Skip to main content
warning

There are pending German and international (PCT) patent applications with the publication numbers DE102023125012A1 and WO2025056772A1. In order to use the Innamark watermarker software in the form published here, a patent license is required in addition to the license for the software. See LICENSE for more information. In case of any questions or uncertainties, please contact us at innamark@isst.fraunhofer.de.

Software Bill of Materials (SBOM)

Innamark uses a Software Bill of Materials (SBOM) to track the components and dependencies used in the project. This includes dependencies directly used by Innamark and also tools and libraries used in the development process (e.g., linter). This SBOM is generated using the OSS Review Toolkit (ORT) in the common CycloneDX format. The SBOM is generated and analyzed as part of the GitHub CI pipeline and can be created locally as described on this page.

GitHub Workflows

We currently use three GitHub workflows related to the SBOM:

  • SBOM: Watermarker (sbom_watermarker.yml) — Runs the license gate and uploads the CycloneDX SBOM artifact
  • SBOM Release: Watermarker (sbom_release_watermarker.yml) — Builds the SBOM and attaches it to the GitHub Release
  • SBOM Scan: Watermarker (sbom_scan_watermarker.yml) — Runs the OSV vulnerability scan and uploads the report

Manual Generation

To generate the SBOM locally, you can use the following command in the root of the repository. It uses the ORT Docker image, while the results land in ort-results/.

Prerequisite: Clean Tree

Run these commands on a clean tree. If you have previously built the library, generated Kotlin/JS artifacts under watermarker/build/, clean them first:

cd watermarker && ./gradlew clean && cd ..

To generate the SBOM with its dependencies and optional vulnerability information, execute the following commands from the project root:

1. Analyzer: Extract Dependencies

docker run --rm -v "$PWD:/project" ghcr.io/oss-review-toolkit/ort:latest \
-P ort.analyzer.allowDynamicVersions=true \
-P ort.analyzer.enabledPackageManagers=GradleInspector \
analyze -i /project/watermarker -o /project/ort-results -f JSON

2. (Optional) Advisor: Check Vulnerabilities

docker run --rm -v "$PWD:/project" ghcr.io/oss-review-toolkit/ort:latest \
advise -i /project/ort-results/analyzer-result.json -o /project/ort-results -a OSV -f JSON

3. Reporter: Generate SBOM and WebApp Report

docker run --rm -v "$PWD:/project" ghcr.io/oss-review-toolkit/ort:latest \
report -i /project/ort-results/analyzer-result.json -o /project/ort-results \
-f CycloneDx,WebApp -O CycloneDX=output.file.formats=json

Output: ort-results/bom.cyclonedx.json and ort-results/scan-report-web-app.html (open in a browser to view vulnerabilities).