├── FAQ.rst
├── LICENSE
├── README.rst
└── .gitignore

/FAQ.rst:
--------------------------------------------------------------------------------

Q: What if a package has no repository or is proprietary?

- A: Use a "generic" purl and a download URL or homepage URL qualifier.

Q: What if I want to provide file details?

- A: Use a purl with a subpath.

Q: What if I want to provide checksums?

- A: Use a purl with checksum qualifier(s).

Q: Where do I document my own code?

- A: As entries in the packages list. The first item(s)
  would typically describe your own software.

Q: What about vulnerabilities?

- A: If we want a kissbom to also contain vulnerability
  information for packages, we can add a field that would list
  vulnerability ids for this SBoM entry.

Q: Does the kissbom-spec meet NTIA standards for Baseline Attributes?

- A: Based on the discussion in https://github.com/kissbom/kissbom-spec/issues/1
  it likely does.
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2022 kissbom

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------
/README.rst:
--------------------------------------------------------------------------------
==================================
kissbom: The keep it simple SBoM
==================================

Context and Problem
--------------------

Reporting software provenance to track licensing, bugs and
vulnerabilities is useful.

What could be the simplest way to craft a Software Bill
of Materials (SBoM)?

Solution
---------

A kissbom is a document that lists all the software packages
included in the software it documents, both own code and
third-party.

The attributes for each item in this list are:

- purl: a Package URL string.
- license: an optional SPDX license expression string.
- copyright: an optional copyright holder name(s) string.
- notes: an optional notes string.

These attributes are sufficient to:

- document package provenance and license,
- query package details from repositories, including dependencies,
- download packages, and
- query bug trackers and vulnerability databases for package issues.

purl and SPDX license expressions each have their own spec.

The extensions for kissbom files are ".kissbom.json", ".kissbom.yml",
".kissbom.csv", etc.
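Worked example, added here and not part of the kissbom-spec project: a small Python module that takes a kissbom in its deserialized form, parses every purl into type, namespace, name, version, qualifiers and subpath in the order the Package URL spec prescribes, and applies the checks the FAQ and the attribute list call for. A "generic" purl (a package with no repository) must carry a download_url qualifier, checksum qualifiers must be well-formed algorithm:hexdigest items and can be verified against the bytes that were downloaded, and a subpath names one file inside the package. The top-level "packages" list, the sample entries, the example.com URL and the artifact bytes are constructed for the example; requiring download_url rather than also accepting a homepage-style qualifier is a policy choice made here, not something the FAQ settles.

```python
# Added example (not kissbom-spec code): load, parse and validate a kissbom. It assumes a
# "packages" list of README attributes (purl, license, copyright, notes) and purl grammar
# pkg:type/namespace/name@version?qualifiers#subpath as the Package URL spec defines it.
import hashlib
from dataclasses import dataclass
from typing import Any, Dict, List, Optional
from urllib.parse import unquote

@dataclass
class PackageURL:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]
    qualifiers: Dict[str, Any]
    subpath: Optional[str]

def parse_purl(purl: str) -> PackageURL:
    """Split a purl into its components in the order the purl spec prescribes."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl (missing pkg: scheme): {purl!r}")
    rest, subpath, version = purl[len("pkg:"):], None, None
    if "#" in rest:  # subpath follows the right-most '#'; '.' and '..' segments are dropped
        rest, raw = rest.rsplit("#", 1)
        parts = [unquote(s) for s in raw.strip("/").split("/") if s not in ("", ".", "..")]
        subpath = "/".join(parts) or None
    qualifiers: Dict[str, Any] = {}
    if "?" in rest:  # key=value pairs after the right-most '?'; checksum is a comma list
        rest, raw = rest.rsplit("?", 1)
        for pair in raw.split("&"):
            key, _, value = pair.partition("=")
            key, value = key.lower(), unquote(value)
            if key and value:  # an empty value means "no such qualifier"
                qualifiers[key] = value.split(",") if key == "checksum" else value
    ptype, sep, rest = rest.lstrip("/").partition("/")  # type ends at the first '/'
    if "@" in rest:  # version follows the right-most '@' (a literal '@' is encoded as %40)
        rest, raw = rest.rsplit("@", 1)
        version = unquote(raw)
    *ns_parts, raw_name = rest.strip("/").split("/")  # last segment is the name
    if not (sep and ptype and raw_name):
        raise ValueError(f"purl needs a type and a name: {purl!r}")
    namespace = "/".join(unquote(p) for p in ns_parts if p) or None
    return PackageURL(ptype.lower(), namespace, unquote(raw_name), version, qualifiers, subpath)

def validate_kissbom(doc: dict) -> List[str]:
    """Return the problems found; an empty list means every entry is usable."""
    packages = doc.get("packages")
    if not isinstance(packages, list) or not packages:
        return ['"packages" must be a non-empty list']
    problems: List[str] = []
    for i, entry in enumerate(packages):
        where = f"packages[{i}]"
        if not isinstance(entry, dict) or not isinstance(entry.get("purl"), str):
            problems.append(f"{where}: missing required purl")
            continue
        try:
            purl = parse_purl(entry["purl"])
        except ValueError as exc:
            problems.append(f"{where}: {exc}")
            continue
        # FAQ: a package with no repository gets a generic purl plus a download URL;
        # without that qualifier nothing can be fetched or looked up for the entry.
        if purl.type == "generic" and "download_url" not in purl.qualifiers:
            problems.append(f"{where}: generic purl needs a download_url qualifier")
        for item in purl.qualifiers.get("checksum", []):  # each is algorithm:hexdigest
            algo, _, digest = item.partition(":")
            try:
                size = hashlib.new(algo.lower()).digest_size * 2
            except ValueError:  # algorithm hashlib does not know
                size = -1
            if len(digest) != size or not set(digest.lower()) <= set("0123456789abcdef"):
                problems.append(f"{where}: bad checksum {item!r}")
    return problems

def verify_checksum(purl: PackageURL, data: bytes) -> bool:
    """True only if data matches every checksum qualifier; False when there is none."""
    expected = purl.qualifiers.get("checksum", [])
    return bool(expected) and all(hashlib.new(a.lower(), data).hexdigest() == d.lower()
                                  for a, _, d in (item.partition(":") for item in expected))

# Constructed stand-in for the product's own tarball, so the checksum can be verified offline.
ARTIFACT = b"constructed contents of example-app-1.2.0.tar.gz"
ARTIFACT_SHA256 = hashlib.sha256(ARTIFACT).hexdigest()

# Constructed kissbom: own code first (proprietary, hence a generic purl with download_url
# and checksum), two dependencies, then three deliberately bad entries.
SAMPLE_KISSBOM = {"packages": [
    {"purl": "pkg:generic/example-app@1.2.0"
             "?download_url=https://example.com/example-app-1.2.0.tar.gz"
             f"&checksum=sha256:{ARTIFACT_SHA256}",
     "license": "LicenseRef-Proprietary", "copyright": "Copyright (c) 2022 Example Org",
     "notes": "the product this kissbom documents"},
    {"purl": "pkg:pypi/requests@2.28.1", "license": "Apache-2.0"},
    {"purl": "pkg:npm/%40angular/core@12.0.0#src/core.ts", "license": "MIT"},
    {"purl": "pkg:generic/mystery-blob@1.0", "license": "MIT"},
    {"purl": "pkg:pypi/lxml@4.9.1?checksum=sha256:notahexdigest"},
    {"license": "MIT", "notes": "entry with no purl"},
]}
```

Calling validate_kissbom(SAMPLE_KISSBOM) reports the last three entries (generic purl without download_url, malformed checksum, missing purl) and accepts the rest; a consumer would run these checks before using the first entry's download_url to fetch the package and verify_checksum to confirm that what arrived is what the SBoM describes. The npm entry shows why the spec percent-encodes "@" inside a namespace: the parser takes the right-most "@" as the version separator.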

The filename should be used to document the subject of the SBoM,
including optionally the product or component name, the SBoM author
name, and an ISO 8601 timestamp of when this SBoM was last modified.
Filenames should be lowercase, contain no spaces, and should
prefer "-", "_" and "." as separators between words.

Content is UTF-8-encoded and can be serialized as JSON, YAML, CSV or
any other format.
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
# Byte-compiled / optimized / DLL files
__pycache__/
*.py[cod]
*$py.class

# C extensions
*.so

# Distribution / packaging
.Python
build/
develop-eggs/
dist/
downloads/
eggs/
.eggs/
lib/
lib64/
parts/
sdist/
var/
wheels/
pip-wheel-metadata/
share/python-wheels/
*.egg-info/
.installed.cfg
*.egg
MANIFEST

# PyInstaller
# Usually these files are written by a python script from a template
# before PyInstaller builds the exe, so as to inject date/other infos into it.
*.manifest
*.spec

# Installer logs
pip-log.txt
pip-delete-this-directory.txt

# Unit test / coverage reports
htmlcov/
.tox/
.nox/
.coverage
.coverage.*
.cache
nosetests.xml
coverage.xml
*.cover
*.py,cover
.hypothesis/
.pytest_cache/

# Translations
*.mo
*.pot

# Django stuff:
*.log
local_settings.py
db.sqlite3
db.sqlite3-journal

# Flask stuff:
instance/
.webassets-cache

# Scrapy stuff:
.scrapy

# Sphinx documentation
docs/_build/

# PyBuilder
target/

# Jupyter Notebook
.ipynb_checkpoints

# IPython
profile_default/
ipython_config.py

# pyenv
.python-version

# pipenv
# According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
# However, in case of collaboration, if having platform-specific dependencies or dependencies
# having no cross-platform support, pipenv may install dependencies that don't work, or not
# install all needed dependencies.
#Pipfile.lock

# PEP 582; used by e.g. github.com/David-OConnor/pyflow
__pypackages__/

# Celery stuff
celerybeat-schedule
celerybeat.pid

# SageMath parsed files
*.sage.py

# Environments
.env
.venv
env/
venv/
ENV/
env.bak/
venv.bak/

# Spyder project settings
.spyderproject
.spyproject

# Rope project settings
.ropeproject

# mkdocs documentation
/site

# mypy
.mypy_cache/
.dmypy.json
dmypy.json

# Pyre type checker
.pyre/
--------------------------------------------------------------------------------