
Commit

README updates
SamuraiAku committed Sep 11, 2024
1 parent c9c656f commit 08c3b90
Showing 1 changed file with 15 additions and 1 deletion.
16 changes: 15 additions & 1 deletion README.md
Expand Up @@ -198,7 +198,7 @@ But in everyday use, very few people actually download from there. Instead Pkg d

Also not every analyst would find it useful to be directed to the repo and then be expected to figure out how to use git to extract the correct version. A straight download location could be easier for them.

The user can change the DownloadLocation to the package server through the use of the keyword use_packageserver when creating a spdxCreationData object (see example below)
The user can change the DownloadLocation to the package server through the use of the keyword `use_packageserver` when creating a spdxCreationData object (see example below)

```julia
spdxCreationData(use_packageserver= true)
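Review bot: The changed sentence now code-formats `use_packageserver` but leaves spdxCreationData as plain text, and it still ends without a period after "(see example below)". Suggest backticking the type name as well and closing the sentence, so both identifiers are presented the same way here and in the matching sentence added further down.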
Expand All @@ -213,6 +213,20 @@ If a valid package server URL cannot be determined, then the repository link wil

In all cases, the repository URL is documented in the HomePage field of the package description.

### Find the source code repository for artifacts used in JLLs

In the general case, it is impossible to find the source code of an artifact solely from the Julia package it is used in.

However probably the majority of artifacts in use today are wrapped inside Julia Linked Library (JLL) packages generated by [BinaryBuilder.jl](https://github.com/JuliaPackaging/BinaryBuilder.jl). This tool builds the artifacts using [Yggdrasil](https://github.com/JuliaPackaging/Yggdrasil) the Julia community build tree. BinaryBuilder then wraps the artifact inside an autogenerated Julia Linked Library (JLL) package. That registered package contains known sentence patterns and hyperlinks in its README back to the branch in Yggdrasil that generated the artifacts. PkgToSoftwareBOM can extract this information from the README and create an entry in the SBOM showing that the artifact was GENERATED_FROM Yggdrasil.

The user can optionally invoke this capability through the use of the keyword `find_artifactsource` when creating a spdxCreationData object (see example below)

```julia
spdxCreationData(find_artifactsource= true)
```

If PkgToSoftwareBOM cannot determine the source of an artifact, an entry will not be created.

## How does PkgToSoftwareBOM support mulitple registries?

The majority of users and developers only ever use the General registry and that is what PkgToSoftwareBOM defaults to to find package information.
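Review bot: The new JLL section says the GENERATED_FROM entry is built from sentence patterns and hyperlinks in the JLL package's README, but it does not say whether that link is checked against anything, so an SBOM consumer cannot tell how much weight to give the relationship. Suggest adding a sentence stating that the Yggdrasil reference is taken from the README as written, and stating the default value of `find_artifactsource` explicitly. Smaller points in the same paragraph: "Julia Linked Library (JLL)" is expanded twice, "Yggdrasil) the Julia community build tree" needs a comma before "the", and "However probably the majority" could be tightened. The unchanged heading below it also carries the typo "mulitple", which could be fixed in the same pass.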