Add SPDX SBOM for vendored native codec libraries#169
Open
esmadau wants to merge 1 commit into
Open
Conversation
The native imaging codecs are provided by third-party C/C++ libraries whose source is vendored into this repository (under Native/Common/) and statically linked into the Dicom.Native binary. Because they are not NuGet packages, they are invisible to NuGet/Dependabot and were previously only tracked informally in LICENSE.txt. Add a machine-readable SPDX 2.3 SBOM (fo-dicom.Codecs.spdx.json) that enumerates the vendored codecs with their versions, source download locations, SPDX license identifiers, suppliers, package URLs (purl), and a STATIC_LINK relationship to the top-level package: - libijg 6b (IJG License) - OpenJPEG 2.5.4 (BSD-2-Clause) - CharLS 2.4.2 (BSD-3-Clause) - OpenJPH 0.21.2 (BSD-2-Clause) SPDX is an open ISO/IEC 5962 standard, so the file is consumable by standard SBOM/SCA tooling without any repository-specific integration. A README note points to the SBOM and asks contributors to keep it (and LICENSE.txt) in sync when a vendored codec is added, removed, or version-bumped.
This was referenced Jun 18, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Adds a machine-readable SPDX 2.3 Software Bill of Materials at
fo-dicom.Codecs.spdx.jsonthat enumerates the third-party C/C++ codec libraries vendored into this repository, plus a short README note pointing to it.Vendored components captured (versions as currently on
master):Why
These codecs are vendored — their source is copied under
Native/Common/and statically linked intoDicom.Native— so they are invisible to NuGet/Dependabot and were only tracked informally inLICENSE.txt. An SBOM gives a standards-based, machine-readable record of what is bundled, at which version, under which license, and from which source, which is increasingly expected for supply-chain security and license compliance.SPDX was chosen because it is an open, vendor-neutral ISO/IEC 5962 standard. The file is consumable as-is by standard SBOM/SCA tooling and requires no repository-specific integration — it is just a static artifact in the tree.
Contributors are asked to keep the SBOM and
LICENSE.txtin sync whenever a vendored codec is added, removed, or version-bumped.Related: #168 (libijg -> libjpeg-turbo migration) changes one of the vendored
codecs listed here; the SBOM will need a follow-up to reflect that once #168 merges.