Skip to content

Add SPDX SBOM for vendored native codec libraries#169

Open
esmadau wants to merge 1 commit into
Efferent-Health:masterfrom
esmadau:sbom-spdx-vendored-codecs
Open

Add SPDX SBOM for vendored native codec libraries#169
esmadau wants to merge 1 commit into
Efferent-Health:masterfrom
esmadau:sbom-spdx-vendored-codecs

Conversation

@esmadau

@esmadau esmadau commented Jun 18, 2026

Copy link
Copy Markdown
Contributor

What

Adds a machine-readable SPDX 2.3 Software Bill of Materials at fo-dicom.Codecs.spdx.json that enumerates the third-party C/C++ codec libraries vendored into this repository, plus a short README note pointing to it.

Vendored components captured (versions as currently on master):

Component Version License Source
libijg 6b IJG https://www.ijg.org/files/jpegsrc.v6b.tar.gz
OpenJPEG 2.5.4 BSD-2-Clause https://github.com/uclouvain/openjpeg
CharLS 2.4.2 BSD-3-Clause https://github.com/team-charls/charls
OpenJPH 0.21.2 BSD-2-Clause https://github.com/aous72/OpenJPH

Why

These codecs are vendored — their source is copied under Native/Common/ and statically linked into Dicom.Native — so they are invisible to NuGet/Dependabot and were only tracked informally in LICENSE.txt. An SBOM gives a standards-based, machine-readable record of what is bundled, at which version, under which license, and from which source, which is increasingly expected for supply-chain security and license compliance.

SPDX was chosen because it is an open, vendor-neutral ISO/IEC 5962 standard. The file is consumable as-is by standard SBOM/SCA tooling and requires no repository-specific integration — it is just a static artifact in the tree.

Contributors are asked to keep the SBOM and LICENSE.txt in sync whenever a vendored codec is added, removed, or version-bumped.

Related: #168 (libijg -> libjpeg-turbo migration) changes one of the vendored
codecs listed here; the SBOM will need a follow-up to reflect that once #168 merges.

Note: opened as a draft for maintainer feedback on the approach and on the preferred SBOM file location/name.

The native imaging codecs are provided by third-party C/C++ libraries whose
source is vendored into this repository (under Native/Common/) and statically
linked into the Dicom.Native binary. Because they are not NuGet packages, they
are invisible to NuGet/Dependabot and were previously only tracked informally
in LICENSE.txt.

Add a machine-readable SPDX 2.3 SBOM (fo-dicom.Codecs.spdx.json) that
enumerates the vendored codecs with their versions, source download locations,
SPDX license identifiers, suppliers, package URLs (purl), and a STATIC_LINK
relationship to the top-level package:

- libijg 6b (IJG License)
- OpenJPEG 2.5.4 (BSD-2-Clause)
- CharLS 2.4.2 (BSD-3-Clause)
- OpenJPH 0.21.2 (BSD-2-Clause)

SPDX is an open ISO/IEC 5962 standard, so the file is consumable by standard
SBOM/SCA tooling without any repository-specific integration. A README note
points to the SBOM and asks contributors to keep it (and LICENSE.txt) in sync
when a vendored codec is added, removed, or version-bumped.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant