Eclipse Disco

Tuesday, February 18, 2025 - 01:09 by Christian Wege
This proposal is in the Project Proposal Phase (as defined in the Eclipse Development Process) and is written to declare its intent and scope. We solicit additional participation and input from the community. Please login and add your feedback in the comments section.
Parent Project
Proposal State
Community Review
Background

Most tooling around SBOMs today focuses on creating SBOMs from source code. Few tools focus on consuming SBOMs and managing them at scale. This is what we want to address.

Scope

Eclipse Disco offers an application to manage Software Bills of Materials (SBOMs) for Free and Open Source Software components, providing a software supplier with a standard way of delivering licensing information for a software project. Eclipse Disco also offers APIs and a UI through which a software supplier can submit SBOMs in a standard exchange format for a given project. 

Upon receipt, each SBOM is validated automatically against a pre-defined schema. The portal supports project owners in managing open source license compliance through automated checks against policies and helps manage the fulfillment of the resulting license obligations.


Description

Eclipse Disco focuses on consuming SBOMs and on the actions that follow from their assessment. It is not meant to produce SBOMs from source code, since that is already well supported by other projects; SBOMs may, however, be created by combining imported SBOMs. Eclipse Disco comes with a license and policy database that helps a project owner assess FOSS licenses against self-configured use cases and understand the resulting license obligations. The content of this license and policy database is out of scope for Eclipse Disco (it will therefore ship empty except for some examples), since it depends on the local legal interpretation of FOSS licenses.
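As an added example (not code from Eclipse Disco or from mercedes-benz/disclosure-cli), the following Python sketches the consuming side described in Scope and Description: validate an incoming SBOM against a minimal schema and reject it if the check fails, assess each package's declared license against a policy database keyed by use case, derive the resulting obligations, flag proprietary and unasserted licenses, and combine several imported SBOMs into one document. The SPDX 2.3 JSON field names, the policy contents, the "LicenseRef-" heuristic for proprietary licenses, and the sample documents are all assumptions constructed for this example, not the project's exchange format or database.

```python
"""Added example (not Eclipse Disco or disclosure-cli code): ingest an SBOM,
validate its shape, evaluate each package's declared license against a
per-use-case policy, and merge several imported SBOMs into one document.
SPDX 2.3 JSON field names are an assumption about the exchange format; the
sample documents and the policy table below are constructed."""
import json

# Constructed sample SBOMs.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "example-app",
    "packages": [
        {"SPDXID": "SPDXRef-liba", "name": "liba", "versionInfo": "1.2.0", "licenseDeclared": "Apache-2.0"},
        {"SPDXID": "SPDXRef-libb", "name": "libb", "versionInfo": "0.9.1", "licenseDeclared": "GPL-3.0-only"},
        {"SPDXID": "SPDXRef-libc", "name": "libc-vendor", "versionInfo": "2.0", "licenseDeclared": "LicenseRef-Vendor-EULA"},
        {"SPDXID": "SPDXRef-libd", "name": "libd", "versionInfo": "3.1", "licenseDeclared": "NOASSERTION"},
    ],
})
SECOND_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "example-lib",
    "packages": [
        {"SPDXID": "SPDXRef-liba", "name": "liba", "versionInfo": "1.2.0", "licenseDeclared": "Apache-2.0"},
        {"SPDXID": "SPDXRef-libe", "name": "libe", "versionInfo": "4.0", "licenseDeclared": "MIT"},
    ],
})

REQUIRED_DOC_FIELDS = ("spdxVersion", "SPDXID", "name", "packages")
REQUIRED_PKG_FIELDS = ("SPDXID", "name", "versionInfo", "licenseDeclared")

# Hypothetical policy database keyed by use case: license -> (decision, obligations).
# In Disco this content is left to the adopter because it encodes a local legal view.
POLICY = {
    "distributed-binary": {
        "Apache-2.0": ("allow", ["attribution", "ship NOTICE file", "mark modified files"]),
        "MIT": ("allow", ["attribution"]),
        "GPL-3.0-only": ("review", ["source offer", "copyleft applies to derivative work"]),
    },
    "internal-tool": {  # not distributed: copyleft obligations are not triggered
        "Apache-2.0": ("allow", []), "MIT": ("allow", []), "GPL-3.0-only": ("allow", []),
    },
}


def validate(doc):
    """Schema check at ingest; returns a list of problems (empty means valid)."""
    problems = [f"document missing {f}" for f in REQUIRED_DOC_FIELDS if f not in doc]
    for i, pkg in enumerate(doc.get("packages", [])):
        problems += [f"packages[{i}] missing {f}" for f in REQUIRED_PKG_FIELDS if f not in pkg]
    return problems


def load_valid(sbom_json):
    """Parse and validate; reject the document rather than assess a partial one."""
    doc = json.loads(sbom_json)
    problems = validate(doc)
    if problems:
        raise ValueError("SBOM rejected: " + "; ".join(problems))
    return doc


def assess(sbom_json, use_case, policy=POLICY):
    """Return one decision per package for the given use case."""
    rules = policy[use_case]
    report = []
    for pkg in load_valid(sbom_json)["packages"]:
        lic = pkg["licenseDeclared"]
        if lic == "NOASSERTION":
            decision, obligations = "unknown-license", []  # needs manual clearing
        elif lic.startswith("LicenseRef-"):
            # Assumption: a non-SPDX-list identifier is flagged as proprietary
            # so it can be routed to a separate workflow.
            decision, obligations = "proprietary", []
        elif lic in rules:
            decision, obligations = rules[lic]
        else:
            decision, obligations = "no-policy", []  # a policy gap, not a pass
        report.append({"package": pkg["name"], "version": pkg["versionInfo"],
                       "license": lic, "decision": decision, "obligations": obligations})
    return report


def merge_sboms(sbom_jsons, name="merged"):
    """Combine imported SBOMs, de-duplicating packages by (name, version);
    the first occurrence wins."""
    seen, packages = set(), []
    for sbom_json in sbom_jsons:
        for pkg in load_valid(sbom_json)["packages"]:
            key = (pkg["name"], pkg["versionInfo"])
            if key not in seen:
                seen.add(key)
                packages.append(pkg)
    return {"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": name,
            "packages": packages}
```

Two design points carry over to a real deployment: a package whose license has no entry in the policy table yields "no-policy" rather than silently passing, so a gap in the (deliberately empty) database surfaces as a finding; and validation rejects the whole document instead of assessing the packages that happen to parse, so an incomplete SBOM cannot produce a partial but clean-looking report.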

Why Here?

We intend to add Eclipse Disco to the Eclipse SDV working group, since that is where we already have a community of potential users and contributors to Eclipse Disco. But since the project is so generic in nature, we wanted to add it to the technology domain.

Future Work

The project started with a focus on FOSS license compliance. We have already extended the scope to identifying proprietary licenses in imported SBOMs, which might lead to a broader SBOM management solution in the future. We want to increase the amount of automation and hence relieve developers and project owners of cognitive load. We want to broaden format support, e.g. to CycloneDX. We could add some integration with vulnerability management. We might better support SBOM consumers such as technology management.

Project Scheduling

Initial contribution of CLI source code in Q2 of 2025. Contribution of full system source code ca. Q3 of 2025.

Interested Parties

The Eclipse SDV working group is interested in adding this project to its project landscape. Bosch has announced interest in contributing to Disco.

Initial Contribution

Initial code is already published at mercedes-benz/disclosure-cli and should be moved to this project. However, this is only the CLI for the full system, which is going to be contributed as the next step.

Source Repository Type