Generate third-party attribution artifacts (NOTICE + "Third Party Licenses" HTML) from a CycloneDX JSON SBOM.
It is intended to be used in CI/CD to produce release artifacts that can be shipped alongside binaries/images.

By default, it writes:

- `third_party/THIRD_PARTY_LICENSES.html`: grouped by license, with license texts and a "used by" list. Based on cargo-about (default example available here).
- `third_party/NOTICE.md`: per-dependency copyright/notice block (only for deps that expose a copyright).
- `third_party/licenses/*.txt`: cached SPDX license texts.
1. Place the SBOM in `third_party/sbom`. By default, Assimilis looks for `third_party/sbom/<REPO_NAME>.cdx.json`. The SBOM must have this exact naming pattern.
2. Run Assimilis from your repository root:

   ```
   assimilis --repo-name <REPO_NAME>
   ```
```
NAME:
   assimilis - Generate OSS attribution files

USAGE:
   assimilis [global options] [command [command options]]

COMMANDS:
   version  Display version information
   help, h  Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --repo-name string        Name of the repository
   --html-template string    Override HTML template path (default: embedded)
   --notice-template string  Override NOTICE template path (default: embedded)
   --spdx-version string     SPDX license-list-data version/tag (default: "v3.27.0")
   --help, -h                show help
```

If a component uses a non-SPDX license ID or an unmapped license expression, Assimilis expects a corresponding license text file in `third_party/licenses/custom`.
Example:

```
third_party/licenses/custom/LicenseRef-<CUSTOM_LICENSE_NAME>.txt
```

If the text is missing, generation fails.
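A pre-flight check for the custom-license requirement above, as an added example that is not part of Assimilis: it walks the CycloneDX SBOM's `licenses` entries, collects every `LicenseRef-*` identifier (from license ids and SPDX expressions), and reports which ones have no `<ref>.txt` under `third_party/licenses/custom`, so a CI job can fail early with a clear message instead of at generation time. The mapping of a bare license `name` (no SPDX id) to `LicenseRef-<name>` is an assumption; the sample SBOM is constructed.

```python
"""Pre-flight check: every non-SPDX license in a CycloneDX JSON SBOM needs a
text file at third_party/licenses/custom/<LicenseRef-...>.txt before running
Assimilis. Added example, not part of the Assimilis project."""
import re
from pathlib import Path

def license_ref_for_name(name: str) -> str:
    # Assumption: a license given only by 'name' maps to LicenseRef-<name>,
    # with runs of non-alphanumerics collapsed to '-'. Adjust to your producer.
    return "LicenseRef-" + re.sub(r"[^A-Za-z0-9.]+", "-", name.strip()).strip("-")

def custom_license_refs(sbom: dict) -> set[str]:
    """Collect LicenseRef-* ids from each component's 'licenses' array:
    {"license": {"id"|"name": ...}} objects and {"expression": ...} strings."""
    refs: set[str] = set()
    for comp in sbom.get("components", []):
        for entry in comp.get("licenses", []):
            lic = entry.get("license")
            if lic is not None:
                if "id" in lic:
                    if lic["id"].startswith("LicenseRef-"):
                        refs.add(lic["id"])
                elif "name" in lic:
                    refs.add(license_ref_for_name(lic["name"]))
            expr = entry.get("expression")
            if expr:  # SPDX LicenseRef idstrings allow letters, digits, '.', '-'
                refs.update(re.findall(r"LicenseRef-[A-Za-z0-9.\-]+", expr))
    return refs

def missing_custom_license_texts(sbom: dict, custom_dir) -> list[str]:
    """Return (sorted) custom license refs with no <ref>.txt in custom_dir."""
    custom_dir = Path(custom_dir)
    return sorted(r for r in custom_license_refs(sbom)
                  if not (custom_dir / f"{r}.txt").is_file())

# Constructed sample SBOM (not a real project's); exercises all three shapes.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": "libalpha", "licenses": [{"expression": "MIT OR Apache-2.0"}]},
        {"name": "libbeta", "licenses": [{"license": {"id": "LicenseRef-Vendor-ISC"}}]},
        {"name": "libgamma", "licenses": [{"license": {"name": "Vendor EULA 2.1"}}]},
        {"name": "libdelta", "licenses": [{"expression": "LicenseRef-Proprietary AND MIT"}]},
    ],
}

if __name__ == "__main__":
    missing = missing_custom_license_texts(SAMPLE_SBOM, "third_party/licenses/custom")
    for ref in missing:
        print(f"missing license text: third_party/licenses/custom/{ref}.txt")
    raise SystemExit(1 if missing else 0)
```

In CI, replace `SAMPLE_SBOM` with the parsed `third_party/sbom/<REPO_NAME>.cdx.json` and run the script before `assimilis --repo-name <REPO_NAME>`.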
- Myrmica Lobicornis 🐜: Update and merge pull requests.
- Myrmica Aloba 🐜: Add labels and milestone on pull requests and issues.
- Messor Structor 🐜: Manage multiple documentation versions with Mkdocs.
- Lasius Mixtus 🐜: Publish documentation to a GitHub repository from another.
- Myrmica Bibikoffi 🐜: Close stale issues.
- Chalepoxenus Kutteri 🐜: Track a GitHub repository and publish on Slack.
- Myrmica Gallienii 🐜: Keep forks synchronized.