@dev-build-deploy/reuse-it

(ReUSE) Copyright and License management library

<!--
SPDX-FileCopyrightText: 2023 Kevin de Jong <monkaii@hotmail.com>
SPDX-License-Identifier: MIT
-->

# ReuseIt - Copyright and License Management Library

Creates an SPDX 2.3 Software Bill of Materials based on the provided files, per the [ReUSE Software specification].

> ⚠️ **NOTE** ⚠️
>
> ReuseIt (and its owner) are not part of a law firm and, as such, neither the owner nor the application provides legal advice.
> Using ReuseIt does not constitute legal advice or create an attorney-client relationship.
>
> ReuseIt is created for the aggregation of Copyright and License information provided by the users in the files stored in their repositories.
> In the end, the users of ReuseIt are responsible for the correctness of the generated Software Bill of Materials, the associated licenses, and attributions.
> For that reason, ReuseIt is provided on an "as-is" basis and makes no warranties regarding any information or licenses provided on or through it, and disclaims liability for damages resulting from using the application.
## Features

* Easy to use
* Create SPDX 2.3 Software Bill of Materials
* Leverage the [Reuse Software specification]

<!-- Hee hee, hid a comment block in here -->

## Basic Usage

```typescript
import { SoftwareBillOfMaterials } from "@dev-build-deploy/reuse-it";

// Create an empty Software Bill of Materials
const sbom = new SoftwareBillOfMaterials("Example Project", "Example Tool v0");

// Add associated (related) files
await sbom.addFile("src/spdx/sbom.ts");

// Show the results
console.log(JSON.stringify(sbom, null, 2));
```

<details><summary>Example output</summary>

This will result in an SPDX 2.3 SBoM:

```JSON
{
  "SPDXID": "SPDXRef-DOCUMENT",
  "spdxVersion": "SPDX-2.3",
  "documentNamespace": "http://spdx.org/spdxdocs/spdx-v2.3-45eae250-b782-46dd-9723-62ec3bed2a7c",
  "dataLicense": "CC0-1.0",
  "relationships": [
    {
      "spdxElementId": "SPDXRef-DOCUMENT",
      "relationshipType": "DESCRIBES",
      "relatedSpdxElement": "SPDXRef-26277ea6651754576f3b48212813e2c9c26e7464"
    }
  ],
  "files": [
    {
      "checksums": [
        {
          "algorithm": "SHA1",
          "checksumValue": "32ac7ea6fbf35e1a03662715a1a345ccc569d05d"
        }
      ],
      "fileContributors": [],
      "fileTypes": [],
      "licenseConcluded": "NOASSERTION",
      "licenseInfoInFiles": [
        "MIT"
      ],
      "attributionTexts": [],
      "fileName": "./src/spdx/sbom.ts",
      "SPDXID": "SPDXRef-26277ea6651754576f3b48212813e2c9c26e7464",
      "copyrightText": "2023 Kevin de Jong <monkaii@hotmail.com>"
    }
  ],
  "name": "Example Project",
  "creationInfo": {
    "comment": "Generated by Example Tool v0",
    "created": "2023-01-01T00:00:00.000Z",
    "creators": [
      "Tool: Example Tool v0"
    ]
  }
}
```

</details>

## Basic guidelines

### Adding licensing and copyright information to your file

Per the [ReUSE Software specification], you can cover your files with the following approaches:

- Adding a [comment header](https://reuse.software/spec/#comment-headers) in your files;

  <!-- REUSE-IgnoreStart -->
  ```yaml
  SPDX-FileCopyrightText: 2023 Kevin de Jong <monkaii@hotmail.com>
  SPDX-License-Identifier: MIT
  ```
  <!-- REUSE-IgnoreEnd -->

- Adding a `.license` file next to your (binary) files
- Using [DEP5](https://reuse.software/spec/#dep5), which allows for specifying copyright and licensing in bulk

_Please refer to the [Reuse specification] for more details._

> **NOTE**: Support for `.license` files is still under construction

### Use SPDX File Tags to enrich your Software Bill of Materials

To enrich your SPDX 2.3 SBOM, additional [File Tags](https://spdx.github.io/spdx-spec/v2.3/file-tags/) can be used to add information to each file. For example:

<!-- REUSE-IgnoreStart -->
```yaml
SPDX-FileCopyrightText: 2023 Kevin de Jong <monkaii@hotmail.com>
SPDX-FileType: DOCUMENTATION
SPDX-License-Identifier: MIT
SPDX-FileLicenseConcluded: MIT
SPDX-FileLicenseComments: This file is original work of the copyright holder, and therefor the license specified in the file is correct.
SPDX-FileComment: This file is part of the public documentation.
SPDX-FileContributor: Kevin de Jong
```
<!-- REUSE-IgnoreEnd -->

### Ignoring false positive matches

ReuseIt limits the number of false-positive hits by:

- Only scanning the first 1024 characters of your files
- Requiring that `SPDX-` tags are the first words on a line

In case you do run into a false-positive match, you can use the `REUSE-IgnoreStart` and `REUSE-IgnoreEnd` tags to ignore snippets.

```typescript
function foo(bar: string) {
  // REUSE-IgnoreStart
  if (bar.includes("SPDX-FileCopyrightText is important")) {
    console.log("Ru-roh");
  }
  // REUSE-IgnoreEnd
}
```

## Contributing

If you have suggestions for how `reuse-it` could be improved, or want to report a bug, open an issue! We'd love all and any contributions.

For more, check out the [Contributing Guide](CONTRIBUTING.md).

## License

- [MIT](./LICENSES/MIT.txt) © 2023 Kevin de Jong \<monkaii@hotmail.com\>

[ReUSE Software specification]: https://reuse.software/spec/
[Reuse specification]: https://reuse.software/spec/
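The two mechanisms described in the guidelines above, mapping SPDX file tags onto the SBOM `files` fields and the false-positive heuristics (scan only the first 1024 characters, accept a tag only as the first word on its line, skip `REUSE-IgnoreStart`/`REUSE-IgnoreEnd` regions), as an added TypeScript example. It is not reuse-it's own code and `extractFileInfo` is not the library's API: the set of comment leaders it tolerates before a tag is an assumption of this example, the sample file is constructed, and only the five tags that appear in the example output are mapped.

```typescript
// Added example, not part of @dev-build-deploy/reuse-it: a minimal header scanner
// that applies the README's false-positive heuristics and maps the SPDX file tags
// it finds onto the SBOM "files" fields shown in the example output.

const SCAN_WINDOW = 1024; // only the first 1024 characters of a file are inspected

// Subset of an SPDX 2.3 "files" entry that is populated from file tags
interface FileInfo {
  copyrightText: string;
  licenseInfoInFiles: string[];
  licenseConcluded: string;
  fileTypes: string[];
  fileContributors: string[];
}

// A tag counts only when it is the first word on its line, after optional whitespace
// and a comment leader. The leader set (// /* * # ; -- <!--) is an assumption of this
// example; a trailing "-->" or "*/" is stripped from the value.
const TAG_LINE =
  /^\s*(?:\/\/|\/\*|#|\*|;|--|<!--)?\s*(SPDX-[A-Za-z-]+):\s*(.*?)\s*(?:-->|\*\/)?\s*$/;

function extractFileInfo(content: string): FileInfo {
  const info: FileInfo = {
    copyrightText: "NOASSERTION",
    licenseInfoInFiles: [],
    licenseConcluded: "NOASSERTION",
    fileTypes: [],
    fileContributors: [],
  };

  let ignoring = false;
  for (const line of content.slice(0, SCAN_WINDOW).split(/\r?\n/)) {
    // REUSE-IgnoreStart / REUSE-IgnoreEnd bracket text that must not be scanned
    if (line.includes("REUSE-IgnoreStart")) { ignoring = true; continue; }
    if (line.includes("REUSE-IgnoreEnd")) { ignoring = false; continue; }
    if (ignoring) continue;

    const m = TAG_LINE.exec(line);
    if (!m) continue; // e.g. "SPDX-..." inside a string literal or mid-line
    const tag = m[1];
    const value = m[2] ?? "";
    switch (tag) {
      case "SPDX-FileCopyrightText": info.copyrightText = value; break;
      case "SPDX-License-Identifier": info.licenseInfoInFiles.push(value); break;
      case "SPDX-FileLicenseConcluded": info.licenseConcluded = value; break;
      case "SPDX-FileType": info.fileTypes.push(value); break;
      case "SPDX-FileContributor": info.fileContributors.push(value); break;
      default: break; // SPDX-FileComment and friends are not mapped in this example
    }
  }
  return info;
}

// Constructed sample file: a valid header, an ignored block quoting another
// licence identifier, and a string literal that merely looks like a tag.
const SAMPLE_SOURCE = [
  "// SPDX-FileCopyrightText: 2023 Example Author <author@example.com>",
  "// SPDX-License-Identifier: MIT",
  "// SPDX-FileType: SOURCE",
  "// SPDX-FileContributor: Example Contributor",
  "",
  "// REUSE-IgnoreStart",
  "// SPDX-License-Identifier: GPL-3.0-only   (quoted in docs, not this file's licence)",
  "// REUSE-IgnoreEnd",
  "",
  "export function foo(bar: string): boolean {",
  '  return bar.includes("SPDX-FileCopyrightText is important");',
  "}",
].join("\n");

console.log(JSON.stringify(extractFileInfo(SAMPLE_SOURCE), null, 2));
```

Running it (for example with `tsx` or `ts-node`) prints a `files`-style record whose `licenseInfoInFiles` contains only `MIT`: the GPL identifier sits inside the ignore block and the string literal is not the first word on its line. The window is cut before the content is split into lines, so a tag straddling the 1024-character boundary is dropped rather than half-read, which errs on the side of reporting less.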