM data to a DejaCode Product +----------------------------------------- + +Create a new Product in DejaCode for comprehensive analysis and action. + +https://dejacode.readthedocs.io/en/latest/tutorial-1.html + +Load an SBOM to your Dejacode Product. + +https://dejacode.readthedocs.io/en/latest/tutorial-5-sboms.html#load-an-sbom-to-your-product + +Review and edit your Product in DejaCode. Enrich the data as needed. + +Generate Attribution and SBOMs from DejaCode Products. + +https://dejacode.readthedocs.io/en/latest/tutorial-5-sboms.html#tutorial-5-working-with-sboms-in-a-product diff --git a/docs/source/getting-started/cra-compliance.rst b/docs/source/getting-started/cra-compliance.rst new file mode 100644 index 0000000..4d44eb0 --- /dev/null +++ b/docs/source/getting-started/cra-compliance.rst 
@@ -0,0 +1,11 @@ +.. _cra-compliance: + +Use AboutCode to support CRA compliance +======================================= + +The AboutCode stack provides you with the tools you need to support CRA Compliance +activities, including code scanning and analysis, license identification, vulnerability +management, and SBOM generation. + +https://dejacode.readthedocs.io/en/latest/reference-3-cravex.html + diff --git a/docs/source/getting-started/create-sboms.rst b/docs/source/getting-started/create-sboms.rst new file mode 100644 index 0000000..460a925 --- /dev/null +++ b/docs/source/getting-started/create-sboms.rst 
@@ -0,0 +1,97 @@ +.. _create-sboms: + +Use AboutCode to create SBOMs for your products +=============================================== +You can use **ScanCode.io** to create an SBOM from a scanned package, codebase or +product. ScanCode.io will identify all the licenses associated with the scanned object, +highlighting the licenses that need attention based on your policies. You can also use +ScanCode.io to identify software vulnerabilities. With its library of standard and +custom pipelines, ScanCode.io performs a deep and comprehensive scanning to meet your +analysis requirements. + +If you need to edit the results of a scan, **Dejacode** will enable you to import those +results into a product, review your product inventories, assert license conclusions, +and record your analysis and actions related to any licenses that require attention. +You can also record your analysis and actions related to any software vulnerabilities +that have been discovered. You can then use DejaCode to create SBOMs for your products. + +1. Install AboutCode Projects +----------------------------- + +**Install DejaCode.** + +https://dejacode.readthedocs.io/en/latest/installation.html + +**Setup your own Dataspace in DejaCode** + +https://dejacode.readthedocs.io/en/latest/dataspace.html + +.. note:: + Not ready to install your own instance of DejaCode? Consider taking a look at + the DejaCode public evaluation site to take a test drive, and if you have specific + requirements, you may also request a private SaaS evaluation dataspace. + See https://public.dejacode.com/account/register/ + +**Install ScanCode.io** + +https://scancodeio.readthedocs.io/en/latest/installation.html + +Configure DejaCode to integrate with ScanCode.io. See + +https://dejacode.readthedocs.io/en/latest/application-settings.html#scancodeio + +**Install PurlDB** + +https://aboutcode.readthedocs.io/projects/PURLdb/en/latest/getting-started/install.html + +Configure DejaCode to integrate with your PurlDB instance. 
See: + +https://dejacode.readthedocs.io/en/latest/application-settings.html#purldb + +.. note:: + Not ready to install your own instance of PurlDB? You can configure DejaCode to + integrate with the public version at https://public.purldb.io/ + +**Install VulnerableCode** + +https://vulnerablecode.readthedocs.io/en/latest/installation.html#installation + +Configure Dejacode to integrate with your Vulnerablecode instance. + +https://dejacode.readthedocs.io/en/latest/dataspace.html#enable-vulnerablecodedb-service + +.. note:: + Not ready to install your own instance of VulnerableCode? You can configure DejaCode + to integrate with the public version at https://public.vulnerablecode.io/ + + +2. Scan software using ScanCode.io +---------------------------------- + +Create new Projects in ScanCode.io to scan packages, codebases, or products. You can +also load inventories (scan results) created by ScanCode-Toolkit. You can specify +the exact pipelines to use for particular platforms and technologies. + +https://scancodeio.readthedocs.io/en/latest/user-interface.html#creating-a-new-project + +Export the scan results in the appropriate format to share with your team. ScanCode.io +will report details of the identified packages if you choose to export CycloneDX +and SPDX SBOMs. + +https://scancodeio.readthedocs.io/en/latest/output-files.html#output-files + + +3. Import scan results to DejaCode products +------------------------------------------- + +Create new Products in DejaCode for comprehensive analysis and action. DejaCode allows +you and your team members to edit a Product inventory as needed to assert license +choices and conclusions, and to document your vulnerability status. + +https://dejacode.readthedocs.io/en/latest/tutorial-1.html + +Generate Attribution and SBOMs from DejaCode Products. You can generate SBOMs in both +SPDX and CycloneDX (inlucing VEX) formats. 
+ +https://dejacode.readthedocs.io/en/latest/tutorial-5-sboms.html#tutorial-5-working-with-sboms-in-a-product + diff --git a/docs/source/getting-started/manage-license-policies.rst b/docs/source/getting-started/manage-license-policies.rst new file mode 100644 index 0000000..1e42b7e --- /dev/null +++ b/docs/source/getting-started/manage-license-policies.rst 
@@ -0,0 +1,59 @@ +.. _manage-license-policies: + +Use AboutCode to manage and communicate license policies +======================================================== + +You can define the Usage Policy choices that may apply to various application object +types such as Licenses, Components, Subcomponent relationships, and Packages. +For each application object type, you can specify the Usage Policy label text, icon, +and icon color for each relevant policy position that you need to communicate to your +users. Examples include Recommended, Approved, Restricted, and Prohibited. + +1. Install AboutCode Projects +----------------------------- + +**Install DejaCode.** + +https://dejacode.readthedocs.io/en/latest/installation.html + +**Setup your own Dataspace in DejaCode** + +https://dejacode.readthedocs.io/en/latest/dataspace.html + +.. note:: + Not ready to install your own instance of DejaCode? Consider taking a look at + the DejaCode public evaluation site to take a test drive, and if you have specific + requirements, you may also request a private SaaS evaluation dataspace. + See https://public.dejacode.com/account/register/ + +2. Create Your Usage Policies +----------------------------- + +You can copy the Reference data usage policies to your dataspace for a quick start. +Modify them to fit your specific requirements. + +For details, see https://dejacode.readthedocs.io/en/latest/howto-1.html + +Assign your usage policies to licenses. For details, see +https://dejacode.readthedocs.io/en/latest/howto-1.html#assign-your-usage-policies-to-licenses + +Make your usage policies visible to DejaCode users. For details, see +https://dejacode.readthedocs.io/en/latest/howto-1.html#make-usage-policies-visible-to-your-users + +3. Export Your Usage Policies +----------------------------- + +You can export your DejaCode Usage Policies to a file that can be used in other +applications. 
+ +https://dejacode.readthedocs.io/en/latest/howto-1.html#export-license-policy-definitions + +You can use your Usage Policies in **ScanCode-Toolkit** with the "--license-policy" +Post-Scan option + +https://scancode-toolkit.readthedocs.io/en/stable/cli-reference/list-options.html#all-post-scan-options + +You can use your Usage Policies in **ScanCode.io** with a "policies.yml" file + +https://scancodeio.readthedocs.io/en/latest/tutorial_license_policies.html#license-policies-and-compliance-alerts + diff --git a/docs/source/getting-started/start-scanning-code.rst b/docs/source/getting-started/start-scanning-code.rst new file mode 100644 index 0000000..8513607 --- /dev/null +++ b/docs/source/getting-started/start-scanning-code.rst 
@@ -0,0 +1,46 @@ +.. _start-scanning-code: + +Use AboutCode to Start Scanning Code +==================================== +You can use **ScanCode.io** to identify all the licenses associated with a package, +codebase, or container. ScanCode.io will also identify software vulnerabilities. With its +library of standard and custom pipelines, ScanCode.io performs deep and comprehensive +scanning to meet your analysis requirements. + +1. Install ScanCode.io +---------------------- + +**Install ScanCode.io** + +https://scancodeio.readthedocs.io/en/latest/installation.html + +Configure ScanCode.io to identify software vulnerabilities. + +https://scancodeio.readthedocs.io/en/latest/tutorial_vulnerablecode_integration.html#configure-vulnerablecode-integration + + +2. Scan Software Using ScanCode.io +---------------------------------- + +Create a new Project in ScanCode.io to scan a Docker image. + +https://scancodeio.readthedocs.io/en/latest/tutorial_web_ui_analyze_docker_image.html + +You now know how to use the **analyze_docker_image** pipeline! + +3. Review Scan Results Using ScanCode.io +---------------------------------------- + +https://scancodeio.readthedocs.io/en/latest/tutorial_web_ui_review_scan_results.html + +4. Analyze a Codebase from the Command Line +------------------------------------------- + +Thinking about integrating ScanCode.io into your build system? You can scan a +codebase from the command line. + +https://scancodeio.readthedocs.io/en/latest/tutorial_cli_analyze_codebase.html + +You now know how to use the **scan_codebase** pipeline, and you are ready to explore +the many other features of ScanCode.io! +
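Review bot: In the `aboutcode-project-overview.rst` hunk, the new "Getting Started" toctree separates its entries with blank `+` lines (`getting-started/start-scanning-code` / blank / `getting-started/manage-license-policies` / ...), unlike the two toctrees above it, which list entries on consecutive lines, and the file then ends with an extra empty `+` line. Sphinx tolerates the blank lines, but for consistency with the "Primary" and "Supporting" blocks in the same file, list the five `getting-started/...` entries consecutively and drop the trailing empty line.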
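Review bot: In the new `dejacode-project.rst`, the lead hyperlink is written as `` `DejaCode `_: `` with no `<https://...>` target between the backticks, and the same pattern appears in the ScanCode link on the next line and in the opening link of every other new project page (`license-expression`, `PurlDB`, `python-inspector`, `scancode-action`, `ScanCode LicenseDB`, `source-inspector`). As shown, reST would resolve these as named references to targets that do not exist and docutils would emit "unknown target name" warnings; if the URLs were only lost in this rendering of the diff, ignore this, otherwise add them. Separately, the colon after each link (`` `_: is a ``) makes every page read "DejaCode: is a Cloud application server"; drop the colon. Also in this hunk, the bullet "Track and report vulnerability tracking and reporting by integrating with the open source VulnerableCode project" is redundant; suggest "Track and report vulnerabilities by integrating with the open source VulnerableCode project."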
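Review bot: In `license-expression-project.rst` the closing links are written as an indented list (`   - Read more at: ...`), while `dejacode-project.rst` and `purldb-project.rst` use unindented "Read more at:" / "Get the code at:" paragraphs. In reST the leading indentation turns the list into a block quote, so these pages will render differently from the others; pick one form for all seven project pages (`python-inspector`, `scancode-action`, `scancode-licensedb` and `source-inspector` use the indented form too). Also, "Read more at" and "Get the code at" both point at the same GitHub repository (one at the repo, one at `/releases`); if there is no separate documentation site, a single "Get the code at" line is clearer.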
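Review bot: In `purldb-project.rst` the first line is `.. purldb-project:` without the leading underscore, so it is parsed as a reST comment rather than a hyperlink label, and `:ref:` links to `purldb-project` will fail; every other new page uses the `.. _name-project:` form, so change it to `.. _purldb-project:`. In the same hunk, "PackageDB that is the reference model ... with PURL (Package URLs) being a first class citizen" expands the acronym the opposite way from the sentence above it ("purls (Package URLs)"); use one spelling, and "first class citizen" should be hyphenated ("first-class"). The bullet list also mixes items ending with and without periods.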
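Review bot: In `python-inspector-project.rst`, "resolve PyPI packages dependencies" should read "resolve PyPI package dependencies", and the third bullet ("These have not been wired with the command line yet.") is a status remark that will go stale in a project overview; either drop it or make it clearly dated. The list also mixes bullets that end with a period and ones that do not. Unlike the sibling pages, this one has no "Read more at" line; if the project has documentation beyond the repository README, add it.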
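Review bot: In `scancode-action-project.rst`, "enables you to run ScanCode.io pipelines from your workflows" does not say which workflows; since this is a GitHub Action, "from your GitHub Actions workflows" tells the reader where it runs and what the prerequisite is.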
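Review bot: In `scancode-licensedb-project.rst`, "over 2300 curated licenses texts" should be "over 2300 curated license texts", and "These licenses are carefully reviewed and curated and continuously updated" repeats "curated" from the previous clause. The sentence "The web site is updated daily by a GitHub action with updates from scancode-toolkit develop" is the one place on the page that tells the reader the data tracks the `develop` branch rather than a release; since the page recommends LicenseDB as a reference for compliance and SBOMs, consider stating explicitly that the web site and API reflect unreleased scancode-toolkit data and naming the git repository as the stable, versioned source.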
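Review bot: In `source-inspector-project.rst`, "collect interesting data using various tools such as code symbols, strings and comments" lists kinds of data as if they were tools; suggest "collect data such as code symbols, strings and comments using various tools." "This is also a ScanCode-Toolkit plugin" should name what "this" is: "source-inspector is also available as a ScanCode Toolkit plugin."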
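Review bot: In `consume-sboms.rst` the two notes that point users at the public instances ("You can configure DejaCode to integrate with the public version at https://public.purldb.io/" and "... https://public.vulnerablecode.io/") do not say what that integration sends out of the user's dataspace; readers evaluating a hosted service for supplier SBOM data will want a sentence on what package identifiers or queries leave their instance before they turn it on. Smaller points in the same hunk: "Configure DejaCode to integrate with ScanCode.io. See" lacks the colon used in the parallel "See:" lines; "Dejacode" and "Vulnerablecode" should be "DejaCode" and "VulnerableCode" as elsewhere; "**Install DejaCode.**" carries a period inside the bold heading while the other bold headings do not; and "Create a new Project in ScanCode.io ." has a stray space before the period. The same capitalization and "See"/"See:" inconsistencies are repeated in `create-sboms.rst`.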
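Review bot: In `cra-compliance.rst`, "CRA" is never expanded; spell out "Cyber Resilience Act" on first use in the title or opening sentence, since the abbreviation is not obvious to readers arriving from the "Getting Started" toctree. The page also consists of one paragraph and a single DejaCode link, whereas the other four getting-started pages in this patch lay out numbered install and usage steps; either give it the same "1. Install ..." / "2. ..." structure or say in the overview toctree that it is a pointer page.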
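Review bot: In `create-sboms.rst`, "SPDX and CycloneDX (inlucing VEX) formats" has a typo ("including"); "performs a deep and comprehensive scanning" should be "performs deep and comprehensive scanning" as it is written in `start-scanning-code.rst`; and "**Dejacode** will enable you to import" should be "**DejaCode**". The heading block also lacks a blank line between the `====` underline and the first paragraph, unlike `consume-sboms.rst` and `manage-license-policies.rst`.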
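Review bot: In `manage-license-policies.rst`, the sentence "You can use your Usage Policies in **ScanCode-Toolkit** with the "--license-policy" Post-Scan option" has no terminating period, and the option name and the "policies.yml" file name below it are in straight quotes rather than reST literals; write them as ``--license-policy`` and ``policies.yml`` so they render as code. "**Setup your own Dataspace in DejaCode**" should be "Set up" (verb), here and in the identical heading in `consume-sboms.rst` and `create-sboms.rst`.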
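Review bot: In `start-scanning-code.rst`, the title "Use AboutCode to Start Scanning Code" and the step headings ("Scan Software Using ScanCode.io", "Review Scan Results Using ScanCode.io") are title-cased, while every other getting-started page in this patch uses sentence case ("Use AboutCode to consume SBOMs from your suppliers", "2. Scan software using ScanCode.io"); pick one. Step 1 also says "Configure ScanCode.io to identify software vulnerabilities" without naming VulnerableCode, even though the linked anchor is `#configure-vulnerablecode-integration`; "Configure the VulnerableCode integration so ScanCode.io can report vulnerabilities" matches the other pages.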