├── img ├── output.png ├── console.png ├── trustier128x128.png └── trustier512x512.png ├── tests ├── cli.rs └── _TESTDATA_ │ ├── small.cyclonedx.json │ └── trustier.small.cyclonedx.json ├── .github └── workflows │ ├── rust.yml │ └── release.yml ├── .gitignore ├── Cargo.toml ├── .devcontainer └── devcontainer.json ├── CONTRIBUTING.md ├── CODE_OF_CONDUCT.md ├── .vscode └── launch.json ├── src ├── models.rs └── main.rs ├── README.md └── LICENSE /img/output.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/devops-kung-fu/trustier/HEAD/img/output.png -------------------------------------------------------------------------------- /img/console.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/devops-kung-fu/trustier/HEAD/img/console.png -------------------------------------------------------------------------------- /img/trustier128x128.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/devops-kung-fu/trustier/HEAD/img/trustier128x128.png -------------------------------------------------------------------------------- /img/trustier512x512.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/devops-kung-fu/trustier/HEAD/img/trustier512x512.png -------------------------------------------------------------------------------- /tests/cli.rs: -------------------------------------------------------------------------------- 1 | 2 | use anyhow::{Ok, Result}; 3 | use assert_cmd::Command; 4 | use predicates::prelude::*; 5 | 6 | #[test] 7 | fn dies_no_args() -> Result<()> { 8 | let mut cmd = Command::cargo_bin("trustier")?; 9 | cmd.assert() 10 | .failure() 11 | .stderr(predicate::str::contains("Usage")); 12 | Ok(()) 13 | } -------------------------------------------------------------------------------- /.github/workflows/rust.yml: -------------------------------------------------------------------------------- 1 | name: Rust 2 | 3 | on: 4 | push: 5 | 6 | env: 7 | CARGO_TERM_COLOR: always 8 | 9 | jobs: 10 | build: 11 | runs-on: ubuntu-latest 12 | 13 | steps: 14 | - uses: actions/checkout@v4 15 | - name: Build 16 | run: cargo build --verbose 17 | - name: Run tests 18 | run: cargo test --verbose 19 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Generated by Cargo 2 | # will have compiled files and executables 3 | debug/ 4 | target/ 5 | output/ 6 | 7 | # Remove Cargo.lock from gitignore if creating an executable, leave it for libraries 8 | # More information here https://doc.rust-lang.org/cargo/guide/cargo-toml-vs-cargo-lock.html 9 | Cargo.lock 10 | 11 | # These are backup files generated by rustfmt 12 | **/*.rs.bk 13 | 14 | # MSVC Windows builds of rustc generate these, which store debugging information 15 | *.pdb 16 | -------------------------------------------------------------------------------- /Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "trustier" 3 | version = "0.1.0" 4 | edition = "2021" 5 | 6 | [dependencies] 7 | serde = { version = "1.0", features = ["derive"] } 8 | serde_json = "1.0" 9 | clap = { version = "4.5.17", features = ["derive"] } 10 | cyclonedx-bom = "0.7.0" 11 | surf = "2.3.2" 12 | async-std = "1.13.0" 13 | packageurl = "0.4.1" 14 | colored = "2.1.0" 15 | clap-stdin = "0.5.1" 16 | 17 | [dev-dependencies] 18 | anyhow = "1.0.89" 19 | assert_cmd = "2.0.16" 20 | predicates = "3.1.2" 21 | pretty_assertions = "1.4.1" -------------------------------------------------------------------------------- /.devcontainer/devcontainer.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "trustier", 3 | "image": "mcr.microsoft.com/devcontainers/rust:1-1-bookworm", 4 | "features": { 5 | "ghcr.io/devcontainers-contrib/features/starship:1": {}, 6 | "ghcr.io/dasiths/devcontainer-features/syft:1": {} 7 | }, 8 | "customizations": { 9 | "vscode": { 10 | "settings": { 11 | "window.menuBarVisibility": "classic", 12 | "workbench.activityBar.location": "top", 13 | "debug.toolBarLocation": "docked", 14 | "workbench.colorTheme": "Default Light Modern", 15 | "editor.useTabStops": true, 16 | "editor.formatOnSave": true, 17 | "editor.formatOnPaste": true, 18 | "git.autofetch": true, 19 | "[markdown]": { 20 | "editor.defaultFormatter": "esbenp.prettier-vscode" 21 | } 22 | }, 23 | "extensions": [ 24 | "GitHub.copilot", 25 | "github.vscode-pull-request-github", 26 | "github.vscode-github-actions", 27 | "oderwat.indent-rainbow", 28 | "quicktype.quicktype", 29 | "ahebrank.yaml2json", 30 | "Gruntfuggly.todo-tree", 31 | "esbenp.prettier-vscode", 32 | "BarbossHack.crates-io" 33 | ] 34 | } 35 | } 36 | } -------------------------------------------------------------------------------- /tests/_TESTDATA_/small.cyclonedx.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", 3 | "bomFormat": "CycloneDX", 4 | "specVersion": "1.4", 5 | "serialNumber": "urn:uuid:e3528bf6-0024-4fbd-9223-f4760bbf54bb", 6 | "version": 1, 7 | "metadata": { 8 | "timestamp": "2024-09-02T17:26:27Z", 9 | "tools": [{ "vendor": "dkfm" }], 10 | "component": { "bom-ref": "af63bd4c8601b7ff", "type": "file", "name": "." } 11 | }, 12 | "components": [ 13 | { 14 | "name": "qs", 15 | "type": "library", 16 | "purl": "pkg:npm/qs@6.7.0" 17 | }, 18 | { 19 | "name": "notifyjs", 20 | "type": "library", 21 | "purl": "pkg:npm/notifyjs@3.0.0" 22 | }, 23 | { 24 | "name": "pycrypto", 25 | "type": "library", 26 | "purl": "pkg:pypi/pycrypto@2.6.1" 27 | }, 28 | { 29 | "name": "pycryptopayapi", 30 | "type": "library", 31 | "purl": "pkg:pypi/pycryptopayapi@0.0.8" 32 | }, 33 | { 34 | "name": "body-parser", 35 | "type": "library", 36 | "purl": "pkg:npm/body-parser@1.19.0" 37 | }, 38 | { 39 | "name": "qs", 40 | "type": "library", 41 | "purl": "pkg:npm/qs@6.7.0", 42 | "description": "This duplicate package is here to test the deduplication feature." 43 | } 44 | ] 45 | } 46 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing 2 | 3 | We use GitHub to host code, to track issues and feature requests, as well as accept pull requests. 4 | 5 | ## Use GPG to Sign Your Commits 6 | 7 | Only pull requests that have been signed will be accepted. 8 | 9 | If you are using the devcontainer included in this repostiory, enabled signed commits in your GitHub [Codespaces settings](https://docs.github.com/en/codespaces/managing-your-codespaces/managing-gpg-verification-for-github-codespaces). 10 | 11 | For more information on setting up a GPG key when not using [Codespaces](https://github.com/features/codespaces) see the instructions [here](https://help.github.com/en/articles/managing-commit-signature-verification). 12 | 13 | ## Contributing Code 14 | 15 | All Code Changes Happen Through Pull Requests. Pull requests are the best way to propose changes to the codebase. We actively welcome your pull requests and review regularly. We practice a single trunk development method. 16 | 17 | - Fork the repo and create your branch from main. 18 | - All code requires test coverage. 100% coverage is the target (try your best!). Add new or modify existing tests. 19 | - If you've changed APIs, update the documentation. 20 | - Ensure the tests pass. 21 | - Make sure your code lints (go) 22 | - Create a pull request. 23 | 24 | ## Licensing Notes 25 | 26 | Any contributions you make will be under the MIT Software License. When you submit code changes, your submissions are understood to be under the same MIT License that covers the project. Feel free to contact the maintainers if that's a concern. 27 | 28 | ## Development 29 | 30 | ### Overview 31 | 32 | In order to use contribute and participate in the development this application you'll need to have an updated rust environment. Before you start, please view the [Contributing](CONTRIBUTING.md) and [Code of Conduct](CODE_OF_CONDUCT.md) files in this repository. 33 | -------------------------------------------------------------------------------- /.github/workflows/release.yml: -------------------------------------------------------------------------------- 1 | name: Release 2 | 3 | permissions: 4 | contents: write 5 | 6 | on: 7 | push: 8 | tags: 9 | - v[0-9]+.* 10 | 11 | env: 12 | CARGO_TERM_COLOR: always 13 | 14 | jobs: 15 | create-release: 16 | runs-on: ubuntu-latest 17 | steps: 18 | - uses: actions/checkout@v4 19 | - uses: taiki-e/create-gh-release-action@v1 20 | with: 21 | # (optional) Path to changelog. 22 | #changelog: CHANGELOG.md 23 | # (required) GitHub token for creating GitHub Releases. 24 | token: ${{ secrets.GITHUB_TOKEN }} 25 | 26 | upload-assets: 27 | needs: create-release 28 | strategy: 29 | matrix: 30 | include: 31 | - target: x86_64-unknown-linux-gnu 32 | os: ubuntu-latest 33 | - target: x86_64-apple-darwin 34 | os: macos-latest 35 | - target: x86_64-pc-windows-msvc 36 | os: windows-latest 37 | runs-on: ${{ matrix.os }} 38 | steps: 39 | - uses: actions/checkout@v4 40 | - uses: taiki-e/upload-rust-binary-action@v1 41 | with: 42 | # (required) Comma-separated list of binary names (non-extension portion of filename) to build and upload. 43 | # Note that glob pattern is not supported yet. 44 | bin: trustier 45 | # (optional) Target triple, default is host triple. 46 | # This is optional but it is recommended that this always be set to 47 | # clarify which target you are building for if macOS is included in 48 | # the matrix because GitHub Actions changed the default architecture 49 | # of macos-latest since macos-14. 50 | target: ${{ matrix.target }} 51 | # (optional) On which platform to distribute the `.tar.gz` file. 52 | # [default value: unix] 53 | # [possible values: all, unix, windows, none] 54 | tar: unix 55 | # (optional) On which platform to distribute the `.zip` file. 56 | # [default value: windows] 57 | # [possible values: all, unix, windows, none] 58 | zip: windows 59 | # (required) GitHub token for uploading assets to GitHub Releases. 60 | token: ${{ secrets.GITHUB_TOKEN }} 61 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Contributor Covenant Code of Conduct 2 | 3 | ## Our Pledge 4 | 5 | In the interest of fostering an open and welcoming environment, we as 6 | contributors and maintainers pledge to making participation in our project and 7 | our community a harassment-free experience for everyone, regardless of age, body 8 | size, disability, ethnicity, sex characteristics, gender identity and expression, 9 | level of experience, education, socio-economic status, nationality, personal 10 | appearance, race, religion, or sexual identity and orientation. 11 | 12 | ## Our Standards 13 | 14 | Examples of behavior that contributes to creating a positive environment 15 | include: 16 | 17 | - Using welcoming and inclusive language 18 | - Being respectful of differing viewpoints and experiences 19 | - Gracefully accepting constructive criticism 20 | - Focusing on what is best for the community 21 | - Showing empathy towards other community members 22 | 23 | Examples of unacceptable behavior by participants include: 24 | 25 | - The use of sexualized language or imagery and unwelcome sexual attention or 26 | advances 27 | - Trolling, insulting/derogatory comments, and personal or political attacks 28 | - Public or private harassment 29 | - Publishing others' private information, such as a physical or electronic 30 | address, without explicit permission 31 | - Other conduct which could reasonably be considered inappropriate in a 32 | professional setting 33 | 34 | ## Our Responsibilities 35 | 36 | Project maintainers are responsible for clarifying the standards of acceptable 37 | behavior and are expected to take appropriate and fair corrective action in 38 | response to any instances of unacceptable behavior. 39 | 40 | Project maintainers have the right and responsibility to remove, edit, or 41 | reject comments, commits, code, wiki edits, issues, and other contributions 42 | that are not aligned to this Code of Conduct, or to ban temporarily or 43 | permanently any contributor for other behaviors that they deem inappropriate, 44 | threatening, offensive, or harmful. 45 | 46 | ## Scope 47 | 48 | This Code of Conduct applies both within project spaces and in public spaces 49 | when an individual is representing the project or its community. Examples of 50 | representing a project or community include using an official project e-mail 51 | address, posting via an official social media account, or acting as an appointed 52 | representative at an online or offline event. Representation of a project may be 53 | further defined and clarified by project maintainers. 54 | 55 | ## Enforcement 56 | 57 | Instances of abusive, harassing, or otherwise unacceptable behavior may be 58 | reported by contacting the project team. All 59 | complaints will be reviewed and investigated and will result in a response that 60 | is deemed necessary and appropriate to the circumstances. The project team is 61 | obligated to maintain confidentiality with regard to the reporter of an incident. 62 | Further details of specific enforcement policies may be posted separately. 63 | 64 | Project maintainers who do not follow or enforce the Code of Conduct in good 65 | faith may face temporary or permanent repercussions as determined by other 66 | members of the project's leadership. 67 | 68 | ## Attribution 69 | 70 | This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, 71 | available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html 72 | 73 | [homepage]: https://www.contributor-covenant.org 74 | 75 | For answers to common questions about this code of conduct, see 76 | https://www.contributor-covenant.org/faq 77 | -------------------------------------------------------------------------------- /tests/_TESTDATA_/trustier.small.cyclonedx.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", 3 | "bomFormat": "CycloneDX", 4 | "specVersion": "1.4", 5 | "serialNumber": "urn:uuid:e3528bf6-0024-4fbd-9223-f4760bbf54ab", 6 | "version": 1, 7 | "metadata": { 8 | "timestamp": "2024-09-02T17:26:27Z", 9 | "tools": [{ "vendor": "anchore", "name": "syft", "version": "1.11.1" }], 10 | "component": { "bom-ref": "af63bd4c8601b7f1", "type": "file", "name": "." } 11 | }, 12 | "components": [ 13 | { 14 | "bom-ref": "pkg:github/actions/checkout@v4?package-id=217f4cdc0ac4dc24", 15 | "type": "library", 16 | "name": "actions/checkout", 17 | "version": "v4", 18 | "cpe": "cpe:2.3:a:actions\\/checkout:actions\\/checkout:v4:*:*:*:*:*:*:*", 19 | "purl": "pkg:github/actions/checkout@v4", 20 | "properties": [ 21 | { 22 | "name": "syft:package:foundBy", 23 | "value": "github-actions-usage-cataloger" 24 | }, 25 | { "name": "syft:package:type", "value": "github-action" }, 26 | { 27 | "name": "syft:location:0:path", 28 | "value": "/.github/workflows/rust.yml" 29 | } 30 | ] 31 | }, 32 | { 33 | "bom-ref": "pkg:cargo/aead@0.3.2?package-id=797b9b64a142d76c", 34 | "type": "library", 35 | "name": "aead", 36 | "version": "0.3.2", 37 | "cpe": "cpe:2.3:a:aead:aead:0.3.2:*:*:*:*:*:*:*", 38 | "purl": "pkg:cargo/aead@0.3.2", 39 | "externalReferences": [ 40 | { 41 | "url": "registry+https://github.com/rust-lang/crates.io-index", 42 | "type": "distribution" 43 | } 44 | ], 45 | "properties": [ 46 | { 47 | "name": "syft:package:foundBy", 48 | "value": "rust-cargo-lock-cataloger" 49 | }, 50 | { "name": "syft:package:language", "value": "rust" }, 51 | { "name": "syft:package:type", "value": "rust-crate" }, 52 | { 53 | "name": "syft:package:metadataType", 54 | "value": "rust-cargo-lock-entry" 55 | }, 56 | { "name": "syft:location:0:path", "value": "/Cargo.lock" } 57 | ] 58 | }, 59 | { 60 | "bom-ref": "pkg:cargo/aes@0.6.0?package-id=15ef11e1e4c65f15", 61 | "type": "library", 62 | "name": "aes", 63 | "version": "0.6.0", 64 | "cpe": "cpe:2.3:a:aes:aes:0.6.0:*:*:*:*:*:*:*", 65 | "purl": "pkg:cargo/aes@0.6.0", 66 | "externalReferences": [ 67 | { 68 | "url": "registry+https://github.com/rust-lang/crates.io-index", 69 | "type": "distribution" 70 | } 71 | ], 72 | "properties": [ 73 | { 74 | "name": "syft:package:foundBy", 75 | "value": "rust-cargo-lock-cataloger" 76 | }, 77 | { "name": "syft:package:language", "value": "rust" }, 78 | { "name": "syft:package:type", "value": "rust-crate" }, 79 | { 80 | "name": "syft:package:metadataType", 81 | "value": "rust-cargo-lock-entry" 82 | }, 83 | { "name": "syft:location:0:path", "value": "/Cargo.lock" } 84 | ] 85 | }, 86 | { 87 | "bom-ref": "pkg:cargo/aes-gcm@0.8.0?package-id=5396c925e2835637", 88 | "type": "library", 89 | "name": "aes-gcm", 90 | "version": "0.8.0", 91 | "cpe": "cpe:2.3:a:aes-gcm:aes-gcm:0.8.0:*:*:*:*:*:*:*", 92 | "purl": "pkg:cargo/aes-gcm@0.8.0", 93 | "externalReferences": [ 94 | { 95 | "url": "registry+https://github.com/rust-lang/crates.io-index", 96 | "type": "distribution" 97 | } 98 | ], 99 | "properties": [ 100 | { 101 | "name": "syft:package:foundBy", 102 | "value": "rust-cargo-lock-cataloger" 103 | }, 104 | { "name": "syft:package:language", "value": "rust" }, 105 | { "name": "syft:package:type", "value": "rust-crate" }, 106 | { 107 | "name": "syft:package:metadataType", 108 | "value": "rust-cargo-lock-entry" 109 | }, 110 | { "name": "syft:location:0:path", "value": "/Cargo.lock" } 111 | ] 112 | } 113 | ] 114 | } 115 | -------------------------------------------------------------------------------- /.vscode/launch.json: -------------------------------------------------------------------------------- 1 | { 2 | // Use IntelliSense to learn about possible attributes. 3 | // Hover to view descriptions of existing attributes. 4 | // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387 5 | "version": "0.2.0", 6 | "configurations": [ 7 | { 8 | "type": "lldb", 9 | "request": "launch", 10 | "name": "Debug executable 'trustier' (very small SBOM), output to file", 11 | "cargo": { 12 | "args": [ 13 | "build", 14 | "--bin=trustier", 15 | "--package=trustier" 16 | ], 17 | "filter": { 18 | "name": "trustier", 19 | "kind": "bin" 20 | } 21 | }, 22 | "args": [ 23 | "--output-file=output/trustier.json", 24 | "./tests/_TESTDATA_/small.cyclonedx.json" 25 | ], 26 | "cwd": "${workspaceFolder}" 27 | }, 28 | { 29 | "type": "lldb", 30 | "request": "launch", 31 | "name": "Debug unit tests in executable 'trustier' (very small SBOM)", 32 | "cargo": { 33 | "args": [ 34 | "test", 35 | "--no-run", 36 | "--bin=trustier", 37 | "--package=trustier" 38 | ], 39 | "filter": { 40 | "name": "trustier", 41 | "kind": "bin" 42 | } 43 | }, 44 | "args": [ 45 | "./tests/_TESTDATA_/small.cyclonedx.json" 46 | ], 47 | "cwd": "${workspaceFolder}" 48 | }, 49 | { 50 | "type": "lldb", 51 | "request": "launch", 52 | "name": "Debug executable 'trustier' (railsgoat)", 53 | "cargo": { 54 | "args": [ 55 | "build", 56 | "--bin=trustier", 57 | "--package=trustier" 58 | ], 59 | "filter": { 60 | "name": "trustier", 61 | "kind": "bin" 62 | } 63 | }, 64 | "args": [ 65 | "./tests/_TESTDATA_/railsgoat.cyclonedx.json" 66 | ], 67 | "cwd": "${workspaceFolder}" 68 | }, 69 | { 70 | "type": "lldb", 71 | "request": "launch", 72 | "name": "Debug unit tests in executable 'trustier' (railsgoat)", 73 | "cargo": { 74 | "args": [ 75 | "test", 76 | "--no-run", 77 | "--bin=trustier", 78 | "--package=trustier" 79 | ], 80 | "filter": { 81 | "name": "trustier", 82 | "kind": "bin" 83 | } 84 | }, 85 | "args": [ 86 | "./tests/_TESTDATA_/railsgoat.cyclonedx.json" 87 | ], 88 | "cwd": "${workspaceFolder}" 89 | }, 90 | { 91 | "type": "lldb", 92 | "request": "launch", 93 | "name": "Debug executable 'trustier' (juiceshop)", 94 | "cargo": { 95 | "args": [ 96 | "build", 97 | "--bin=trustier", 98 | "--package=trustier" 99 | ], 100 | "filter": { 101 | "name": "trustier", 102 | "kind": "bin" 103 | } 104 | }, 105 | "args": [ 106 | "./tests/_TESTDATA_/juiceshop.cyclonedx.json" 107 | ], 108 | "cwd": "${workspaceFolder}" 109 | }, 110 | { 111 | "type": "lldb", 112 | "request": "launch", 113 | "name": "Debug executable 'trustier' (juiceshop), output to file", 114 | "cargo": { 115 | "args": [ 116 | "build", 117 | "--bin=trustier", 118 | "--package=trustier" 119 | ], 120 | "filter": { 121 | "name": "trustier", 122 | "kind": "bin" 123 | } 124 | }, 125 | "args": [ 126 | "--output-file=output/trustier.json", 127 | "./tests/_TESTDATA_/juiceshop.cyclonedx.json" 128 | ], 129 | "cwd": "${workspaceFolder}" 130 | }, 131 | { 132 | "type": "lldb", 133 | "request": "launch", 134 | "name": "Debug unit tests in executable 'trustier' (juiceshop)", 135 | "cargo": { 136 | "args": [ 137 | "test", 138 | "--no-run", 139 | "--bin=trustier", 140 | "--package=trustier" 141 | ], 142 | "filter": { 143 | "name": "trustier", 144 | "kind": "bin" 145 | } 146 | }, 147 | "args": [ 148 | "./tests/_TESTDATA_/juiceshop.cyclonedx.json" 149 | ], 150 | "cwd": "${workspaceFolder}" 151 | }, 152 | { 153 | "type": "lldb", 154 | "request": "launch", 155 | "name": "Debug executable 'trustier' (trustier)", 156 | "cargo": { 157 | "args": [ 158 | "build", 159 | "--bin=trustier", 160 | "--package=trustier" 161 | ], 162 | "filter": { 163 | "name": "trustier", 164 | "kind": "bin" 165 | } 166 | }, 167 | "args": [ 168 | "./tests/_TESTDATA_/trustier.cyclonedx.json" 169 | ], 170 | "cwd": "${workspaceFolder}" 171 | }, 172 | { 173 | "type": "lldb", 174 | "request": "launch", 175 | "name": "Debug executable 'trustier' (trustier), output to file", 176 | "cargo": { 177 | "args": [ 178 | "build", 179 | "--bin=trustier", 180 | "--package=trustier" 181 | ], 182 | "filter": { 183 | "name": "trustier", 184 | "kind": "bin" 185 | } 186 | }, 187 | "args": [ 188 | "--output-file=output/trustier.json", 189 | "./tests/_TESTDATA_/trustier.cyclonedx.json" 190 | ], 191 | "cwd": "${workspaceFolder}" 192 | }, 193 | { 194 | "type": "lldb", 195 | "request": "launch", 196 | "name": "Debug unit tests in executable 'trustier' (trustier)", 197 | "cargo": { 198 | "args": [ 199 | "test", 200 | "--no-run", 201 | "--bin=trustier", 202 | "--package=trustier" 203 | ], 204 | "filter": { 205 | "name": "trustier", 206 | "kind": "bin" 207 | } 208 | }, 209 | "args": [ 210 | "./tests/_TESTDATA_/trustier.cyclonedx.json" 211 | ], 212 | "cwd": "${workspaceFolder}" 213 | }, 214 | ] 215 | } -------------------------------------------------------------------------------- /src/models.rs: -------------------------------------------------------------------------------- 1 | // Example code that deserializes and serializes the model. 2 | // extern crate serde; 3 | // #[macro_use] 4 | // extern crate serde_derive; 5 | // extern crate serde_json; 6 | // 7 | // use models::TrustyResponse; 8 | // 9 | // fn main() { 10 | // let json = r#"{"answer": 42}"#; 11 | // let model: TrustyResponse = serde_json::from_str(&json).unwrap(); 12 | // } 13 | 14 | use serde::{Deserialize, Serialize}; 15 | 16 | #[derive(Serialize, Deserialize, Debug)] 17 | pub struct TrustyResponse { 18 | #[serde(skip_serializing_if = "Option::is_none")] 19 | id: Option, 20 | 21 | #[serde(skip_serializing_if = "Option::is_none")] 22 | status: Option, 23 | 24 | #[serde(skip_serializing_if = "Option::is_none")] 25 | status_code: Option, 26 | 27 | #[serde(skip_serializing_if = "Option::is_none")] 28 | name: Option, 29 | 30 | #[serde(rename = "type", skip_serializing_if = "Option::is_none")] 31 | ty: Option, 32 | 33 | #[serde(skip_serializing_if = "Option::is_none")] 34 | version: Option, 35 | 36 | #[serde(skip_serializing_if = "Option::is_none")] 37 | version_date: Option, 38 | 39 | #[serde(skip_serializing_if = "Option::is_none")] 40 | author: Option, 41 | 42 | #[serde(skip_serializing_if = "Option::is_none")] 43 | author_email: Option, 44 | 45 | #[serde(skip_serializing_if = "Option::is_none")] 46 | pub purl: Option, 47 | 48 | #[serde(skip_serializing_if = "Option::is_none")] 49 | package_description: Option, 50 | 51 | #[serde(skip_serializing_if = "Option::is_none")] 52 | repo_description: Option, 53 | 54 | #[serde(skip_serializing_if = "Option::is_none")] 55 | origin: Option, 56 | 57 | #[serde(skip_serializing_if = "Option::is_none")] 58 | stargazers_count: Option, 59 | 60 | #[serde(skip_serializing_if = "Option::is_none")] 61 | watchers_count: Option, 62 | 63 | #[serde(skip_serializing_if = "Option::is_none")] 64 | home_page: Option, 65 | 66 | #[serde(skip_serializing_if = "Option::is_none")] 67 | has_issues: Option, 68 | 69 | #[serde(skip_serializing_if = "Option::is_none")] 70 | has_projects: Option, 71 | 72 | #[serde(skip_serializing_if = "Option::is_none")] 73 | has_downloads: Option, 74 | 75 | #[serde(skip_serializing_if = "Option::is_none")] 76 | forks_count: Option, 77 | 78 | #[serde(skip_serializing_if = "Option::is_none")] 79 | archived: Option, 80 | 81 | #[serde(skip_serializing_if = "Option::is_none")] 82 | is_deprecated: Option, 83 | 84 | #[serde(skip_serializing_if = "Option::is_none")] 85 | disabled: Option, 86 | 87 | #[serde(skip_serializing_if = "Option::is_none")] 88 | open_issues_count: Option, 89 | 90 | #[serde(skip_serializing_if = "Option::is_none")] 91 | visibility: Option, 92 | 93 | #[serde(skip_serializing_if = "Option::is_none")] 94 | default_branch: Option, 95 | 96 | #[serde(skip_serializing_if = "Option::is_none")] 97 | repository_id: Option, 98 | 99 | #[serde(skip_serializing_if = "Option::is_none")] 100 | repository_name: Option, 101 | 102 | #[serde(skip_serializing_if = "Option::is_none")] 103 | contributor_count: Option, 104 | 105 | #[serde(skip_serializing_if = "Option::is_none")] 106 | public_repos: Option, 107 | 108 | #[serde(skip_serializing_if = "Option::is_none")] 109 | public_gists: Option, 110 | 111 | #[serde(skip_serializing_if = "Option::is_none")] 112 | followers: Option, 113 | 114 | #[serde(skip_serializing_if = "Option::is_none")] 115 | following: Option, 116 | 117 | #[serde(skip_serializing_if = "Option::is_none")] 118 | owner: Option, 119 | 120 | #[serde(skip_serializing_if = "Option::is_none")] 121 | contributors: Option>, 122 | 123 | #[serde(skip_serializing_if = "Option::is_none")] 124 | last_update: Option, 125 | 126 | #[serde(skip_serializing_if = "Option::is_none")] 127 | scores: Option, 128 | 129 | #[serde(skip_serializing_if = "Option::is_none")] 130 | malicious: Option, 131 | } 132 | 133 | #[derive(Serialize, Deserialize, Debug)] 134 | pub struct Owner { 135 | #[serde(skip_serializing_if = "Option::is_none")] 136 | id: Option, 137 | 138 | #[serde(skip_serializing_if = "Option::is_none")] 139 | author: Option, 140 | 141 | #[serde(skip_serializing_if = "Option::is_none")] 142 | author_email: Option, 143 | 144 | #[serde(skip_serializing_if = "Option::is_none")] 145 | login: Option, 146 | 147 | #[serde(skip_serializing_if = "Option::is_none")] 148 | avatar_url: Option, 149 | 150 | #[serde(skip_serializing_if = "Option::is_none")] 151 | gravatar_id: Option, 152 | 153 | #[serde(skip_serializing_if = "Option::is_none")] 154 | url: Option, 155 | 156 | #[serde(skip_serializing_if = "Option::is_none")] 157 | html_url: Option, 158 | 159 | #[serde(skip_serializing_if = "Option::is_none")] 160 | company: Option, 161 | 162 | #[serde(skip_serializing_if = "Option::is_none")] 163 | blog: Option, 164 | 165 | #[serde(skip_serializing_if = "Option::is_none")] 166 | location: Option, 167 | 168 | #[serde(skip_serializing_if = "Option::is_none")] 169 | email: Option, 170 | 171 | #[serde(skip_serializing_if = "Option::is_none")] 172 | hireable: Option, 173 | 174 | #[serde(skip_serializing_if = "Option::is_none")] 175 | twitter_username: Option, 176 | 177 | #[serde(skip_serializing_if = "Option::is_none")] 178 | public_repos: Option, 179 | 180 | #[serde(skip_serializing_if = "Option::is_none")] 181 | public_gists: Option, 182 | 183 | #[serde(skip_serializing_if = "Option::is_none")] 184 | followers: Option, 185 | 186 | #[serde(skip_serializing_if = "Option::is_none")] 187 | following: Option, 188 | 189 | #[serde(skip_serializing_if = "Option::is_none")] 190 | scores: Option, 191 | } 192 | 193 | #[derive(Serialize, Deserialize, Debug)] 194 | pub struct Scores { 195 | // Add fields here if needed, all wrapped in Option 196 | } 197 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 |
2 | ⚠️ Warning: Stacklok has chosen to retire Insights (previously known as Trusty) on June 8, 2025. As a result, this codebase will no longer function after that date. 3 |
4 |
5 | 6 | ![trustier](img/trustier128x128.png) 7 | 8 | # trustier 9 | 10 | [![](https://img.shields.io/badge/Status-ALPHA-red)](CONTRIBUTING.md) 11 | ![GitHub release (latest by date)](https://img.shields.io/github/v/release/devops-kung-fu/trustier) 12 | 13 | ## Table of Contents 14 | 15 | - [Overview](#overview) 16 | - [The importance of undetstanding supply chain attacks](#the-importance-of-undetstanding-supply-chain-attacks) 17 | - [Installation](#installation) 18 | - [Example Usage](#example-usage) 19 | - [Application Arguments](#application-arguments) 20 | - [Troubleshooting](#troubleshooting) 21 | - [Credits](#credits) 22 | 23 | ## Overview 24 | 25 | `trustier` is an application that parses a CycloneDX Software Bill of Materials and provides activity, provenance, and activity information from [Trusty](https://trustypkg.dev). 26 | 27 | The team at [Stacklok](https://stacklok.com) created [Trusty](https://trustypkg.dev) which they describe as a search for an open source packages to understand their trustworthiness based on activity, provenance, and more. Brought to you by the founders of projects such as Kubernetes and Sigstore. 28 | 29 | ![](img/console.png) 30 | 31 | ## The importance of understanding supply chain attacks 32 | 33 | Supply chain attacks are crucial to address because they can compromise the integrity and security of software systems, even if an organization's proprietary code is secure. These attacks exploit vulnerabilities in the software supply chain, which includes third-party libraries, development tools, and other components used to build, test, deploy, and operate systems. [1] 34 | 35 | Trustworthiness of a component is essential because it helps to identify that a component has not been tampered with or compromised by malicious actors. If a component is not trustworthy, it can introduce vulnerabilities or backdoors into the software system, potentially leading to data breaches, system failures, or other security incidents. 36 | 37 | Provenance, or the origin and history of a component, is important because it helps establish trust in the component. By understanding where a component came from and how it was developed, organizations can better assess its trustworthiness and potential risks. Components with a well-documented and transparent provenance are generally more trustworthy than those with an unknown or obscure origin. 38 | 39 | Reputation is also a crucial factor in assessing the trustworthiness of a component. Components developed and maintained by reputable organizations or individuals with a track record of producing high-quality and secure software are generally more trustworthy than those from unknown or untrusted sources. 40 | 41 | To mitigate the risks of supply chain attacks and ensure the trustworthiness of components, organizations should adopt a comprehensive software supply chain security strategy. This strategy may include: 42 | 43 | - Regularly updating and auditing third-party components for vulnerabilities and potential threats. 44 | 45 | - Monitoring development environments and ensuring secure software development practices are followed by all components used. 46 | 47 | - Implementing package origin controls to prevent dependency substitution attacks. 48 | 49 | - Conducting thorough vetting and risk assessments of third-party components before integrating them into the software system. 50 | 51 | - Maintaining a software bill of materials (SBOM) to track the provenance and dependencies of all components used in the software system. 52 | 53 | - Establishing trusted sources and repositories for obtaining components and updates. 54 | 55 | - Implementing secure software delivery pipelines and continuous integration/continuous deployment (CI/CD) processes to ensure the integrity of the software supply chain. 56 | 57 | By prioritizing the trustworthiness, provenance, and reputation of components, organizations can significantly reduce the risks of supply chain attacks and enhance the overall security and integrity of their software systems. 58 | 59 | Sources: 60 | 61 | [1] Anti-patterns for security testing - DevOps Guidance [https://docs.aws.amazon.com/wellarchitected/latest/devops-guidance/anti-patterns-for-security-testing.html](https://docs.aws.amazon.com/wellarchitected/latest/devops-guidance/anti-patterns-for-security-testing.html) 62 | 63 | ## Installation 64 | 65 | Binaries for Mac, Linux, and Windows Platforms are available from the [Releases](https://github.com/devops-kung-fu/trustier/releases) section of this repsitory. Download, unpack, and use! 66 | 67 | **NOTE:** The application has not been tested on all platforms and architectures. If you experience any issues, please report them [here](https://github.com/devops-kung-fu/trustier/issues) 68 | 69 | ## Application Arguments 70 | 71 | | Argument | Description | 72 | | ---------------------- | ----------------------------------------------------------------------------------------------------------- | 73 | | `` | The SBOM (Software Bill of Materials) to process. This argument is required. | 74 | | `--ratelimit ` | Optional time in milliseconds to pause before making requests to https://trustypkg.dev. Defaults to 500 ms. | 75 | | `--output_file ` | Optional file name to write JSON output to. If not provided, output will be printed to the console. | 76 | 77 | ## Example Usage 78 | 79 | ```sh 80 | # Required sbom argument 81 | trustier sbom_file.json 82 | 83 | # Optional ratelimit argument 84 | trustier sbom_file.json --ratelimit 1000 85 | 86 | # Optional output_file argument 87 | trustier sbom_file.json --output_file output.json 88 | 89 | # Takes an SBOM from STDIN and outputs JSON without any console decoration 90 | cat sbom_file.json | trustier - 91 | 92 | ``` 93 | 94 | ![](img/output.png) 95 | 96 | ## Troubleshooting 97 | 98 | During testing, we found there were some required fields needed in the SBOM in order to be considered valid. Ensure at minimum you have the following fields in your components: 99 | 100 | - `name` 101 | - `purl` 102 | - `type` 103 | 104 | **NOTE:** `trustier` does not support SPDX formatted SBOMS at this time. 105 | 106 | ## Credits 107 | 108 | A big thank-you to our friends at [Flaticon](https://www.flaticon.com) for the `trustier` logo. 109 | -------------------------------------------------------------------------------- /src/main.rs: -------------------------------------------------------------------------------- 1 | pub mod models; 2 | 3 | use async_std::task; 4 | use clap::Parser; 5 | use clap_stdin::FileOrStdin; 6 | use colored::*; 7 | use cyclonedx_bom::prelude::*; 8 | use models::TrustyResponse; 9 | use packageurl::PackageUrl; 10 | use serde_json; 11 | use std::{fs, str::FromStr}; 12 | use surf; 13 | 14 | macro_rules! conditional_println { 15 | ($flag:expr, $($arg:tt)*) => { 16 | if $flag { 17 | println!($($arg)*); 18 | } 19 | }; 20 | } 21 | 22 | #[derive(Debug, Parser)] 23 | #[command(author, version, about)] 24 | struct Args { 25 | //The SBOM to process 26 | #[arg(required = true)] 27 | sbom: FileOrStdin, 28 | 29 | //The time to pause before requests to https://trustypkg.dev 30 | #[arg(short, long, default_value_t = 500)] 31 | ratelimit: u64, 32 | 33 | //Optional file name to write json output to 34 | #[arg(short, long, required = false)] 35 | output_file: Option, 36 | } 37 | 38 | fn main() { 39 | let args = Args::parse(); 40 | 41 | if args.sbom.is_file() { 42 | print_ascii_header(); 43 | } 44 | 45 | if args.sbom.is_file() { 46 | conditional_println!(args.sbom.is_file(), "* Reading SBOM from file..."); 47 | } else { 48 | conditional_println!(args.sbom.is_file(), "* Reading SBOM from stdin..."); 49 | } 50 | 51 | let file_contents = match args.sbom.clone().into_reader() { 52 | Ok(contents) => { 53 | conditional_println!(args.sbom.is_file(), "* Loaded SBOM from input..."); 54 | contents 55 | } 56 | Err(err) => { 57 | eprintln!("Error reading input: {}", err); 58 | return; 59 | } 60 | }; 61 | 62 | let bom = match Bom::parse_from_json_v1_5(file_contents) { 63 | Ok(bom) => bom, 64 | Err(e) => { 65 | eprintln!("Error parsing SBOM: {}", e); 66 | return; 67 | } 68 | }; 69 | 70 | if !bom.validate().passed() { 71 | eprintln!("* Provided input is not a valid SBOM"); 72 | return; 73 | } 74 | 75 | conditional_println!(args.sbom.is_file(), "* SBOM is valid"); 76 | if let Some(serial_number) = &bom.serial_number { 77 | conditional_println!( 78 | args.sbom.is_file(), 79 | "* SBOM Serial Number: {}", 80 | serial_number 81 | ); 82 | } 83 | if let Err(err) = task::block_on(process_sbom(&bom, &args)) { 84 | eprintln!("Error processing SBOM (process_sbom): {}", err); 85 | } 86 | 87 | conditional_println!(args.sbom.is_file(), "{}", "DONE!".green().bold()); 88 | } 89 | 90 | fn print_ascii_header() { 91 | let header = r#" 92 | __ __ _ 93 | / /_______ _____ / /_(_)__ ____ 94 | / __/ __/ // (_- Result<(), Box> { 109 | let mut collected_purls = if let Some(components) = &bom.components { 110 | components 111 | .0 112 | .iter() 113 | .filter_map(|component| component.purl.as_ref().map(|purl| purl.to_string())) 114 | .collect::>() 115 | } else { 116 | Vec::new() 117 | }; 118 | 119 | let original_count = collected_purls.len(); 120 | filter_purls(&mut collected_purls); 121 | 122 | if collected_purls.len() < original_count { 123 | conditional_println!( 124 | args.sbom.is_file(), 125 | "* {}", 126 | r"trustypkg.dev only supports the following ecosystems: pypi, npm, crates, maven, go" 127 | .red() 128 | ); 129 | conditional_println!( 130 | args.sbom.is_file(), 131 | r"* Removed {} out of {} detected Purls in the SBOM. Some may have been duplicates or unsupported ecosystems.", 132 | original_count - collected_purls.len(), 133 | original_count 134 | ); 135 | } 136 | 137 | if collected_purls.len() != 0 { 138 | conditional_println!( 139 | args.sbom.is_file(), 140 | "* Processing {} Purls...\n", 141 | collected_purls.len() 142 | ); 143 | } else { 144 | conditional_println!(args.sbom.is_file(), "* Nothing to do...\n") 145 | } 146 | 147 | let responses = fetch_purl_bodies(&collected_purls, args.ratelimit).await?; 148 | 149 | if let Some(of) = args.output_file.clone() { 150 | let json = serde_json::to_string_pretty(&responses).unwrap(); 151 | let of_clone = of.clone(); 152 | let output_path = std::path::Path::new(&of_clone); 153 | if let Some(parent_dir) = output_path.parent() { 154 | if !parent_dir.exists() { 155 | fs::create_dir_all(parent_dir).expect("Failed to create output directory"); 156 | } 157 | } 158 | fs::write(of_clone, json).expect("Failed to write JSON to file"); 159 | conditional_println!(args.sbom.is_file(), "\n* JSON written to file: {}\n", of); 160 | } else { 161 | let json = serde_json::to_string_pretty(&responses).unwrap(); 162 | println!("{}", json); 163 | } 164 | 165 | Ok(()) 166 | } 167 | 168 | async fn fetch_purl_bodies( 169 | purls: &[String], 170 | rate_limit_ms: u64, 171 | ) -> Result, Box> { 172 | let mut responses: Vec = Vec::new(); 173 | 174 | for p in purls { 175 | match PackageUrl::from_str(p) { 176 | Ok(purl) => { 177 | let url = format!( 178 | "https://api.trustypkg.dev/v2/pkg?package_name={}&package_type={}", 179 | purl.name(), 180 | purl.ty() 181 | ); 182 | 183 | // eprintln!("* Fetching information for {}:", p); 184 | 185 | let body = surf::get(url).await?.body_string().await?; 186 | 187 | // eprintln!("* Response: {}", body); 188 | 189 | match serde_json::from_str::(&body) { 190 | Ok(mut resp) => { 191 | //println!("Success: {:?}", resp); 192 | resp.purl = Some(p.to_string()); 193 | responses.push(resp); 194 | } 195 | Err(e) => { 196 | eprintln!("Failed to parse JSON: {}", e); 197 | } 198 | } 199 | 200 | task::sleep(std::time::Duration::from_millis(rate_limit_ms)).await; 201 | } 202 | Err(err) => eprintln!("Error parsing PURL: {}", err), 203 | } 204 | } 205 | 206 | Ok(responses) 207 | } 208 | 209 | fn filter_purls(collected_purls: &mut Vec) { 210 | let allowed_types = ["pypi", "npm", "cargo", "maven", "go"]; 211 | 212 | collected_purls.retain(|purl_str| match PackageUrl::from_str(purl_str) { 213 | Ok(purl) => allowed_types.contains(&purl.ty()), 214 | Err(_) => false, 215 | }); 216 | 217 | collected_purls.sort(); 218 | collected_purls.dedup(); 219 | 220 | //if any of the collected purls contain the word cargo, replace it with crates (trustypkg.dev only supports crates, sboms contain cargo) 221 | for purl in collected_purls.iter_mut() { 222 | if purl.contains("cargo") { 223 | *purl = purl.replace("cargo", "crates"); 224 | } 225 | } 226 | } 227 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | # Mozilla Public License Version 2.0 2 | 3 | 1. Definitions 4 | 5 | --- 6 | 7 | 1.1. "Contributor" 8 | means each individual or legal entity that creates, contributes to 9 | the creation of, or owns Covered Software. 10 | 11 | 1.2. "Contributor Version" 12 | means the combination of the Contributions of others (if any) used 13 | by a Contributor and that particular Contributor's Contribution. 14 | 15 | 1.3. "Contribution" 16 | means Covered Software of a particular Contributor. 17 | 18 | 1.4. "Covered Software" 19 | means Source Code Form to which the initial Contributor has attached 20 | the notice in Exhibit A, the Executable Form of such Source Code 21 | Form, and Modifications of such Source Code Form, in each case 22 | including portions thereof. 23 | 24 | 1.5. "Incompatible With Secondary Licenses" 25 | means 26 | 27 | (a) that the initial Contributor has attached the notice described 28 | in Exhibit B to the Covered Software; or 29 | 30 | (b) that the Covered Software was made available under the terms of 31 | version 1.1 or earlier of the License, but not also under the 32 | terms of a Secondary License. 33 | 34 | 1.6. "Executable Form" 35 | means any form of the work other than Source Code Form. 36 | 37 | 1.7. "Larger Work" 38 | means a work that combines Covered Software with other material, in 39 | a separate file or files, that is not Covered Software. 40 | 41 | 1.8. "License" 42 | means this document. 43 | 44 | 1.9. "Licensable" 45 | means having the right to grant, to the maximum extent possible, 46 | whether at the time of the initial grant or subsequently, any and 47 | all of the rights conveyed by this License. 48 | 49 | 1.10. "Modifications" 50 | means any of the following: 51 | 52 | (a) any file in Source Code Form that results from an addition to, 53 | deletion from, or modification of the contents of Covered 54 | Software; or 55 | 56 | (b) any new file in Source Code Form that contains any Covered 57 | Software. 58 | 59 | 1.11. "Patent Claims" of a Contributor 60 | means any patent claim(s), including without limitation, method, 61 | process, and apparatus claims, in any patent Licensable by such 62 | Contributor that would be infringed, but for the grant of the 63 | License, by the making, using, selling, offering for sale, having 64 | made, import, or transfer of either its Contributions or its 65 | Contributor Version. 66 | 67 | 1.12. "Secondary License" 68 | means either the GNU General Public License, Version 2.0, the GNU 69 | Lesser General Public License, Version 2.1, the GNU Affero General 70 | Public License, Version 3.0, or any later versions of those 71 | licenses. 72 | 73 | 1.13. "Source Code Form" 74 | means the form of the work preferred for making modifications. 75 | 76 | 1.14. "You" (or "Your") 77 | means an individual or a legal entity exercising rights under this 78 | License. For legal entities, "You" includes any entity that 79 | controls, is controlled by, or is under common control with You. For 80 | purposes of this definition, "control" means (a) the power, direct 81 | or indirect, to cause the direction or management of such entity, 82 | whether by contract or otherwise, or (b) ownership of more than 83 | fifty percent (50%) of the outstanding shares or beneficial 84 | ownership of such entity. 85 | 86 | 2. License Grants and Conditions 87 | 88 | --- 89 | 90 | 2.1. Grants 91 | 92 | Each Contributor hereby grants You a world-wide, royalty-free, 93 | non-exclusive license: 94 | 95 | (a) under intellectual property rights (other than patent or trademark) 96 | Licensable by such Contributor to use, reproduce, make available, 97 | modify, display, perform, distribute, and otherwise exploit its 98 | Contributions, either on an unmodified basis, with Modifications, or 99 | as part of a Larger Work; and 100 | 101 | (b) under Patent Claims of such Contributor to make, use, sell, offer 102 | for sale, have made, import, and otherwise transfer either its 103 | Contributions or its Contributor Version. 104 | 105 | 2.2. Effective Date 106 | 107 | The licenses granted in Section 2.1 with respect to any Contribution 108 | become effective for each Contribution on the date the Contributor first 109 | distributes such Contribution. 110 | 111 | 2.3. Limitations on Grant Scope 112 | 113 | The licenses granted in this Section 2 are the only rights granted under 114 | this License. No additional rights or licenses will be implied from the 115 | distribution or licensing of Covered Software under this License. 116 | Notwithstanding Section 2.1(b) above, no patent license is granted by a 117 | Contributor: 118 | 119 | (a) for any code that a Contributor has removed from Covered Software; 120 | or 121 | 122 | (b) for infringements caused by: (i) Your and any other third party's 123 | modifications of Covered Software, or (ii) the combination of its 124 | Contributions with other software (except as part of its Contributor 125 | Version); or 126 | 127 | (c) under Patent Claims infringed by Covered Software in the absence of 128 | its Contributions. 129 | 130 | This License does not grant any rights in the trademarks, service marks, 131 | or logos of any Contributor (except as may be necessary to comply with 132 | the notice requirements in Section 3.4). 133 | 134 | 2.4. Subsequent Licenses 135 | 136 | No Contributor makes additional grants as a result of Your choice to 137 | distribute the Covered Software under a subsequent version of this 138 | License (see Section 10.2) or under the terms of a Secondary License (if 139 | permitted under the terms of Section 3.3). 140 | 141 | 2.5. Representation 142 | 143 | Each Contributor represents that the Contributor believes its 144 | Contributions are its original creation(s) or it has sufficient rights 145 | to grant the rights to its Contributions conveyed by this License. 146 | 147 | 2.6. Fair Use 148 | 149 | This License is not intended to limit any rights You have under 150 | applicable copyright doctrines of fair use, fair dealing, or other 151 | equivalents. 152 | 153 | 2.7. Conditions 154 | 155 | Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted 156 | in Section 2.1. 157 | 158 | 3. Responsibilities 159 | 160 | --- 161 | 162 | 3.1. Distribution of Source Form 163 | 164 | All distribution of Covered Software in Source Code Form, including any 165 | Modifications that You create or to which You contribute, must be under 166 | the terms of this License. You must inform recipients that the Source 167 | Code Form of the Covered Software is governed by the terms of this 168 | License, and how they can obtain a copy of this License. You may not 169 | attempt to alter or restrict the recipients' rights in the Source Code 170 | Form. 171 | 172 | 3.2. Distribution of Executable Form 173 | 174 | If You distribute Covered Software in Executable Form then: 175 | 176 | (a) such Covered Software must also be made available in Source Code 177 | Form, as described in Section 3.1, and You must inform recipients of 178 | the Executable Form how they can obtain a copy of such Source Code 179 | Form by reasonable means in a timely manner, at a charge no more 180 | than the cost of distribution to the recipient; and 181 | 182 | (b) You may distribute such Executable Form under the terms of this 183 | License, or sublicense it under different terms, provided that the 184 | license for the Executable Form does not attempt to limit or alter 185 | the recipients' rights in the Source Code Form under this License. 186 | 187 | 3.3. Distribution of a Larger Work 188 | 189 | You may create and distribute a Larger Work under terms of Your choice, 190 | provided that You also comply with the requirements of this License for 191 | the Covered Software. If the Larger Work is a combination of Covered 192 | Software with a work governed by one or more Secondary Licenses, and the 193 | Covered Software is not Incompatible With Secondary Licenses, this 194 | License permits You to additionally distribute such Covered Software 195 | under the terms of such Secondary License(s), so that the recipient of 196 | the Larger Work may, at their option, further distribute the Covered 197 | Software under the terms of either this License or such Secondary 198 | License(s). 199 | 200 | 3.4. Notices 201 | 202 | You may not remove or alter the substance of any license notices 203 | (including copyright notices, patent notices, disclaimers of warranty, 204 | or limitations of liability) contained within the Source Code Form of 205 | the Covered Software, except that You may alter any license notices to 206 | the extent required to remedy known factual inaccuracies. 207 | 208 | 3.5. Application of Additional Terms 209 | 210 | You may choose to offer, and to charge a fee for, warranty, support, 211 | indemnity or liability obligations to one or more recipients of Covered 212 | Software. However, You may do so only on Your own behalf, and not on 213 | behalf of any Contributor. You must make it absolutely clear that any 214 | such warranty, support, indemnity, or liability obligation is offered by 215 | You alone, and You hereby agree to indemnify every Contributor for any 216 | liability incurred by such Contributor as a result of warranty, support, 217 | indemnity or liability terms You offer. You may include additional 218 | disclaimers of warranty and limitations of liability specific to any 219 | jurisdiction. 220 | 221 | 4. Inability to Comply Due to Statute or Regulation 222 | 223 | --- 224 | 225 | If it is impossible for You to comply with any of the terms of this 226 | License with respect to some or all of the Covered Software due to 227 | statute, judicial order, or regulation then You must: (a) comply with 228 | the terms of this License to the maximum extent possible; and (b) 229 | describe the limitations and the code they affect. Such description must 230 | be placed in a text file included with all distributions of the Covered 231 | Software under this License. Except to the extent prohibited by statute 232 | or regulation, such description must be sufficiently detailed for a 233 | recipient of ordinary skill to be able to understand it. 234 | 235 | 5. Termination 236 | 237 | --- 238 | 239 | 5.1. The rights granted under this License will terminate automatically 240 | if You fail to comply with any of its terms. However, if You become 241 | compliant, then the rights granted under this License from a particular 242 | Contributor are reinstated (a) provisionally, unless and until such 243 | Contributor explicitly and finally terminates Your grants, and (b) on an 244 | ongoing basis, if such Contributor fails to notify You of the 245 | non-compliance by some reasonable means prior to 60 days after You have 246 | come back into compliance. Moreover, Your grants from a particular 247 | Contributor are reinstated on an ongoing basis if such Contributor 248 | notifies You of the non-compliance by some reasonable means, this is the 249 | first time You have received notice of non-compliance with this License 250 | from such Contributor, and You become compliant prior to 30 days after 251 | Your receipt of the notice. 252 | 253 | 5.2. If You initiate litigation against any entity by asserting a patent 254 | infringement claim (excluding declaratory judgment actions, 255 | counter-claims, and cross-claims) alleging that a Contributor Version 256 | directly or indirectly infringes any patent, then the rights granted to 257 | You by any and all Contributors for the Covered Software under Section 258 | 2.1 of this License shall terminate. 259 | 260 | 5.3. In the event of termination under Sections 5.1 or 5.2 above, all 261 | end user license agreements (excluding distributors and resellers) which 262 | have been validly granted by You or Your distributors under this License 263 | prior to termination shall survive termination. 264 | 265 | --- 266 | 267 | - * 268 | - 6. Disclaimer of Warranty \* 269 | - ------------------------- \* 270 | - * 271 | - Covered Software is provided under this License on an "as is" \* 272 | - basis, without warranty of any kind, either expressed, implied, or \* 273 | - statutory, including, without limitation, warranties that the \* 274 | - Covered Software is free of defects, merchantable, fit for a \* 275 | - particular purpose or non-infringing. The entire risk as to the \* 276 | - quality and performance of the Covered Software is with You. \* 277 | - Should any Covered Software prove defective in any respect, You \* 278 | - (not any Contributor) assume the cost of any necessary servicing, \* 279 | - repair, or correction. This disclaimer of warranty constitutes an \* 280 | - essential part of this License. No use of any Covered Software is \* 281 | - authorized under this License except under this disclaimer. \* 282 | - * 283 | 284 | --- 285 | 286 | --- 287 | 288 | - * 289 | - 7. Limitation of Liability \* 290 | - -------------------------- \* 291 | - * 292 | - Under no circumstances and under no legal theory, whether tort \* 293 | - (including negligence), contract, or otherwise, shall any \* 294 | - Contributor, or anyone who distributes Covered Software as \* 295 | - permitted above, be liable to You for any direct, indirect, \* 296 | - special, incidental, or consequential damages of any character \* 297 | - including, without limitation, damages for lost profits, loss of \* 298 | - goodwill, work stoppage, computer failure or malfunction, or any \* 299 | - and all other commercial damages or losses, even if such party \* 300 | - shall have been informed of the possibility of such damages. This \* 301 | - limitation of liability shall not apply to liability for death or \* 302 | - personal injury resulting from such party's negligence to the \* 303 | - extent applicable law prohibits such limitation. Some \* 304 | - jurisdictions do not allow the exclusion or limitation of \* 305 | - incidental or consequential damages, so this exclusion and \* 306 | - limitation may not apply to You. \* 307 | - * 308 | 309 | --- 310 | 311 | 8. Litigation 312 | 313 | --- 314 | 315 | Any litigation relating to this License may be brought only in the 316 | courts of a jurisdiction where the defendant maintains its principal 317 | place of business and such litigation shall be governed by laws of that 318 | jurisdiction, without reference to its conflict-of-law provisions. 319 | Nothing in this Section shall prevent a party's ability to bring 320 | cross-claims or counter-claims. 321 | 322 | 9. Miscellaneous 323 | 324 | --- 325 | 326 | This License represents the complete agreement concerning the subject 327 | matter hereof. If any provision of this License is held to be 328 | unenforceable, such provision shall be reformed only to the extent 329 | necessary to make it enforceable. Any law or regulation which provides 330 | that the language of a contract shall be construed against the drafter 331 | shall not be used to construe this License against a Contributor. 332 | 333 | 10. Versions of the License 334 | 335 | --- 336 | 337 | 10.1. New Versions 338 | 339 | Mozilla Foundation is the license steward. Except as provided in Section 340 | 10.3, no one other than the license steward has the right to modify or 341 | publish new versions of this License. Each version will be given a 342 | distinguishing version number. 343 | 344 | 10.2. Effect of New Versions 345 | 346 | You may distribute the Covered Software under the terms of the version 347 | of the License under which You originally received the Covered Software, 348 | or under the terms of any subsequent version published by the license 349 | steward. 350 | 351 | 10.3. Modified Versions 352 | 353 | If you create software not governed by this License, and you want to 354 | create a new license for such software, you may create and use a 355 | modified version of this License if you rename the license and remove 356 | any references to the name of the license steward (except to note that 357 | such modified license differs from this License). 358 | 359 | 10.4. Distributing Source Code Form that is Incompatible With Secondary 360 | Licenses 361 | 362 | If You choose to distribute Source Code Form that is Incompatible With 363 | Secondary Licenses under the terms of this version of the License, the 364 | notice described in Exhibit B of this License must be attached. 365 | 366 | ## Exhibit A - Source Code Form License Notice 367 | 368 | This Source Code Form is subject to the terms of the Mozilla Public 369 | License, v. 2.0. If a copy of the MPL was not distributed with this 370 | file, You can obtain one at http://mozilla.org/MPL/2.0/. 371 | 372 | If it is not possible or desirable to put the notice in a particular 373 | file, then You may include the notice in a location (such as a LICENSE 374 | file in a relevant directory) where a recipient would be likely to look 375 | for such a notice. 376 | 377 | You may add additional accurate notices of copyright ownership. 378 | 379 | ## Exhibit B - "Incompatible With Secondary Licenses" Notice 380 | 381 | This Source Code Form is "Incompatible With Secondary Licenses", as 382 | defined by the Mozilla Public License, v. 2.0. 383 | --------------------------------------------------------------------------------