
SPDX license and copyright information

Open XVilka opened this issue 2 years ago • 6 comments

Currently Ghidra uses the full license text in all files, while a lot of FOSS and proprietary software has standardized the license and copyright information in the form of more succinct SPDX headers. Today, they are also an ISO/IEC 5962:2021 standard.

// SPDX-FileCopyrightText: © {$year_of_file_creation} {$name_of_copyright_holder} <{$contact}>
// SPDX-License-Identifier: {$license_name}

For example, a header could look like this:

//  SPDX-FileCopyrightText: 2019 National Security Agency <[email protected]>
//  SPDX-License-Identifier: Apache-2.0

Moreover, you could set up both internal and GitHub CI jobs to check if everything is correct.

The SPDX format is very helpful in producing license reports and an SBOM (Software Bill of Materials); see e.g. https://spdx.dev/spdx-examples-repo/

Read more at https://reuse.software/tutorial/. Tools are:

  • https://github.com/fsfe/reuse-tool
  • https://reuse.readthedocs.io/en/stable/usage.html

XVilka avatar Oct 21 '21 04:10 XVilka
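As an added illustration of the CI check suggested in the post above (example code, not Ghidra's and not the reuse-tool's): a small Python lint that reads the top of each source file, requires both SPDX tags, and rejects license identifiers outside a project allow-list. The allow-list, the 20-line header window and the file suffixes are assumptions for the example; in a real pipeline `reuse lint` does the same job more completely against the full SPDX license list.

```python
"""SPDX header lint for a CI gate (added example, not Ghidra code).

Checks that each source file starts with SPDX-FileCopyrightText and
SPDX-License-Identifier tags and that every license identifier in the
expression is on the project's allow-list.
"""
import re
import sys
from pathlib import Path

# Assumed allow-list for the example; a real project would generate this
# from its licensing policy.
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause"}

# REUSE puts headers at the top of the file, so only the first lines are
# inspected (window size is an assumption).
HEADER_LINES = 20

COPYRIGHT_RE = re.compile(r"SPDX-FileCopyrightText:\s*(?P<text>\S.*)")
LICENSE_RE = re.compile(r"SPDX-License-Identifier:\s*(?P<expr>\S.*)")


def _license_ids(expr):
    """Split a simple SPDX expression ('Apache-2.0 OR MIT') into identifiers.

    Trailing comment closers ('*/', '-->') on the same line are dropped.
    Exceptions ('WITH ...') are not modelled here.
    """
    expr = re.sub(r"\s*(\*/|-->)\s*$", "", expr.strip())
    return [tok.strip("()") for tok in re.split(r"\s+(?:AND|OR)\s+", expr)
            if tok.strip("()")]


def check_header(text):
    """Return a list of problems for one file's text; an empty list means OK."""
    head = "\n".join(text.splitlines()[:HEADER_LINES])
    problems = []
    if not COPYRIGHT_RE.search(head):
        problems.append("missing SPDX-FileCopyrightText")
    m = LICENSE_RE.search(head)
    if not m:
        problems.append("missing SPDX-License-Identifier")
    else:
        for lic in _license_ids(m.group("expr")):
            if lic not in ALLOWED_LICENSES:
                problems.append(f"license not in allow-list: {lic}")
    return problems


def check_tree(root, suffixes=(".java", ".c", ".h", ".py")):
    """Walk a directory; return {relative path: problems} for failing files."""
    root = Path(root)
    failures = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            probs = check_header(path.read_text(encoding="utf-8", errors="replace"))
            if probs:
                failures[str(path.relative_to(root))] = probs
    return failures


# Constructed sample inputs for demonstration.
GOOD = """\
//  SPDX-FileCopyrightText: 2019 National Security Agency
//  SPDX-License-Identifier: Apache-2.0
package ghidra.app;
"""
BLOCK_COMMENT = "/* SPDX-FileCopyrightText: 2019 Example */\n/* SPDX-License-Identifier: MIT */\n"
BAD_LICENSE = "// SPDX-FileCopyrightText: 2019 Example\n// SPDX-License-Identifier: GPL-3.0-only\n"
NO_HEADER = "package ghidra.app;\n"

if __name__ == "__main__":
    # Usage: python spdx_lint.py <source-root>; exits non-zero on any failure.
    failures = check_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, probs in failures.items():
        print(f"{path}: {'; '.join(probs)}")
    sys.exit(1 if failures else 0)
```

Run it as a CI step with the repository root as the argument; a non-zero exit fails the job, and the printed lines name the offending file and tag.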

Thanks, I'm looking into this now. Our current motivation is focused more on producing an SBOM than licensing, but it's good to know SPDX has that covered too. I am currently gravitating towards CycloneDX because the JSON format seems favorable. Do you have any experience with that standard?

ryanmkurtz avatar Mar 14 '22 14:03 ryanmkurtz

@ryanmkurtz sorry, didn't notice your message. No, not familiar with the CycloneDX but after checking the specification it also looks fine. Less mainstream than SPDX but better than nothing anyway 👍

XVilka avatar Mar 24 '22 17:03 XVilka

Our current motivation is focused more on producing an SBOM than licensing, but it's good to know SPDX has that covered too

Slightly off-topic, FWIW, if your focus is a proper list of third-party packages, then a Package URL could be enough https://github.com/package-url (disclosure: I discovered these and I am also a co-founder of SPDX). Or for an ultra minimalist SBOM format that is sufficient and eventually complies with NTIA's minimum SBOM requirements see https://github.com/kissbom/kissbom-spec/issues/1 ;)

CycloneDX uses Package URLs as a key identifier and SPDX supports them too.

pombredanne avatar Apr 26 '22 12:04 pombredanne

We've included a CycloneDX SBOM in our latest release. It is generated as part of our build processes. I've found it very useful in conjunction with Dependency-Track (for the jars I was able to generate a PURL for). Some don't have a pom.xml embedded in them so I wasn't sure how to get the group part of the PURL for those, but I would like to once I know how.

As for SPDX, I think it makes sense to use it for our licensing headers, but that likely isn't something we'd consider doing until we have a need to change every source file in the repo.

ryanmkurtz avatar Apr 26 '22 14:04 ryanmkurtz
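An added example (not Ghidra's build code) of the PURL derivation discussed in the comment above: Maven writes META-INF/maven/<groupId>/<artifactId>/pom.properties and pom.xml into the jars it builds, so the coordinates for pkg:maven/<group>/<artifact>@<version> can be read from there, with the groupId inherited from a <parent> element when the child POM omits it. A jar with neither file is returned as None so it can be flagged for manual coordinates instead of being given a guessed group. The sample jars are constructed in memory and their coordinates are illustrative.

```python
"""Derive a Package URL for a Maven-built jar from its embedded metadata.

Added example; not Ghidra's build tooling. Order of preference:
  1. META-INF/maven/*/*/pom.properties (groupId, artifactId, version)
  2. META-INF/maven/*/*/pom.xml (falls back to <parent> for group/version)
  3. None: no Maven metadata, caller must supply coordinates by hand.
"""
import io
import xml.etree.ElementTree as ET
import zipfile
from urllib.parse import quote

REQUIRED = ("groupId", "artifactId", "version")


def _parse_properties(text):
    """Parse the simple key=value subset of Java .properties Maven emits."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def _pom_coords(xml_bytes):
    """Extract (group, artifact, version) from a pom.xml, ignoring the POM namespace."""
    root = ET.fromstring(xml_bytes)

    def child(elem, tag):
        if elem is None:
            return None
        for c in elem:
            if c.tag.split("}")[-1] == tag:  # strip '{namespace}' prefix
                return c
        return None

    def text(elem, tag):
        c = child(elem, tag)
        return c.text.strip() if c is not None and c.text else None

    parent = child(root, "parent")
    group = text(root, "groupId") or text(parent, "groupId")
    artifact = text(root, "artifactId")
    version = text(root, "version") or text(parent, "version")
    if group and artifact and version:
        return group, artifact, version
    return None


def maven_coordinates(jar_bytes):
    """Return (groupId, artifactId, version) from the jar, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        for name in names:
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                p = _parse_properties(zf.read(name).decode("utf-8", "replace"))
                if all(k in p for k in REQUIRED):
                    return p["groupId"], p["artifactId"], p["version"]
        for name in names:
            if name.startswith("META-INF/maven/") and name.endswith("/pom.xml"):
                coords = _pom_coords(zf.read(name))
                if coords:
                    return coords
    return None


def purl_for_jar(jar_bytes):
    """Build pkg:maven/<group>/<artifact>@<version>, percent-encoding each part."""
    coords = maven_coordinates(jar_bytes)
    if coords is None:
        return None
    group, artifact, version = coords
    return f"pkg:maven/{quote(group, safe='')}/{quote(artifact, safe='')}@{quote(version, safe='')}"


def _make_jar(entries):
    """Constructed test fixture: build a jar (zip) in memory from {name: data}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample jars (coordinates are illustrative, not real releases).
JAR_WITH_PROPS = _make_jar({
    "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
    "META-INF/maven/org.example/lib-a/pom.properties":
        "#Generated by Maven\nversion=3.12.0\ngroupId=org.example\nartifactId=lib-a\n",
})
JAR_POM_ONLY = _make_jar({
    "META-INF/maven/com.example/child/pom.xml":
        '<project xmlns="http://maven.apache.org/POM/4.0.0"><parent>'
        '<groupId>com.example</groupId><version>1.0.0</version></parent>'
        '<artifactId>child</artifactId></project>',
})
JAR_NO_METADATA = _make_jar({
    "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
    "a/B.class": b"\xca\xfe\xba\xbe",
})
```

Jars that come back as None are exactly the ones the comment mentions; for those the group has to come from outside the jar (the dependency declaration, the download URL, or a Maven Central lookup by artifact name and hash), and the SBOM generator should record that the coordinates were supplied manually.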

Some don't have a pom.xml embedded in them so I wasn't sure how to get the group part of the PURL for those, but I would like to once I know how.

tell me if I can help

pombredanne avatar Apr 26 '22 14:04 pombredanne

@pombredanne i opened a new issue to discuss PURL related things (#4197) so this issue can remain focused on supporting SPDX.

ryanmkurtz avatar Apr 26 '22 16:04 ryanmkurtz