SW360 is a software component catalogue application designed to provide a central hub for managing software components and their metadata.
Visit the official project homepage for more information.
A software component catalogue application.
SW360 is a Backend server with a REST API to maintain your projects / products and the software components within.
It can manage SPDX files for maintaining the license conditions and maintain license information.
It is comprised of one frontend (portal) part, backend (services) part and additionally a REST API:
- Backend: Tomcat-based thrift services for being called by different applications.
- Database: we store software components and metadata about them in CouchDB.
- Rest: this REST API provides access to project resources for external integration.
The reference platform is the Ubuntu server 22.04 (which is an LTS version).
This is a multi module maven file. please consider that we have the following modules:
- backend: For the thrift based services.
- libraries: For general stuff that is reused among the above, for example, couchdb access.
- scripts: Auxiliary scripts to help build, deploy and config system
- rest: For the REST API which contains an authorization and resource server.
If you run in any issues with documentation or software, please be kind and report to our GitHub issues area.
It is recommended to use the Docker-based setup, described here.
If you intend to install in a bare metal machine or use in your own virtualized system, bare metal instructions are provided here.
SW360 exposes several security flags that should be reviewed before production deployment.
HTTP Basic auth is disabled by default in production profiles. It can be enabled for local development and testing.
| Deployment | How to enable |
|---|---|
| Docker | Set SW360_SECURITY_HTTP_BASIC_ENABLED=true in config/sw360/.env.backend |
| Bare metal | Set sw360.security.http-basic.enabled=true in application.yml (or pass as JVM arg) |
| Spring profile | Activate the prod profile; it sets the flag to false. Omit prod for dev defaults. |
⚠️ Do not enable Basic auth in production. Use OAuth2/JWT (built-in authorization server or Keycloak) or API tokens instead.
| Profile | Purpose |
|---|---|
| (none / default) | Development defaults — Basic auth enabled, permissive settings |
prod |
Production overrides — Basic auth disabled |
Activate the production profile with:
# As JVM argument
-Dspring.profiles.active=prod
# Or as environment variable
export SPRING_PROFILES_ACTIVE=prodIf you intend to develop over SW360, few steps are needed as equal you need have base requirements
- Base build requirements
- Java 21
- Maven 3.8.7
- pre-commit
- thrift 0.20.0 runtime
- Python environment ( to pre-commit ) - SW360 use Eclipse formatting rules through Spotless maven plugin
If you can't install thrift 0.20 runtime, you will need the following requirements:
- C++ dev environment
- cmake Then run the current build script:
./third-party/thrift/install-thrift.shStep 1: Prepare source code
git clone https://github.com/eclipse-sw360/sw360.git
cd sw360
pip install pre-commit
pre-commit installPlease note that even partial or module-level Maven builds require deploy-related properties to be set due to enforced build rules.
At a minimum, the base.deploy.dir property must be provided pointing towards
your Tomcat's home directory, otherwise the build will fail.
This applies even when building individual modules (for example, libraries).
Step 2: Build the code
mvn package -P deploy \
-Dhelp-docs=false \
-DskipTests \
-Dbase.deploy.dir=$TOMCAT_HOMEIf you want to run the tests, we need start a local couchdb server and Docker is required:
SPDX-License-Identifier: EPL-2.0
This program and the accompanying materials are made available under the terms of the Eclipse Public License 2.0 which is available at https://www.eclipse.org/legal/epl-2.0/