NAME
SBOM::Raku - Raku specific SBOM functionality
SYNOPSIS
use SBOM::Raku;
say source-sbom("META6.json").JSON;
# {
# "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
# "bomFormat": "CycloneDX",
# "specVersion": "1.6",
# "version": 1,
# "metadata": {
# "timestamp": "2025-07-22T18:39:29.458604+02:00",
# ...
DESCRIPTION
The SBOM::Raku distribution provides logic for the creation and maintenance of SBOM (Software Bill Of Materials) files in the Raku Programming Language context.
SCRIPTS
source-sbom
$ source-sbom META6.json
Created 1 source SBOM
The source-sbom script expects at least one "META6.json" file to be specified. It will try to create source SBOM files for each of the "META6.json" files specified in tyeir sibling directory .META. If this is a newly created file, an attempt will be made to add it to the repository in which it is residing.
$ modernize-meta META6.json
Updated 1 META6.json file
The modernize-meta script expects at least one "META6.json" file to be specified. It will try to update the specified file(s) to match modern META specifications:
replace "depends" field with an array specification by a hash with extended specifications.
remove "build-dependencies" and "test-dependencies" and put any information in there into the "depends" hash
add "raku" field, take (and remove) "perl" field if there is any
remove "author" field: put any contents in the "authors" field array
remove empty array fields
add "support" field hash with at least a "bugtracker" field
move the "source-url" field to the "support" fueld hash
SELECTIVE IMPORTING
use SBOM::Raku <component>; # only import "component"
By default all utility functions are exported. But you can limit this to the functions you actually need by specifying the names in the use statement.
To prevent name collisions and/or import any subroutine with a more memorable name, one can use the "original-name:known-as" syntax. A semi-colon in a specified string indicates the name by which the subroutine is known in this distribution, followed by the name with which it will be known in the lexical context in which the use command is executed.
use String::Utils <component:comp>; # import "component" as "comp"
say comp |%args;
Apart from the subroutines provided by the SBOM::Raku distribution, it also possible to import the following subroutines from other packages, but which are used internally by SBOM::Raku:
| Package | importable subroutines |
|---|
| JSON::Fast | from-json, to-json |
| Identity::Utils | auth, build, meta, dependencies-from-meta, distribution-name, ecosystem, is-pinned, issue-tracker-url, raku-land-url, short-name, source-distribution-url, ver |
| String::Utils | after, before, describe-Version |
SUBROUTINES
authors
dd authors(from-json "META6.json".IO.slurp);
# (SBOM::Contact.new(|Map.new((:name("Jane Doe")))),)
The authors subroutine returns a List with SBOM::Contact objects for the authors of the JSON hash from a META6.json file.
component
say component("META6.json").JSON;
# {
# "type": "library",
# "mime-type": "text/plain",
# ...
my %meta-json = ...;
my $component = component(%meta-json);
The component subroutine returns a SBOM::Component for the given arguments.
The arguments can be either an IO::Path object (or a string that can be coerced to an IO::Path) to a file that contains Raku module meta information (usually called META6.json). Or a hash with arguments (in the META6.json format) to build an SBOM::Component object with.
component-hash
my %args := component-hash("META6.json");
# ... perform tweaks
my $component = SBOM::Component.new(|%args);
The component-hash subroutine returns a hash in the format needed to create an SBOM::Component object with, from a META6.json file (or a hash of that representation).
It's main intended use is to be able to tweak the arguments prior to making an SBOM::Component object.
my $contact = contact("Jane Doe");
The contact subroutine creates a unique SBOM::Contact object for the given string, providing from a cache if necessary.
licenses
dd licenses(from-json "META6.json".IO.slurp);
# (SBOM::License.new(|Map.new((:license(Map.new((:id("Artistic-2.0"))))))),)
The licenses subroutine returns a List with SBOM::License objects for the license(s) of the JSON hash from a META6.json file.
say metadata("META6.json").JSON;
# {
# "timestamp": "2025-07-22T18:52:04.686316+02:00",
# "lifecycles": [
# {
# "phase": "build"
# ...
my %meta-json = ...;
my $metadata = metadata(%meta-json);
The metadata subroutine returns a SBOM::Metadata for the given arguments.
The arguments can be either an IO::Path object (or a string that can be coerced to an IO::Path) to a file that contains Raku module meta information (usually called META6.json). Or a hash with arguments (in the META6.json format) to build an SBOM::Metadata object with.
my %args := metadata-hash("META6.json");
# ... perform tweaks
my $metadata = SBOM::Metadata.new(|%args);
The metadata-hash subroutine returns a hash in the format needed to create an SBOM::Metadata object with, from a META6.json file (or a hash of that representation).
It's main intended use is to be able to tweak the arguments prior to making an SBOM::Metadata object.
modernize-META6("META6.json"); # modernize in place
modernize-META6("META6.json", "modernized.json");
Read the META information at the path by the first positional argument and produce a modernized version at the path specified by the optional second argument (defaults to the first argument).
Optionally takes these named arguments, each taking a Callable to be executed when certain events take place:
| name | arguments |
|---|
| :changed | IO::Path of changed file |
| :error | IO::Path of file with error, error message |
This subroutine may have limited production value, but it's the workhorse of the modernize-meta script, so it's included here for convenience. For more info on the changes, see the documentation of the script.
produce-source-sbom
produce-source-sbom("META6.json"); # written to .META/SOURCE.cdx.json
produce-source-sbom("META6.json", ".META/SOURCE.cdx.json");
sub error($io, $error) { die "$io: $error }
produce-source-sbom("META6.json", :&error);
Read the META information at the path by the first positional argument and produce a source-sbom at the path specified by the optional second argument (defaults to ".META/SOURCE.cdx.json" in the same directory as the path of the first arguments).
If the file didn't exist before, it will be added to the repository if possible.
Optionally takes these named arguments, each taking a Callable to be executed when certain events take place:
| name | arguments |
|---|
| :created | IO::Path of created file |
| :updated | IO::Path of updated file |
| :error | IO::Path of file with error, error message |
This subroutine may have limited production value, but it's the workhorse of the source-sbom script, so it's included here for convenience.
Rakudo-component
my $comp = Rakudo-component;
Returns a SBOM::Component object representing the version of Rakudo is running.
source-sbom
say source-sbom("META6.json").JSON;
# {
# "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
# "bomFormat": "CycloneDX",
# "specVersion": "1.6",
# "version": 1,
# "metadata": {
# "timestamp": "2025-07-22T18:53:59.841267+02:00",
# ...
my %meta-json = ...;
my $sbom = source-sbom(%meta-json);
The source-sbom subroutine returns a SBOM::CycloneDX for the given arguments.
The arguments can be either an IO::Path object (or a string that can be coerced to an IO::Path) to a file that contains Raku module meta information (usually called META6.json). Or a hash with arguments (in the META6.json format) to build an SBOM::CycloneDX object with.
source-sbom-hash
my %args := source-sbom-hash("META6.json");
# ... perform tweaks
my $sbom = SBOM::CycloneDX.new(|%args);
The source-sbom-hash subroutine returns a hash in the format needed to create an SBOM::CycloneDX object with, from a META6.json file (or a hash of that representation).
It's main intended use is to be able to tweak the arguments prior to making an SBOM::CycloneDX object.
tar-sbom
my $sbom = tar-sbom("releases/SBOM-Raku-0.0.1.tar.gz");
The tar-sbom subroutine returns a SBOM::CycloneDX for the given path, which is expected to indicate a tar-file.
tar-sbom-hash
my %args := tar-sbom-hash("releases/SBOM-Raku-0.0.1.tar.gz");
# ... perform tweaks
my $sbom = SBOM::CycloneDX.new(|%args);
The tar-sbom-hash subroutine returns a hash in the format needed to create an SBOM::CycloneDX object with, from a tar-file that contains a META6.json file (or a hash of that representation). Apart from just creating the hash, it will also add crypto hashes for the tar-file to the component in the metadata.
It's main intended use is to be able to tweak the arguments prior to making an SBOM::CycloneDX object.
VM-component
my $comp = VM-component;
Returns a SBOM::Component object representing the value of $*VM that is currently set.
AUTHOR
Elizabeth Mattijsen liz@raku.rocks
Source can be located at: https://github.com/lizmat/SBOM-Raku . Comments and Pull Requests are welcome.
If you like this module, or what I’m doing more generally, committing to a small sponsorship would mean a great deal to me!
COPYRIGHT AND LICENSE
Copyright 2025 Elizabeth Mattijsen
This library is free software; you can redistribute it and/or modify it under the Artistic License 2.0.