Bompare, a tool to compare the Software Bill-of-Materials from multiple sources

Usage

The bompare tool can be used to compare generated bill-of-materials files to identify differences between sources. Comparison is either between the libraries identified by various sources, or on the licenses for the libraries identified by all sources in the comparison. Outputs are CSV files with a column per source.

It currently reads:

• (Internal) reference format (BOM only)
• WhiteSource inventory JSON export format
• BlackDuck report export ZIP and directory format
• SPDX tag-value format with purl package references
• JK1 Gradle license report JSON format
• Tern JSON format
• Maven 3rd party license report TXT format
• NPM license-checker CSV format

To allow license comparison, it automatically transforms official license titles to SPDX identifiers, and allows customized translations using an external CSV file.

The executable is a multi-platform command line executable with built-in usage help. It should compile and run on OSX/Linux/Windows, but has been developed on OSX.

Building the executable

1. Install Dart 2.12.0 (or newer) SDK according to the instructions. E.g.:
   • OSX (Mac) using brew: brew tap dart-lang/dart and then brew install dart
   • Windows using Chocolatey: choco install dart-sdk
   • With docker docker run -it --rm -v $(pwd):/work -w /work google/dart ./build.sh
2. Globally install the coverage helper tooling: dart pub global activate coverage.
3. Install "lcov" coverage visualization tooling.
4. Run build.sh to run all tests and build a native executable called bompare.

If the coverage tools are installed, the build results in an update of the coverage badge and a static web site with coverage details.