onot

SBOM-based open source license notice (OSS Notice) generation tool

    onot is a compliance tool that automatically generates open source license notices from SBOM (Software Bill of Materials) documents. It reads SPDX, CycloneDX, and Excel SBOMs and produces HTML, Text, Markdown, and PDF notices. License texts are bundled, so it runs fully offline (air-gapped) and your SBOM never leaves the machine. It was jointly developed by SK Telecom and Kakao and released as open source.

    Project Information

    Key Features

    Multiple SBOM Inputs

    • SPDX 2.x support (JSON, YAML, Tag-Value, RDF)
    • CycloneDX support (JSON, XML)
    • Excel support
    • Automatic input-format detection by extension and content

    Multiple Output Formats

    • HTML, Text, Markdown, and PDF notices
    • Korean and English notices (--lang)
    • User configuration such as company info (onot.yaml)

    Fully Offline Operation and Multiple Form Factors

    • License texts are bundled, so it runs in air-gapped environments (the SBOM never leaves the machine)
    • Command-line interface (CLI)
    • Desktop app (Windows, macOS)
    • Local API sidecar

    Compliance Support

    • Automatic organization of license obligations
    • Copyright information aggregation
    • Indication of source code availability
    • Automatic determination of notice requirements

    Installation and Usage

    CLI Installation

    # Install from PyPI (add ,pdf for PDF output)
    pip install "onot[spdx,cyclonedx,excel,api]"
    
    # Or install from source
    git clone https://github.com/sktelecom/onot.git
    cd onot
    pip install -e .
    

    Desktop App

    No setup required. Download the Windows or macOS installer from Releases, open the app, and drop in an SBOM file to preview and download a notice.

    Basic Usage

    # Generate HTML and Markdown notices from an SBOM file (input format auto-detected)
    onot generate -i sbom.spdx.json -f html -f markdown --output-dir ./output
    
    # List supported output formats
    onot formats
    
    # Check the version
    onot version
    

    Main options

    • -f, --format: html, text, markdown, pdf (repeatable)
    • --lang: ko, en
    • --config: onot.yaml (company info, etc.)
    • --online: fetch missing license texts remotely (offline by default)
    • --stdout: write a single text format to standard output

    SBOM Document Example

    The following is an SPDX 2.3 JSON example. CycloneDX (JSON, XML) and Excel formats can be supplied the same way, and the input format is detected automatically.

    {
      "spdxVersion": "SPDX-2.3",
      "dataLicense": "CC0-1.0",
      "SPDXID": "SPDXRef-DOCUMENT",
      "name": "MyProject",
      "packages": [
        {
          "SPDXID": "SPDXRef-Package-1",
          "name": "express",
          "versionInfo": "4.18.2",
          "licenseConcluded": "MIT",
          "copyrightText": "Copyright (c) 2009-2014 TJ Holowaychuk",
          "downloadLocation": "https://registry.npmjs.org/express/-/express-4.18.2.tgz"
        }
      ]
    }
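
A pre-flight check for an SPDX 2.x JSON SBOM like the one above, as an added example (not onot's own code or API): it groups packages by license and lists entries whose license or copyright fields, which a notice depends on, are empty or `NOASSERTION`. The `example-lib-*` packages, the function name `audit_spdx`, and the fallback from `licenseConcluded` to `licenseDeclared` are assumptions made for illustration.

```python
import json
import sys

# Constructed sample: the page's "express" package plus two hypothetical
# packages (example-lib-a, example-lib-b) with incomplete license data.
SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "MyProject",
    "packages": [
        {"name": "express", "versionInfo": "4.18.2", "licenseConcluded": "MIT",
         "copyrightText": "Copyright (c) 2009-2014 TJ Holowaychuk"},
        {"name": "example-lib-a", "versionInfo": "1.0.0",
         "licenseConcluded": "NOASSERTION", "licenseDeclared": "Apache-2.0",
         "copyrightText": "NOASSERTION"},
        {"name": "example-lib-b", "versionInfo": "0.3.1",
         "licenseConcluded": "NOASSERTION"},
    ],
})

NO_LICENSE = {"", "NOASSERTION", "NONE"}   # SPDX values carrying no license
NO_COPYRIGHT = {"", "NOASSERTION"}         # NONE is a valid "no copyright" claim


def audit_spdx(doc_text):
    """Return (by_license, problems) for an SPDX 2.x JSON document."""
    doc = json.loads(doc_text)
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-2."):
        raise ValueError("not an SPDX 2.x JSON document")
    by_license, problems = {}, []
    for pkg in doc.get("packages", []):
        label = f'{pkg.get("name", "?")}@{pkg.get("versionInfo", "?")}'
        lic = pkg.get("licenseConcluded", "")
        if lic in NO_LICENSE:              # assumption: fall back to declared
            lic = pkg.get("licenseDeclared", "")
        if lic in NO_LICENSE:
            problems.append((label, "no usable license"))
        else:
            by_license.setdefault(lic, []).append(label)
        if pkg.get("copyrightText", "") in NO_COPYRIGHT:
            problems.append((label, "no copyright text"))
    return by_license, problems


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    groups, issues = audit_spdx(text)
    for lic, pkgs in sorted(groups.items()):
        print(f"{lic}: {', '.join(pkgs)}")
    for label, why in issues:
        print(f"REVIEW {label}: {why}")
    sys.exit(1 if issues else 0)
```

Run it with an SBOM path as the only argument; a non-zero exit status means at least one package needs review before a notice is generated.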
    

    License

    Apache License 2.0 - Commercial use allowed

    Resources