Generate and manage Software Bill of Materials (SBOMs) for the OpenShell project. Covers SBOM generation with Syft, license resolution via public registries, and CSV export for compliance review. Trigger keywords - SBOM, sbom, bill of materials, license audit, license resolution, generate sbom, sbom csv, dependency license, supply chain, license scan.
Generate CycloneDX SBOMs, resolve missing licenses, and export to CSV for compliance review.
The OpenShell SBOM tooling produces CycloneDX JSON SBOMs using Syft, resolves missing or hash-based licenses by querying public registries (crates.io, npm, PyPI), and exports the results to CSV for stakeholder review.
SBOMs are release artifacts only -- they are generated on demand and not committed to the repository. Output lands in deploy/sbom/output/ (gitignored).
Prerequisite: mise install has been run (installs Syft and other tools).

```sh
mise run sbom
```
This single command chains three stages:
1. Generate (sbom:generate): Syft scans the workspace source tree and produces a CycloneDX JSON SBOM
2. Resolve (sbom:resolve): Public registry APIs fill in missing or hash-based licenses in the JSON
3. Export (sbom:csv): JSON SBOMs are converted to CSV for review

Output directory: deploy/sbom/output/
After running, the user can find:
- deploy/sbom/output/*.cdx.json -- full CycloneDX SBOMs
- deploy/sbom/output/*.csv -- CSV exports ready for spreadsheet review

Run stages independently when debugging or iterating:

```sh
mise run sbom:generate   # Generate JSON SBOMs only (requires Syft)
mise run sbom:resolve    # Resolve licenses in existing JSONs (queries APIs)
mise run sbom:csv        # Convert existing JSONs to CSV
```

```sh
mise run sbom:check
```
Reports unresolved licenses without failing. Intended for PR CI as a non-blocking advisory check. Requires that SBOMs have already been generated (mise run sbom:generate).
The Python scripts accept explicit file paths, so they can process SBOMs from any source (e.g., NVIDIA nSpect pipeline output):
```sh
uv run python deploy/sbom/resolve_licenses.py /path/to/external-sbom.json
uv run python deploy/sbom/sbom_to_csv.py /path/to/external-sbom.json
```
The resolver queries these public registries:
| Registry | Package URL prefix | Method |
|---|---|---|
| crates.io | pkg:cargo/* | REST API |
| npm | pkg:npm/* | Registry API |
| PyPI | pkg:pypi/* | JSON API |
| Go modules | pkg:golang/* | Known license map (no API) |
| Debian/Ubuntu | pkg:deb/* | Known license map |
Components from private registries (e.g., @openclaw/* npm packages) are not resolved and will appear in the "unresolved" report.
| Pattern | Description |
|---|---|
| deploy/sbom/output/openshell-source-{version}.cdx.json | CycloneDX JSON SBOM |
| deploy/sbom/output/openshell-source-{version}.csv | CSV export (name, version, type, purl, licenses, bom-ref) |
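As an added illustration of the resolve and CSV stages described above (not the project's own resolve_licenses.py or sbom_to_csv.py), the script below walks a constructed CycloneDX JSON document, flags components whose license is missing or is a hash placeholder, fills them in from a lookup, reports the rest as unresolved, and writes the CSV columns listed in the table. The KNOWN_LICENSES map is a hypothetical offline stand-in for the registry API calls and known-license maps the real tooling uses.

```python
import csv
import io
import json

# Constructed CycloneDX fragment for demonstration; not real OpenShell output.
SAMPLE_SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "serde", "version": "1.0.200", "purl": "pkg:cargo/serde@1.0.200",
     "bom-ref": "pkg:cargo/serde@1.0.200", "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "left-pad", "version": "1.3.0", "purl": "pkg:npm/left-pad@1.3.0",
     "bom-ref": "pkg:npm/left-pad@1.3.0"},                       # no license at all
    {"type": "library", "name": "golang.org/x/net", "version": "v0.25.0",
     "purl": "pkg:golang/golang.org/x/net@v0.25.0", "bom-ref": "pkg:golang/golang.org/x/net@v0.25.0",
     "licenses": [{"license": {"name": "sha256:deadbeef"}}]},   # hash-based placeholder
    {"type": "library", "name": "@openclaw/core", "version": "2.1.0",
     "purl": "pkg:npm/%40openclaw/core@2.1.0", "bom-ref": "pkg:npm/%40openclaw/core@2.1.0"},
]})

# Hypothetical offline stand-in for crates.io/npm/PyPI lookups and the Go/Debian
# known-license maps; keyed by purl with the version stripped.
KNOWN_LICENSES = {"pkg:npm/left-pad": "WTFPL", "pkg:golang/golang.org/x/net": "BSD-3-Clause"}

def license_strings(component):
    """Return the SPDX ids, names or expressions recorded on a component."""
    out = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        out.append(lic.get("id") or lic.get("name") or entry.get("expression", ""))
    return [s for s in out if s]

def needs_resolution(component):
    """True when the license is absent or is only a content hash, not a real id."""
    lics = license_strings(component)
    return not lics or any(l.startswith("sha256:") for l in lics)

def resolve_licenses(sbom_json, lookup):
    """Fill in resolvable licenses in place; return (sbom, unresolved purls)."""
    sbom, unresolved = json.loads(sbom_json), []
    for comp in sbom.get("components", []):
        if not needs_resolution(comp):
            continue
        found = lookup.get(comp.get("purl", "").rsplit("@", 1)[0])
        if found:
            comp["licenses"] = [{"license": {"id": found}}]
        else:  # e.g. private-registry packages the public APIs cannot answer for
            unresolved.append(comp.get("purl") or comp["name"])
    return sbom, unresolved

def sbom_to_csv(sbom):
    """Flatten components to the review CSV: name, version, type, purl, licenses, bom-ref."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["name", "version", "type", "purl", "licenses", "bom-ref"])
    for c in sbom.get("components", []):
        writer.writerow([c.get("name", ""), c.get("version", ""), c.get("type", ""),
                         c.get("purl", ""), "; ".join(license_strings(c)), c.get("bom-ref", "")])
    return buf.getvalue()
```

Running resolve_licenses on the sample leaves only the @openclaw package unresolved, matching the "unresolved" report behaviour described for private registries.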
| File | Purpose |
|---|---|
| deploy/sbom/resolve_licenses.py | License resolution script |
| deploy/sbom/sbom_to_csv.py | JSON-to-CSV converter |
| tasks/sbom.toml | Mise task definitions |
| mise.toml | Syft tool definition (under [tools]) |
| Task | Command |
|---|---|
| Full pipeline | mise run sbom |
| Generate only | mise run sbom:generate |
| Resolve licenses | mise run sbom:resolve |
| Export CSV | mise run sbom:csv |
| CI license check | mise run sbom:check |
| Process external SBOM | uv run python deploy/sbom/resolve_licenses.py <file> |