Merge pull request #202 from aboutcode-org/improve-docs

CRAVEX-Docs: Improve docs for Getting Started purposes aboutcode-org/www.aboutcode.org#49

Author: DennisClark

docs/source/aboutcode-project-overview.rst

@@ -4,13 +4,45 @@
 AboutCode Project Overview
 ==========================
 
-The primary current AboutCode projects are:
+Primary AboutCode Projects
+--------------------------
 
 .. toctree::
    :maxdepth: 2
 
-   aboutcode-projects/scancode-toolkit-project
    aboutcode-projects/scancodeio-project
-   aboutcode-projects/scancode-workbench-project
    aboutcode-projects/vulnerablecode-project
+   aboutcode-projects/purldb-project
+   aboutcode-projects/scancode-toolkit-project
+   aboutcode-projects/scancode-workbench-project
+   aboutcode-projects/dejacode-project
+
+Supporting AboutCode Projects
+-----------------------------
+
+.. toctree::
+   :maxdepth: 2
+
+   aboutcode-projects/license-expression-project
+   aboutcode-projects/scancode-licensedb-project
+   aboutcode-projects/source-inspector-project
+   aboutcode-projects/python-inspector-project
+   aboutcode-projects/scancode-action-project
    aboutcode-projects/aboutcode-toolkit-project
+
+Getting Started
+---------------
+
+.. toctree::
+   :maxdepth: 2
+
+   getting-started/start-scanning-code
+
+   getting-started/manage-license-policies
+
+   getting-started/create-sboms
+
+   getting-started/consume-sboms
+
+   getting-started/cra-compliance
+

docs/source/aboutcode-projects/dejacode-project.rst

@@ -0,0 +1,33 @@
+.. _dejacode-project:
+
+DejaCode
+========
+
+`DejaCode <https://github.com/aboutcode-org/dejacode>`_: is a Cloud
+application server that automates open source license compliance and ensures
+software supply chain integrity. It is a comprehensive enterprise-level application,
+powered by `ScanCode <https://github.com/aboutcode-org/scancode-toolkit>`_,
+the industry-leading code scanner.
+
+* Run scans and track all the open source and third-party products and
+  components used in your software.
+* Apply usage policies at the license or component level,
+  integrate into ScanCode to ensure compliance.
+* Capture software inventories (SBOMs), generate compliance artifacts, and keep
+  historical data.
+* Ensure FOSS compliance with enterprise-grade features and integrations for DevOps
+  and software systems.
+* Scan a software package, simply by providing its Download URL, to get comprehensive
+  details of its composition and create an SBOM.
+* Load software package data into DejaCode with the integration for the open source
+  ScanCode.io and ScanCode Toolkit projects to create a product’s SBOM.
+* Track and report vulnerability tracking and reporting by integrating with the open
+  source VulnerableCode project.
+* Create, publish and share SBOM documents in DejaCode, including detailed attribution
+  documentation and custom reports in multiple file formats and standards, such as
+  CycloneDX and SPDX.
+
+Read more at: https://dejacode.readthedocs.io
+
+Get the code at: https://github.com/aboutcode-org/dejacode
+

docs/source/aboutcode-projects/license-expression-project.rst

@@ -0,0 +1,11 @@
+.. _license-expression-project:
+
+license-expression
+==================
+
+`license-expression <https://github.com/aboutcode-org/license-expression>`_:  is a
+comprehensive utility library to parse, compare, simplify and normalize license
+expressions (such as SPDX license expressions) using boolean logic.
+
+  - Read more at: https://github.com/aboutcode-org/license-expression
+  - Get the code at: https://github.com/aboutcode-org/license-expression/releases

docs/source/aboutcode-projects/purldb-project.rst

@@ -0,0 +1,26 @@
+.. purldb-project:
+
+PurlDB
+======
+
+`PurlDB <https://github.com/aboutcode-org/purldb>`_: is a set of
+tools to create and expose a database of purls (Package URLs). This project is
+sponsored by NLnet project https://nlnet.nl/project/vulnerabilitydatabase/ and
+nexB for https://www.aboutcode.org/
+
+The PurlDB tools include:
+
+* PackageDB that is the reference model (based on ScanCode toolkit) that contains
+  package data with PURL (Package URLs) being a first class citizen.
+* MineCode that contains utilities to mine package repositories
+* MatchCode that contains utilities to index package metadata and resources for
+  matching
+* MatchCode.io that provides package matching functionalities for codebases
+* ClearCode that contains utilities to mine Clearlydefined for package data
+* purldb-toolkit CLI utility and library to use the PurlDB, its API and various
+  related libraries.
+
+Read more at: https://purldb.readthedocs.io
+
+Get the code at: https://github.com/aboutcode-org/purldb
+

docs/source/aboutcode-projects/python-inspector-project.rst

@@ -0,0 +1,27 @@
+.. _python-inspector-project:
+
+python-inspector
+================
+
+`python-inspector <https://github.com/aboutcode-org/python-inspector>`_:
+is a collection of utilities to:
+
+- resolve PyPI packages dependencies
+
+- parse various requirements.txt files and setup.py files as input
+  for resolving dependencies.
+
+- parse various manifests and packages files such as
+  Pipfile, pyproject.toml, poetry.lock and setup.cfg and legacy and
+  current metadata file formats for eggs, wheels and sdist. These
+  have not been wired with the command line yet.
+
+- query PyPI JSON and simple APIs for package information
+
+It grew out of ScanCode-Toolkit to find and analyze PyPI archives and
+installed Python packages and their files.
+
+The goal of python-inspector is to be a comprehensive library
+that can handle every style of Python package layouts, manifests and lockfiles.
+
+ - Get the code at: https://github.com/aboutcode-org/python-inspector

docs/source/aboutcode-projects/scancode-action-project.rst

@@ -0,0 +1,10 @@
+.. _scancode-action-project:
+
+scancode-action
+===============
+
+`scancode-action <https://github.com/aboutcode-org/scancode-action>`_:  enables
+you to run ScanCode.io pipelines from your workflows.
+
+  - Read more at: https://github.com/aboutcode-org/scancode-action
+  - Get the code at: https://github.com/aboutcode-org/scancode-action/releases

docs/source/aboutcode-projects/scancode-licensedb-project.rst

@@ -0,0 +1,27 @@
+.. _scancode-licensedb-project:
+
+ScanCode LicenseDB
+==================
+
+`ScanCode LicenseDB <https://github.com/aboutcode-org/scancode-licensedb>`_:
+is a large free and open database of software licenses, in particular open-source
+software licenses, with over 2300 curated licenses texts and their metadata.
+
+LicenseDB is built from the ScanCode Toolkit license dataset. ScanCode Toolkit
+is a leading open source code scanner and license detection engine.
+
+LicenseDB is an essential reference license resource for license compliance and
+SBOMs. LicenseDB includes all the SPDX and OSI licenses together with an extended
+curated collection of other licenses and license metadata. These licenses are
+carefully reviewed and curated and continuously updated by an open community of
+contributors.
+
+LicenseDB is available as a web site at: https://scancode-licensedb.aboutcode.org/
+You can search the licenses by name, key and other attributes. The web site is updated
+daily by a GitHub action with updates from scancode-toolkit develop.
+
+LicenseDB is also available as a JSON or YAML API and a git repository
+making it easy to reuse and integrate in tools that need a database of reference
+software licenses.
+
+ - Get the code at: https://github.com/aboutcode-org/scancode-licensedb

docs/source/aboutcode-projects/source-inspector-project.rst

@@ -0,0 +1,11 @@
+.. _source-inspector-project:
+
+source-inspector
+================
+
+`source-inspector <https://github.com/aboutcode-org/source-inspector>`_:
+is a collection of utilities to inspect and analyze source code and collect interesting
+data using various tools such as code symbols, strings and comments.
+This is also a ScanCode-Toolkit plugin.
+
+ - Get the code at: https://github.com/aboutcode-org/source-inspector

docs/source/getting-started/consume-sboms.rst

@@ -0,0 +1,98 @@
+.. _consume-sboms:
+
+Use AboutCode to consume SBOMs from your suppliers
+==================================================
+
+You can use **ScanCode.io** to consume SBOMs from your suppliers. ScanCode.io will
+identify all the licenses associated with your codebase resources, highlighting the ones
+that need attention based on your policies. ScanCode.io also identifies and highlights
+software vulnerabilities.
+
+You can also use **DejaCode** to consume SBOMs from your suppliers, generally in the
+context of an SBOM that you intend to use in one of your own products.
+
+1. Install AboutCode Projects
+-----------------------------
+
+**Install ScanCode.io**
+
+https://scancodeio.readthedocs.io/en/latest/installation.html
+
+**Install DejaCode.**
+
+https://dejacode.readthedocs.io/en/latest/installation.html
+
+**Setup your own Dataspace in DejaCode**
+
+https://dejacode.readthedocs.io/en/latest/dataspace.html
+
+.. note::
+    Not ready to install your own instance of DejaCode? Consider taking a look at
+    the DejaCode public evaluation site to take a test drive, and if you have specific
+    requirements, you may also request a private SaaS evaluation dataspace.
+    See https://public.dejacode.com/account/register/
+
+Configure DejaCode to integrate with ScanCode.io. See
+
+https://dejacode.readthedocs.io/en/latest/application-settings.html#scancodeio
+
+**Install PurlDB**
+
+https://aboutcode.readthedocs.io/projects/PURLdb/en/latest/getting-started/install.html
+
+Configure DejaCode to integrate with your PurlDB instance. See:
+
+https://dejacode.readthedocs.io/en/latest/application-settings.html#purldb
+
+.. note::
+    Not ready to install your own instance of PurlDB? You can configure DejaCode to
+    integrate with the public version at https://public.purldb.io/
+
+**Install VulnerableCode**
+
+https://vulnerablecode.readthedocs.io/en/latest/installation.html#installation
+
+Configure Dejacode to integrate with your Vulnerablecode instance.
+
+https://dejacode.readthedocs.io/en/latest/dataspace.html#enable-vulnerablecodedb-service
+
+.. note::
+    Not ready to install your own instance of VulnerableCode? You can configure DejaCode
+    to integrate with the public version at https://public.vulnerablecode.io/
+
+
+2. Load Package Data from SBOMs to ScanCode.io
+----------------------------------------------
+
+Create a new Project in ScanCode.io .
+
+https://scancodeio.readthedocs.io/en/latest/user-interface.html#creating-a-new-project
+
+Load package data from one or more SBOMs to your Project using the load_sbom Pipeline.
+
+https://scancodeio.readthedocs.io/en/latest/built-in-pipelines.html#load-sbom
+
+Review the details in your ScanCode.io project.
+
+Export the results in the appropriate format to share with your team, such as CycloneDX
+and SPDX SBOMs.
+
+https://scancodeio.readthedocs.io/en/latest/output-files.html#output-files
+
+
+3. Import SBOM data to a DejaCode Product
+-----------------------------------------
+
+Create a new Product in DejaCode for comprehensive analysis and action.
+
+https://dejacode.readthedocs.io/en/latest/tutorial-1.html
+
+Load an SBOM to your Dejacode Product.
+
+https://dejacode.readthedocs.io/en/latest/tutorial-5-sboms.html#load-an-sbom-to-your-product
+
+Review and edit your Product in DejaCode. Enrich the data as needed.
+
+Generate Attribution and SBOMs from DejaCode Products.
+
+https://dejacode.readthedocs.io/en/latest/tutorial-5-sboms.html#tutorial-5-working-with-sboms-in-a-product

docs/source/getting-started/cra-compliance.rst

@@ -0,0 +1,11 @@
+.. _cra-compliance:
+
+Use AboutCode to support CRA compliance
+=======================================
+
+The AboutCode stack provides you with the tools you need to support CRA Compliance
+activities, including code scanning and analysis, license identification, vulnerability
+management, and SBOM generation.
+
+https://dejacode.readthedocs.io/en/latest/reference-3-cravex.html
+