This is a snapshot of all the components and associated licenses used. It includes what is used to build EVE-OS and what is included in the EVE-OS images. The golang dependencies in deps-eve-xyz.csv are quite volumnious since they include the transitive closure of all of the packages and since different packages in that closure pull in different versions/hashes of other packages there are many instances where several versions/hashes of a package is included.

This snapshot is based on the EVE-OS release: 8.8.0

Scan code report
scancode-report.html
scancode-report.csv

Snyk report
deps-eve-880.csv

Final image / learn more about building process https://github.com/lf-edge/eve/blob/master/docs/BUILD.md

docker sbom lfedge/eve	docker scan lfedge/eve

docker sbom lfedge/eve

docker scan lfedge/eve

^{Syft v0.43.0}
^{✔ Loaded image}
^{✔ Parsed image}
^{✔ Cataloged packages [31 packages]}

^{[0006] WARN golang cataloger: failed to read buildinfo (file="/ipxe.efi"): unrecognized file format}
^{NAME VERSION TYPE}
^{apk-tools 2.12.1-r0 apk}
^{busybox 1.32.1-r3 apk}
^{ca-certificates-bundle 20191127-r5 apk}
^{coreutils 8.32-r2 apk}
^{glib 2.66.7-r1 apk}
^{gmp 6.2.1-r0 apk}
^{gnutls 3.7.1-r0 apk}
^{libacl 2.2.53-r0 apk}
^{libaio 0.3.112-r1 apk}
^{libattr 2.4.48-r0 apk}
^{libblkid 2.36.1-r1 apk}
^{libcrypto1.1 1.1.1j-r0 apk}
^{libffi 3.3-r2 apk}
^{libintl 0.20.2-r2 apk}
^{libmount 2.36.1-r1 apk}
^{libssl1.1 1.1.1j-r0 apk}
^{libtasn1 4.16.0-r1 apk}
^{libtls-standalone 2.9.1-r1 apk}
^{libunistring 0.9.10-r0 apk}
^{musl 1.2.2-r0 apk}
^{nettle 3.7-r0 apk}
^{p11-kit 0.23.22-r0 apk}
^{pcre 8.44-r0 apk}
^{qemu-img 5.2.0-r2 apk}
^{s6-ipcserver 2.10.0.0-r0 apk}
^{skalibs 2.10.0.0-r0 apk}
^{ssl_client 1.32.1-r3 apk}
^{tar 1.33-r1 apk}
^{uboot-tools 2021.01-r0 apk}
^{utmps 0.1.0.0-r0 apk}
^{zlib 1.2.11-r3 apk}

^{Testing lfedge/eve...}

^{Package manager: apk}
^{Project name: docker-image|lfedge/eve}
^{Docker image: lfedge/eve}
^{Platform: linux/arm64}

^{✔ Tested 32 dependencies for known vulnerabilities, no vulnerable paths found.}

^{Note that we do not currently have vulnerability data for your image.}

^{For more free scans that keep your images secure, sign up to Snyk at https://dockr.ly/3ePqVcp}

Building process

Build Tools

The following are build tools used to create EVE images, their purpose and source:

linuxkit - build bootable operating system images by composing OCI images and raw files together. Used to create rootfs.img and rootfs_installer.img. Installed in build-tools/bin/
manifest-tool - create OCI v2 manifest images that can reference other images based on architecture or operating system. Enables a single image tag, e.g. lfedge/foo:1.2 to be resolved automatically to the actual image that works on the current architecture and operating system at run-time. Installed in build-tools/bin/
makerootfs.sh - call linuxkit to build a bootable image's filesystem, in tar format, for rootfs.img or rootfs_installer.img. Passes the resultant tar stream to a container from pkg/mkrootfs-squash or pkg/mkrootfs-ext4, depending on desired output format.
mkrootfs-squash or mkrootfs-ext4 - take a build rootfs from the previous step as stdin in tar stream format, customize it with a filesystem UUID and other parameters, and create a squashfs or ext4 filesystem.
makeflash.sh - take an input tar stream of several images, primarily rootfs.img and config.img. Create a file to use as an image of a target size or default. Passes the resultant tar stream to a container from pkg/mkimage-raw-efi.
mkimage-raw-efi - create an output file that represents an entire disk, with multiple partitions. By default, efi,imga,imgb,config,persist. The installer image creates only efi,img,config.
tools/makeconfig.sh - package up the provided directory, normally conf/ into a tar stream, and pass to a container from pkg/mkconf.
mkconf - combine the input tar stream with defaults in /conf/ from lfedge/eve-pillar into a new container image in /. Create a FAT32 disk image from it.
parse-pkgs.sh - determine the correct latest hash to use for all packages and higher-order components. See parse-pks.

Components

Name	Version	Component	Link	License
QEMU	5.1.0	https://github.com/lf-edge/eve/pkg/kvm-tools/Dockerf.5.1	https://www.qemu.org	GPL-2.0 QEMU as a whole is released under the GNU General Public License, version 2. Parts of QEMU have specific licenses which are compatible with the GNU General Public License, version 2. Hence each source file contains its own licensing information. Source files with no licensing information are released under the GNU General Public License, version 2 or (at your option) any later version. As of July 2013, contributions under version 2 of the GNU General Public License (and no later version) are only accepted for the following files or directories: bsd-user/, linux-user/, hw/misc/vfio.c, hw/xen/xen_pt*. The Tiny Code Generator (TCG) is released under the BSD license (see license headers in files). QEMU is a trademark of Fabrice Bellard.
Linux Kernel	5.10.121	https://github.com/lf-edge/eve/pkg/kernel/Dockerfile	https://www.kernel.org	GNU General Public License version 2 only (GPL-2.0)
XEN	4.15	https://github.com/lf-edge/eve/pkg/xen/Dockerfile	https://xenproject.org	GNU General Public License version 2 only (GPL-2.0)
abuild	3.7.0-r0	https://github.com/lf-edge/eve/blob/master/pkg/alpine/mirrors/3.13/main	https://git.alpinelinux.org/abuild/	GPL-2.0-only (GNU General Public License v2.0 only)
alpine-baselayout	3.2.0-r8	https://github.com/lf-edge/eve/blob/master/pkg/alpine/mirrors/3.13/main	https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout	GPL-2.0-only (GNU General Public License v2.0 only)
alpine-keys	2.4-r0	https://github.com/lf-edge/eve/blob/master/pkg/alpine/mirrors/3.13/main	https://pkgs.alpinelinux.org/package/v3.13/main/x86_64/alpine-keys	MIT
apk-tools	2.12.7-r0	https://github.com/lf-edge/eve/blob/master/pkg/alpine/mirrors/3.13/main	https://gitlab.alpinelinux.org/alpine/apk-tools	GPL-2.0-only (GNU General Public License v2.0 only)
argp-standalone	1.3-r4	https://github.com/lf-edge/eve/blob/master/pkg/alpine/mirrors/3.13/main	http://www.lysator.liu.se/~nisse/misc/	GPL-2.0-or-later (GNU General Public License v2.0 or later)
attr-dev	2.4.48-r0	https://github.com/lf-edge/eve/blob/master/pkg/alpine/mirrors/3.13/main	https://savannah.nongnu.org/projects/attr	LGPL-2.1 (GNU Lesser General Public License v2.1 only)
autoconf	2.69-r3	https://github.com/lf-edge/eve/blob/master/pkg/alpine/mirrors/3.13/main	https://www.gnu.org/software/autoconf/	GPL-2.0-or-later (GNU General Public License v2.0 or later)
autoconf-archive	2019.01.06-r0	https://github.com/lf-edge/eve/blob/master/pkg/alpine/mirrors/3.13/main	https://www.gnu.org/software/autoconf-archive/	GPL-3.0-or-later (GNU General Public License v3.0 or later)
automake	1.16.3-r0	https://github.com/lf-edge/eve/blob/master/pkg/alpine/mirrors/3.13/main	https://www.gnu.org/software/automake/	GPL-2.0-or-later (GNU General Public License v2.0 or later)
bash	5.1.16-r0	https://github.com/lf-edge/eve/blob/master/pkg/alpine/mirrors/3.13/main	https://www.gnu.org/software/bash/bash.html	GPL-3.0-or-later (GNU General Public License v3.0 or later)
bc	1.07.1-r1	https://github.com/lf-edge/eve/blob/master/pkg/alpine/mirrors/3.13/main	https://www.gnu.org/software/bc/bc.html	GPL-2.0-or-later (GNU General Public License v2.0 or later)
binutils-dev	2.35.2-r1	https://github.com/lf-edge/eve/blob/master/pkg/alpine/mirrors/3.13/main	https://www.gnu.org/software/binutils/	GPL-3.0-or-later (GNU General Public License v3.0 or later)
binutils-gold	2.35.2-r1	https://github.com/lf-edge/eve/blob/master/pkg/alpine/mirrors/3.13/main	https://www.gnu.org/software/binutils/	GPL-3.0-or-later (GNU General Public License v3.0 or later)
bison	3.7.4-r0	https://github.com/lf-edge/eve/blob/master/pkg/alpine/mirrors/3.13/main	https://www.gnu.org/software/bison/bison.html	GPL-3.0-or-later (GNU General Public License v3.0 or later)
bsd-compat-headers	0.7.2-r3	https://github.com/lf-edge/eve/blob/master/pkg/alpine/mirrors/3.13/main	https://alpinelinux.org	BSD-3-Clause (BSD-3-Clause "New" or "Revised" License)
build-base	0.5-r3	https://github.com/lf-edge/eve/blob/master/pkg/alpine/mirrors/3.13/main	https://dev.alpinelinux.org/cgit/	MIT
busybox	1.32.1-r9	https://github.com/lf-edge/eve/blob/master/pkg/alpine/mirrors/3.13/main	https://busybox.net	GPL-2.0-only (GNU General Public License v2.0 only)
ca-certificates	20220614-r0	https://github.com/lf-edge/eve/blob/master/pkg/alpine/mirrors/3.13/main	https://wiki.mozilla.org/CA	MPL-2.0 (Mozilla Public License, v2.0)
ca-certificates-cacert	20220614-r0	https://github.com/lf-edge/eve/blob/master/pkg/alpine/mirrors/3.13/main	https://wiki.mozilla.org/CA	MPL-2.0 (Mozilla Public License, v2.0)
cairo	1.16.0-r4	https://github.com/lf-edge/eve/blob/master/pkg/alpine/mirrors/3.13/main	https://cairographics.org	LGPL-2.1 (GNU Lesser General Public License v2.1 only)
cairo-dev	1.16.0-r4	https://github.com/lf-edge/eve/blob/master/pkg/alpine/mirrors/3.13/main	https://cairographics.org	LGPL-2.1 (GNU Lesser General Public License v2.1 only)
cmake	3.18.4-r1	https://github.com/lf-edge/eve/blob/master/pkg/alpine/mirrors/3.13/main	https://cmake.org	BSD-3-Clause-Clear (BSD-3-Clause Clear License)
coreutils	8.32-r2	https://github.com/lf-edge/eve/blob/master/pkg/alpine/mirrors/3.13/main	https://www.gnu.org/software/coreutils/	GPL-3.0-or-later (GNU General Public License v3.0 or later)
cryptsetup-dev	2.3.7-r0	https://github.com/lf-edge/eve/blob/master/pkg/alpine/mirrors/3.13/main	https://gitlab.com/cryptsetup/cryptsetup	GPL-2.0-or-later (GNU General Public License v2.0 or later)
curl	7.79.1-r2	https://github.com/lf-edge/eve/blob/master/pkg/alpine/mirrors/3.13/main	https://curl.se	MIT
curl-dev	7.79.1-r3	https://github.com/lf-edge/eve/blob/master/pkg/alpine/mirrors/3.13/main	https://curl.se	MIT
dev86	0.16.21-r1	https://github.com/lf-edge/eve/blob/master/pkg/alpine/mirrors/3.13/main	https://github.com/lkundrak/dev86/	GPL-2.0-or-later (GNU General Public License v2.0 or later)
dhcpcd	8.1.9-r0	https://github.com/lf-edge/eve/blob/master/pkg/alpine/mirrors/3.13/main	https://roy.marples.name/projects/dhcpcd/	BSD-2-Clause (BSD-2-Clause "Simplified" License)
diffutils	3.7-r0	https://github.com/lf-edge/eve/blob/master/pkg/alpine/mirrors/3.13/main	https://www.gnu.org/software/diffutils/	GPL-3.0-or-later (GNU General Public License v3.0 or later)
dmidecode	3.3-r0	https://github.com/lf-edge/eve/blob/master/pkg/alpine/mirrors/3.13/main	https://www.nongnu.org/dmidecode/	GPL-2.0-or-later (GNU General Public License v2.0 or later)
dosfstools	4.1-r1	https://github.com/lf-edge/eve/blob/master/pkg/alpine/mirrors/3.13/main	https://github.com/dosfstools/dosfstools	GPL-3.0-or-later (GNU General Public License v3.0 or later)
doxygen	1.9.1-r0	https://github.com/lf-edge/eve/blob/master/pkg/alpine/mirrors/3.13/main	https://www.doxygen.nl	GPL-2.0-or-later (GNU General Public License v2.0 or later)
dtc	1.6.0-r1	https://github.com/lf-edge/eve/blob/master/pkg/alpine/mirrors/3.13/main	https://git.kernel.org/pub/scm/utils/dtc/dtc.git/	GPL-2.0-or-later (GNU General Public License v2.0 or later)
dtc-dev	1.6.0-r2	https://github.com/lf-edge/eve/blob/master/pkg/alpine/mirrors/3.13/main	https://git.kernel.org/pub/scm/utils/dtc/dtc.git/	GPL-2.0-or-later (GNU General Public License v2.0 or later)
e2fsprogs	1.45.7-r0	https://github.com/lf-edge/eve/blob/master/pkg/alpine/mirrors/3.13/main	http://e2fsprogs.sourceforge.net	GPL-2.0-or-later (GNU General Public License v2.0 or later)
e2fsprogs-extra	1.45.7-r1	https://github.com/lf-edge/eve/blob/master/pkg/alpine/mirrors/3.13/main	http://e2fsprogs.sourceforge.net	GPL-2.0-or-later (GNU General Public License v2.0 or later)
elfutils-dev	0.182-r0	https://github.com/lf-edge/eve/blob/master/pkg/alpine/mirrors/3.13/main	https://sourceware.org/elfutils/	GPL-3.0-or-later (GNU General Public License v3.0 or later)
elfutils-libelf	0.182-r1	https://github.com/lf-edge/eve/blob/master/pkg/alpine/mirrors/3.13/main	https://sourceware.org/elfutils/	GPL-3.0-or-later (GNU General Public License v3.0 or later)
ethtool	5.10-r0	https://github.com/lf-edge/eve/blob/master/pkg/alpine/mirrors/3.13/main	https://mirrors.edge.kernel.org/pub/software/network/ethtool/	GPL-2.0-only (GNU General Public License v2.0 only)
file	5.39-r0	https://github.com/lf-edge/eve/blob/master/pkg/alpine/mirrors/3.13/main	https://www.darwinsys.com/file/	BSD-2-Clause (BSD-2-Clause "Simplified" License)
findutils	4.8.0-r0	https://github.com/lf-edge/eve/blob/master/pkg/alpine/mirrors/3.13/main	https://www.gnu.org/software/findutils/	GPL-3.0-or-later (GNU General Public License v3.0 or later)
flex	2.6.4-r2	https://github.com/lf-edge/eve/blob/master/pkg/alpine/mirrors/3.13/main	https://github.com/westes/flex	BSD-2-Clause (BSD-2-Clause "Simplified" License)
g++	10.2.1_pre1-r3	https://github.com/lf-edge/eve/blob/master/pkg/alpine/mirrors/3.13/main	https://gcc.gnu.org	GPL-2.0-or-later (GNU General Public License v2.0 or later)
gawk

SW Components and Licensing