
Here you can find tools, documents and information that will help you use the curation database and license your software compliantly. In addition, you can find a list of open tool requests and to dos. If you would like to contribute material or are missing something in particular, please contact us at info@osselot.org.

OSSelot binaries used for callgraphs and recursive dependency lists

To create callgraphs as well as recursive file and package dependency lists, it was necessary to build all OSSelot packages on a trial basis. For this purpose, these build scripts were used. It should be noted, however, that typical configurations were used that may differ from configurations used in a particular system. This applies, for example, to boot loaders and to the Linux kernel of embedded systems, which usually have a unique configuration and use significantly fewer and largely different components than here in a typical setup for 64-bit x86 processors. But many other programs and libraries are likely to have similar link relationships, regardless of the architecture for which they are developed.

Callgraph based tools and documents

Recursive forward and reverse linking lists across all binary files
  • Recursive forward linking (“File links with”) – HTML: Programs, Libraries, Both
  • Recursive forward linking (“File links with”) – JSON: Programs, Libraries, Both
  • Reverse linking (“File is linked from”) – HTML: Programs, Libraries, Both
  • Reverse linking (“File is linked from”) – JSON: Programs, Libraries, Both

Callgraphs and recursive link dependency lists of binary files built by all packages
  • Callgraphs – Embedded graphics (large document, single transfer): Programs, Libraries
  • Callgraphs – Linked graphics (small document, separate transfers): Programs, Libraries
  • Package dependencies – HTML: Programs, Libraries
  • Package dependencies – JSON: Programs, Libraries

Recursive link dependency lists of all packages
  • Without related ELF files – HTML, JSON
  • With related ELF files – HTML, JSON

Overview of all data generated from all packages
  • From binaries to source code provenance via link dependency and licenses – HTML, JSON

Interactive SBOM generator using callgraphs and source code provenance

Enter the name of a binary distribution file or package to search for a related OSSelot package with callgraphs. From the search result, a curated version of the package can then be selected, if any, to display all binaries that are provided by the package along with their callgraphs. By clicking on the package name in the header, a newly created merged SPDX document can be downloaded with a section of package relationships attached. If one or more binary files are selected using the checkbox to the left of their names, clicking on the link in the header creates a reduced merged SPDX document, taking into account only the source code files required to build the selected binaries (source code provenance). A slide set with some background information is available here.
  

Please note that some packages do not create ELF files from which callgraphs could be created.

Package based tools and documents

  • Disclosure documents search – Look for packages that may have already been curated and provide a list of applicable versions with links to the related disclosure documents.
      

    Please note that the disclosure document may need to be adapted to the actual file set of a binary software distribution, as some files (e.g. for testing or documentation) may not be included in the distribution and linked files are not considered. Instead, it may be better to use the above callgraph-based search to only consider distributed binaries.
  • Licenses search – Look for packages that may have already been curated and provide a list of applicable versions with links to display the licenses that are used by a particular version.
      

    Please note that – same as above – too many or too few licenses may be found for a particular binary software distribution. Instead, it may be better to use the above callgraph-based search to only consider distributed binaries.
  • SBOM selection search – Use the select box and search field below to define a data format and enter the name of a software package. Then select one of the available software versions to immediately run the REST interface for the given package and display the OSSelot curation data in a new window.
      

    Please note that – again same as above – too many or too few licenses may be found for a particular binary software distribution. Instead, it may be better to use the above callgraph-based search to only consider distributed binaries.

Glossary

Terms and concepts used throughout the OSSelot project are defined and explained in a glossary.

Open requests and to dos

  • Example script to integrate curation data in build process (see use case 3 in Presentations)
  • Patching FOSSology to include LicenseComments in report import