Skip to content

The Continuous Clearing Tool scans and collects the 3rd party OSS components used in a NPM/NuGet/Debian/Maven/Python/Conan/Aipine project and uploads it to SW360 and Fossology by accepting respective project ID for license clearing.

License

Notifications You must be signed in to change notification settings

siemens/continuous-clearing

Repository files navigation

Build & Test Docker-publish Publish NuGet Packages

Introduction

The Continuous Clearing Tool scans and collects the 3rd party OSS components used in a NPM/NuGet/Maven/Python/Debian and uploads it to SW360 and Fossology by accepting respective project ID for license clearing.

The tool helps the developer/project manager to enable the clearing process faster by reducing the manual effort of creating SW360 and FOSSology workflows.

Continuous Clearing Tool for SBOM :

To secure overall DevOps supply chain, we need to ensure that the coding is secure and other mandatory security aspects is integrated in Software development lifecycle from beginning to end. To ensure such practises are in place, we need to provide software bill of material ( SBOM ) for every automated build in DevOps chain. This SBOM will contain all the first and 3rd party components details including dependencies such as development,transitive and internal.

This tool has been logically split into 3 different executables that enable it to be used as separate modules as per the user's requirement.

Note: Continuous Clearing Tool internally uses Syft for component detection for debian type projects.

Package Installation

Install from GitHub Release (Official)

Use container image

docker pull ghcr.io/siemens/continuous-clearing

Use Binary

Download the .nupkg file from GitHub Releases

Execution via terminal

The Continuous Clearing Tool has 3 executables.

you can run Continuous Clearing Tool as container or as a dotnet package,

Run as container

Execute them in the following order to achieve the complete License clearing process.

  1. Package Identifier - This executable takes Package file or a cycloneDX BOM as input and provides a SBOM file as output. For each of the component the dependency classification (development,internal) and the availability in jfrog artifactory is identified and added in the SBOM file.
docker run --rm -it -v /path/to/InputDirectory:/mnt/Input -v /path/to/OutputDirectory:/mnt/Output -v /path/to/LogDirectory:/var/log -v /path/to/configDirectory:/etc/CATool ghcr.io/siemens/continuous-clearing dotnet PackageIdentifier.dll --settingsfilepath /etc/CATool/appSetting.json
  • Input (i.e., /path/to/InputDirectory -> place to keep input files)
  • Output (i.e.,/path/to/OutputDirectory -> resulted files will be stored here)
  • Log (i.e., /path/to/logDirectory -> logs will be stored here)
  • Configuration (i.e., /path/to/ConfigDirectory -> place to keep the Config files i.e appSetting.json)
  1. SW360 Package Creator - This executable expects the CycloneDX BOM as the input, creates the missing components/releases in SW360 and links all the components to the respective project in SW360 portal and triggers the fossology upload.

Note: By default the SBOM contains both dev and non dev dependent components. Hence while creating the components in Sw360 make sure to set the RemoveDevDependency flag as true to skip creating the development dependent components.

docker run --rm -it -v /path/to/OutputDirectory:/mnt/Output -v /path/to/LogDirectory:/var/log -v /path/to/configDirectory:/etc/CATool ghcr.io/siemens/continuous-clearing dotnet SW360PackageCreator.dll --settingsfilepath /etc/CATool/appSetting.json
  1. Artifactory Uploader - This executable takes CycloneDX BOM which is updated by the SW360PackageCreator.dll as input and uploads the components that are already cleared (clearing state - "Report approved") to the SIPARTY release repo in Jfrog Artifactory.
 docker run --rm -it -v /path/to/OutputDirectory:/mnt/Output -v /path/to/LogDirectory:/var/log -v /path/to/configDirectory:/etc/CATool ghcr.io/siemens/continuous-clearing dotnet ArtifactoryUploader.dll --settingsfilepath /etc/CATool/appSetting.json
Run as dotnet package

Extract the downloaded .nupkg package , execute the following commands inside the tools folder.

  1. Package Identifier - This executable takes Package file as input and provides a CycloneDX BOM file as output. For each of the component the dependency classification (development,internal) and the availability in jfrog artifactory is identified and added in the BOM file.
  PackageIdentifier.exe --settingsfilepath /<Config_Path>/appSetting.json
  1. SW360 Package Creator - This executable expects the CycloneDX BOM as the input, creates the missing components/releases in SW360 and links all the components to the respective project in SW360 portal and triggers the fossology upload.

Note: By default the SBOM contains both dev and non dev dependent components. Hence while creating the components in Sw360 make sure to set the RemoveDevDependency flag as true to skip creating the development dependent components.

 SW360PackageCreator.exe --settingsfilepath /<Config_Path>/appSetting.json
  1. Artifactory Uploader - This executable takes CycloneDX BOM which is updated by the SW360PackageCreator.dll as input and uploads the components that are already cleared (clearing state - "Report approved") to the SIPARTY release repo in Jfrog Artifactory.
  ArtifactoryUploader.exe --settingsfilepath /<Config_Path>/appSetting.json

Detailed insight on configuration and execution is provided in Usage Doc.

Note: ArtifactoryUploader is not applicable for Debian clearing.

Development

These instructions will get the project up and running on your local machine for development and testing purposes.

Prerequisite

  1. Download Visual Studio 2022.
  2. Download Docker latest version.
  3. Docker image of continuous Clearing tool to be loaded locally.

Building via .NET SDK

  • Clone the repo in your local directory
  • Inside the src folder, execute the following command to build the source code :
dotnet build --configuration Release

Creating Docker image

Execute the following command inside the project's root directory where the Dockerfile is present to create an image :

docker build -t <DockerImageName> -f Dockerfile .

Creating Dotnet package

Execute the following command inside the project's root directory :

nuget pack CA.nuspec

Contribute

Improvements are always welcome! Feel free to log a bug, write a suggestion or contribute code via merge request. To build and test the solution locally you should have .NET 8 installed. All details are listed in our contribution guide. See CONTRIBUTING.md.

License

Code and documentation under MIT License

Third-party software components list:

Copyright 2024 Siemens AG

About

The Continuous Clearing Tool scans and collects the 3rd party OSS components used in a NPM/NuGet/Debian/Maven/Python/Conan/Aipine project and uploads it to SW360 and Fossology by accepting respective project ID for license clearing.

Topics

Resources

License

Code of conduct

Security policy

Stars

Watchers

Forks

Packages

 
 
 

Languages