TatML Software Bill of Materials (SBOM)

Overview

The TatML project includes a comprehensive Software Bill of Materials (SBOM) in SPDX 2.3 format (SBOM.spdx) that documents all components, dependencies, and licensing information for supply chain security and compliance.

Package Information

TatML v0.1.2

  • License: MIT License
  • Copyright: Copyright (c) 2025 TatML Project
  • Description: Tatting Markup Language - A domain-specific language for documenting tatting lace patterns

Dependencies

Runtime Requirements

  • Python 3.8+ (PSF-2.0 License)
    • Required for running TatML tools

Standard Library Modules

TatML uses only Python standard library modules - no external dependencies:

Module        Purpose                   Used In
re            Regular expressions       Lexer tokenization
enum          Enumerations              Token types, validation levels
dataclasses   Data structures           AST nodes, configuration
typing        Type hints                All modules for type safety
abc           Abstract base classes     AST node hierarchy
pathlib       File path handling        File operations
math          Mathematical functions    SVG diagram generation

Core Components

TatML Implementation Files

  1. tatml_lexer.py - Tokenizer for TatML source code
    • Converts TatML text into tokens
    • Handles keywords, identifiers, operators, comments
  2. tatml_parser.py - Abstract Syntax Tree builder
    • Parses tokens into structured AST
    • Validates syntax and structure
  3. tatml_validator.py - Pattern validation engine
    • Checks for impossible tatting patterns
    • Validates thread continuity and joins
  4. tatml_formatter.py - Text output generator
    • Converts patterns to human-readable instructions
    • Supports detailed and compact formats
  5. tatml_diagram.py - SVG diagram generator
    • Creates visual representations of patterns
    • Pure Python SVG generation (no external libraries)

Security & Compliance

Zero External Dependencies

  • No third-party packages required
  • No network dependencies
  • No binary dependencies
    • Reduces supply chain attack surface

License Compliance

  • MIT License for all TatML components
  • PSF-2.0 License for Python standard library
  • Compatible with commercial and open source use

SBOM Format

  • SPDX 2.3 standard format
  • Machine-readable for automated compliance tools
  • Includes file checksums and relationships
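Because the SBOM carries per-file checksums and SPDX relationships, a consumer can re-derive both from the checked-out tree and compare. The script below is an added example, not part of the TatML project or its SBOM.spdx: it parses the tag-value subset needed (SPDXID, FileName, FileChecksum, Relationship), recomputes SHA256 for each listed file, and flags Relationship lines whose SPDXIDs are never defined. The SBOM text, the file contents and the stand-in file names are constructed for the demo; the digest values are filled in at run time and are not those of the real files.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed SPDX 2.3 tag-value fragment shaped like the SBOM this page describes.
# demo() fills the two checksum placeholders; nothing here is copied from SBOM.spdx.
SAMPLE_SBOM = """\
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: TatML-SBOM-sample
PackageName: TatML
SPDXID: SPDXRef-Package-TatML
PackageVersion: 0.1.2
PackageLicenseConcluded: MIT
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-TatML
FileName: ./tatml_lexer.py
SPDXID: SPDXRef-File-lexer
FileChecksum: SHA256: {lexer_sha}
Relationship: SPDXRef-Package-TatML CONTAINS SPDXRef-File-lexer
FileName: ./tatml_parser.py
SPDXID: SPDXRef-File-parser
FileChecksum: SHA256: {parser_sha}
Relationship: SPDXRef-Package-TatML CONTAINS SPDXRef-File-parser
Relationship: SPDXRef-Package-TatML DEPENDS_ON SPDXRef-Package-Python
"""


def parse_spdx_tag_value(text):
    """Parse the subset of SPDX 2.3 tag-value used here.

    Returns (ids, files, relationships): the set of declared SPDXIDs, one dict per
    FileName entry with its checksums keyed by algorithm, and (source, type, target)
    tuples for every Relationship line.
    """
    ids, files, relationships = set(), [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag, _, value = line.partition(":")   # split only at the first colon
        tag, value = tag.strip(), value.strip()
        if tag == "SPDXID":
            ids.add(value)
        elif tag == "FileName":
            current = {"name": value, "checksums": {}}
            files.append(current)
        elif tag == "FileChecksum" and current is not None:
            algo, _, digest = value.partition(":")
            current["checksums"][algo.strip().upper()] = digest.strip().lower()
        elif tag == "Relationship":
            parts = value.split()
            if len(parts) == 3:
                relationships.append(tuple(parts))
    return ids, files, relationships


def verify_file_checksums(sbom_text, root):
    """Recompute SHA256 for every FileName entry under root and compare with the SBOM."""
    _, files, _ = parse_spdx_tag_value(sbom_text)
    report = {"ok": [], "mismatch": [], "missing": []}
    for entry in files:
        path = Path(root) / re.sub(r"^\./", "", entry["name"])
        if not path.is_file():
            report["missing"].append(entry["name"])
            continue
        expected = entry["checksums"].get("SHA256")
        actual = hashlib.sha256(path.read_bytes()).hexdigest()
        report["ok" if expected == actual else "mismatch"].append(entry["name"])
    return report


def dangling_relationships(sbom_text):
    """Return Relationship tuples whose source or target SPDXID is never declared."""
    ids, _, relationships = parse_spdx_tag_value(sbom_text)
    return [rel for rel in relationships if rel[0] not in ids or rel[2] not in ids]


def demo():
    """Build a constructed tree in a temp dir, with one file edited after the SBOM
    was produced, and run both checks against it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        lexer, parser = root / "tatml_lexer.py", root / "tatml_parser.py"
        lexer.write_bytes(b"# constructed stand-in for tatml_lexer.py\n")
        parser.write_bytes(b"# constructed stand-in, edited after the SBOM was produced\n")
        sbom = SAMPLE_SBOM.format(
            lexer_sha=hashlib.sha256(lexer.read_bytes()).hexdigest(),
            parser_sha=hashlib.sha256(b"# original parser contents\n").hexdigest(),
        )
        return verify_file_checksums(sbom, root), dangling_relationships(sbom)


if __name__ == "__main__":
    checksums, dangling = demo()
    print("checksums:", checksums)
    print("dangling relationships:", dangling)
```

The demo reports tatml_parser.py as a mismatch (its content changed after the checksum was recorded) and the DEPENDS_ON line as dangling because SPDXRef-Package-Python is referenced but never declared; a real SBOM would declare that package, so a finding like this points at a truncated or hand-edited document.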

SVG Generation Details

The diagram generator (tatml_diagram.py) creates SVG output using:

  • Pure Python string generation - no external SVG libraries
  • Math module for geometric calculations (ring positioning, arcs)
  • No image processing dependencies (PIL, Cairo, etc.)
  • No web dependencies (no external SVG renderers)

Verification

To verify the SBOM contents:

# Check Python version
python3 --version

# Verify no external dependencies (sys.stdlib_module_names needs Python 3.10+;
# importing the TatML modules first makes the check cover what they pull in)
python3 -c "import sys, tatml_lexer, tatml_parser, tatml_validator, tatml_formatter, tatml_diagram; print('External packages:', [p for p in sys.modules if '.' not in p and p != '__main__' and not p.startswith('tatml_') and p not in sys.stdlib_module_names])"

# Test TatML components
python3 -c "from tatml_lexer import TatMLLexer; print('✓ Lexer loads')"
python3 -c "from tatml_parser import TatMLParser; print('✓ Parser loads')"
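The one-liner above depends on sys.stdlib_module_names, which only exists from Python 3.10, while the SBOM lists Python 3.8+ as the runtime. The following is an added example, not TatML's own code, that checks the "zero external dependencies" claim on any supported interpreter: it imports a module afresh, diffs sys.modules, and classifies each newly loaded module by where it was loaded from (built-in/frozen or the sysconfig stdlib directories count as standard library, the project root as project code, anything else as external). The tatml_lexer.py it creates is a constructed stand-in that deliberately imports a constructed third-party module named fake_svg_lib, so the report shows what a violation looks like; the real lexer imports only the standard library.

```python
import importlib
import os
import sys
import sysconfig
import tempfile
from pathlib import Path


def _under(path, directory):
    """True when path lies inside directory, comparing resolved absolute paths."""
    return str(Path(path).resolve()).startswith(str(Path(directory).resolve()) + os.sep)


def classify_module(module, project_root):
    """Return 'stdlib', 'project', 'external' or 'unknown' from the module's load origin."""
    origin = getattr(getattr(module, "__spec__", None), "origin", None)
    if origin in ("built-in", "frozen"):
        return "stdlib"
    if not origin or not os.path.isabs(origin):
        return "unknown"  # namespace packages and synthetic modules carry no file
    paths = sysconfig.get_paths()
    if _under(origin, project_root):
        return "project"
    # On some distributions site-packages sits inside the stdlib directory,
    # so test the package directories before the stdlib ones.
    if any(_under(origin, paths[key]) for key in ("purelib", "platlib")):
        return "external"
    if any(_under(origin, paths[key]) for key in ("stdlib", "platstdlib")):
        return "stdlib"
    return "external"


def import_closure_report(module_name, project_root, search_paths=()):
    """Import module_name afresh and classify every module that import pulled in.

    Modules already present in sys.modules before the import are not reported,
    so run this in a fresh interpreter for a complete picture.
    """
    added = [p for p in search_paths if p not in sys.path]
    sys.path[:0] = added
    importlib.invalidate_caches()
    try:
        before = set(sys.modules)
        sys.modules.pop(module_name, None)
        importlib.import_module(module_name)
        new_names = (set(sys.modules) - before) | {module_name}
        report = {"stdlib": [], "project": [], "external": [], "unknown": []}
        for name in sorted(new_names):
            report[classify_module(sys.modules[name], project_root)].append(name)
        return report
    finally:
        for p in added:
            sys.path.remove(p)


def demo():
    """Constructed project tree: a stand-in tatml_lexer.py that, unlike the real
    one, imports a constructed third-party module so the check has something to flag."""
    with tempfile.TemporaryDirectory() as tmp:
        project, vendor = Path(tmp) / "project", Path(tmp) / "vendor"
        project.mkdir()
        vendor.mkdir()
        (project / "tatml_lexer.py").write_text(
            "import re\nimport enum\nimport dataclasses\nimport fake_svg_lib  # constructed\n"
        )
        (vendor / "fake_svg_lib.py").write_text("VERSION = '0.0'  # constructed stand-in\n")
        for name in ("tatml_lexer", "fake_svg_lib"):  # forget earlier runs
            sys.modules.pop(name, None)
        return import_closure_report("tatml_lexer", project, [str(project), str(vendor)])


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind:9s} {names}")
```

Against the real tree you would call import_closure_report("tatml_lexer", "/path/to/tatml") once per module listed in the SBOM and expect the "external" list to be empty; a non-empty list means either the SBOM is stale or something in the environment shadows a standard-library name, both of which are worth a look before trusting the "no third-party packages" entry.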

Usage for Compliance

The SBOM can be used for:

  • Supply chain security assessments
  • License compliance audits
  • Vulnerability scanning (though TatML has minimal attack surface)
  • Dependency tracking in larger systems
  • Open source compliance reporting

Updates

The SBOM is updated with each TatML version release. Current SBOM covers:

  • TatML v0.1.2 with mock rings and picot variations
  • All current dependencies and components
  • MIT licensing for the entire project

For the latest SBOM, see SBOM.spdx in the project root.