
Inventory of existing open source software license compliance tools

2022-06-09 12:10:00 InfoQ

| Source of the original text: The OpenChain Reference Tooling Work Group
| Translation: Liu Tiandong (Ted), Kaiyuan Society ONES (Open Source Strategy Research Group)
| Editor: Hu Xinyuan
| Design: Zhou Ying

Introduction

Open source software has eaten the world, yet enterprises are still struggling to achieve effective compliance. Open source software is heterogeneous and reusable; while this benefits software development, it poses a challenge for compliance. Compliance requires a variety of tools, which are best combined into a workflow that supports business and developer requirements. One of those requirements is ease of use in a modern development environment, where development cycles keep getting shorter and new work is put into production ever more quickly. To achieve that, open source compliance tools will likely need to be integrated with development tools.

In the report below we list a number of these tools, including their main licensing information, their website and a functional summary based on the project description. The purpose of this report is to outline the wide range of open source tools that people may use to help maintain their open source software compliance. The report is comprehensive, but not exhaustive. It includes free and open source software tools as well as some commercial tools. It also has a section on open source initiatives and development environments, because these are also important ways of moving towards automated open compliance with open tools and open data.

This report will be complemented by an ecosystem survey and practical testing of the most popular open source tools. It is part of the first work package of the Double Open project. For more details, see doubleopen.org.


Existing open source software license compliance tools
1、AboutCode Toolkit
「 Official website 」
AboutCode
https://www.aboutcode.org/
「 license 」
Apache-2.0
「 Abstract 」
AboutCode Toolkit and About documentation provide a simple way to document the provenance, license, usage and other important or interesting information about the third-party software components you use in your projects. In addition, the tool can generate attribution notices and identify the redistributable source code used in your project.

2、AboutCode Manager
「 Official website 」
AboutCode
https://www.aboutcode.org/
「 license 」
Apache-2.0
「 Abstract 」
AboutCode Manager provides an advanced visual user interface to help you quickly assess the licenses and other notices identified by ScanCode, and record your conclusions about the effective license of a component. AboutCode Manager is based on Electron and is the main desktop/UI tool for using nexB's AboutCode tools.

3、Apache Rat
「 Official website 」
Apache Rat
http://creadur.apache.org/rat/
「 license 」
Apache-2.0
「 Abstract 」
Apache Rat is a release audit tool, focused on licenses. It is written in Java and runs from the command line via Maven and Ant plugins. Rat is extensible. It is part of the Apache Creadur project.

4、Apache Tentacles
「 Official website 」
Apache Tentacles
http://creadur.apache.org/tentacles/
「 license 」
Apache-2.0
「 Abstract 」
Apache Tentacles helps reviewers by automatically interacting with the repository that contains the release artifacts. Apache Tentacles simplifies the task of reviewing a repository made up of a large number of artifacts. It is written in Java and runs from the command line.

5、Apache Whisker
「 Official website 」
Apache Whisker
http://creadur.apache.org/whisker/
「 license 」
Apache-2.0
「 Abstract 」
Apache Whisker assists assembled applications in maintaining correct legal documentation. Whisker can:
  • Verify -- check the quality of the metadata for a distribution
  • Generate -- generate legal documents from the metadata
It is especially useful for complex composite applications.

6、Bang
「 Official website 」
Bang
https://github.com/armijnhemel/binaryanalysis-ng
「 license 」
AGPL-3.0
「 Abstract 」
Binary Analysis Next Generation (BANG) is a tool for analyzing binary files. At present its main goal is to find out very quickly what is inside binary files, such as firmware updates, and to make the information extracted from the contents available for further analysis, such as license compliance, security research or component analysis. It supports about 130 different file formats.

7、Barista
「 Official website 」
Barista Open Source License and Vulnerability Management Tool
https://optum.github.io/barista/
「 license 」
Apache-2.0
「 Abstract 」
  • Developer focus: Barista is essentially a scanning tool used to detect open source components, licenses and potential vulnerabilities. It automatically creates and maintains an open source bill of materials, including multi-level dependencies.
  • Custom business rules: Barista administrators determine the responsibilities or tasks associated with each detected license, and assign the approval status of a project according to the deployment mode, the applicable licenses and the known vulnerabilities detected in its dependencies.
  • Cloud native architecture: Barista is designed for cloud native deployment environments, allowing managed flexibility and on-demand scaling.

8、Bubbly
「 Official website 」
Bubbly
https://github.com/valocode/bubbly/
「 license 」
MPL 2.0
「 Abstract 」
Bubbly is a release readiness platform that helps software teams confidently release software that meets requirements. Gain visibility into your release process through reporting and analysis to reduce risk, improve quality, shorten cycle time and drive continuous improvement.

9、CLA Assistant
「 Official website 」
CLA Assistant
https://github.com/cla-assistant/cla-assistant
「 license 」
Apache-2.0
「 Abstract 」
CLA Assistant helps handle the legal side of contributions to a repository by having contributors sign a Contributor License Agreement (CLA) on their pull requests. The CLA can be stored as a GitHub Gist file and then linked with the repositories/organizations that use CLA Assistant. Repository owners can review the list of users who signed the CLA for each release.

10、Cregit
「 Official website 」
Cregit
https://github.com/cregit/cregit
「 license 」
GPL-3.0
「 Abstract 」
Cregit identifies the contributors to source code. The Cregit version of a source file has two interactive features.
  • Mouse hover: you get a summary of the commit that added this token. The message contains
  • its commit id
  • its git-author (the value of the commit's Author field)
  • its git-author-date (the value of the commit's Author Date field)
  • the commit's summary log
  • Left click on a token: opens a new window showing the details of the commit (on GitHub). You can keep this window open; it will continually reload the file.

11、Deltacode
「 Official website 」
AboutCode
https://www.aboutcode.org/
「 license 」
Apache-2.0
「 Abstract 」
DeltaCode lets you easily compare the ScanCode scans of two versions of a package, component, code base or product to quickly identify possible changes, with a focus on identifying license changes. DeltaCode reports matched files and provides a score together with a list of the factors that affect the score. You can use DeltaCode and ScanCode to identify and track license changes between releases of open source or third-party packages or components.

12、Eclipse SW360
「 Official website 」
Eclipse SW360
https://projects.eclipse.org/projects/technology.sw360
「 license 」
EPL-1.0
「 Abstract 」
Eclipse SW360 is a software catalog application that aims to provide a central place for sharing information about the software components used by an organization. By providing independent backend services for different tasks and a set of portlets, it is designed to integrate cleanly into existing infrastructure for managing software artifacts and projects. It has connectors for interacting with external systems (such as code scanning tools). So far, the project has not yet provided download information.

13、Eclipse SW360antenna
「 Official website 」
Eclipse SW360
https://projects.eclipse.org/projects/technology.sw360.antenna
「 license 」
EPL-2.0
「 Abstract 」
Eclipse SW360antenna is a process tool that automates your open source license compliance as far as possible. In essence, for your project it
  • collects all compliance-related data,
  • processes this data and warns if there are any issues related to license compliance, and
  • generates a set of compliance artifacts (source code bundle, disclosure document, report).

14、Fossology
「 Official website 」
Fossology
https://www.fossology.org/
「 license 」
GPL-2.0
「 Abstract 」
Fossology is a tool for license, copyright and export control scanning. With one click you can generate an SPDX file, or a ReadMe file containing all the copyright notices of your software. It provides a Web UI and a database for the compliance workflow. To scan, packages must be uploaded to the server. The scanners provided are Monk, Nomos and Ninka. It keeps version control over scanned packages, so when a newer version of a previously scanned package is scanned, only the newly changed files are rescanned.

15、FOSSLight
「 Official website 」
FOSSLight
https://fosslight.org/
「 license 」
AGPL-3.0 and others
「 Abstract 」
FOSSLight is a comprehensive system that efficiently handles the open source compliance process. It provides:
  • Compliance workflow: it can handle open source compliance workflows.
  • Compliance center: you can manage everything about open source compliance, such as licenses, vulnerabilities and more.
  • Extensibility: it can be extended with additional functions (including FOSSLight Scanner or other plug-ins).

16、LDBCollector
「 Official website 」
LDBCollector
https://github.com/maxhbr/LDBcollector
「 license 」
BSD-3-Clause
「 Abstract 」
A small application that collects open source software license metadata and merges it.

17、License Compatibility Checker
「 Official website 」
license-compatibility-checker
https://github.com/HansHammel/license-compatibility-checker#readme
「 license 」
MIT
「 Abstract 」
Checks the license compatibility of the npm dependencies in package.json according to the SPDX standard. The project describes itself as a work in progress, but it already provides a simple comparison of the licenses in the packages, explains the degree of each license (Permissive > Weakly Protective > Strongly Protective > Network Protective), and uses a color chart to show potential incompatibilities.

18、Licensee.js
「 Official website 」
Licensee.js
https://github.com/jslicense/licensee.js
「 license 」
Apache-2.0
「 Abstract 」
Licensee.js is a command line tool for checking the license metadata of npm package dependencies against rules. It uses SPDX license expressions and whitelist data to catch packages under licenses other than those on the whitelist.

19、Ninka
「 Official website 」
Ninka
http://ninka.turingmachine.org/
「 license 」
GPL-2.0
「 Abstract 」
Ninka is a lightweight source code license identification tool. It is sentence-based and provides a simple way to identify the open source license in a source code file. It can identify dozens of different licenses (and their variants).

20、Opossum Tool
「 Official website 」
Opossum Tool
https://github.com/opossum-tool
「 license 」
Apache-2.0
「 Abstract 」
A lightweight application for auditing and inventorying open source license compliance in large code bases.
OpossumUI was developed to build a tool for managing and combining open source compliance data from different sources. Although existing software compliance analysis tools provide good information, their improved detection rates mean that using several such tools often results in large amounts of data. Even when results can be merged and noise filtered by automated tools, final manual editing is usually still necessary. Hence OpossumUI was born: a lightweight application for reviewing compliance information for large code bases. OpossumUI is a tool for the following tasks:
  • Discover the open source software used in an application.
  • Review licenses.
  • Generate reports from source code scans.

21、OSS Attribution Builder
「 Official website 」
OSS Attribution Builder
https://github.com/amzn/oss-attribution-builder
「 license 」
Apache-2.0
「 Abstract 」
OSS Attribution Builder is a website that helps teams create attribution files for software products.

22、OSS Discovery by OpenLogic
「 Official website 」
OSS Discovery
http://ossdiscovery.sourceforge.net/
「 license 」
GPL-3.0
「 Abstract 」
OSS Discovery finds open source software embedded in your applications and installed on your computers. It is a scanning tool that produces human-readable and machine-readable results.

23、OSS Review Toolkit ORT
「 Official website 」
ORT
https://github.com/heremaps/oss-review-toolkit
「 license 」
Apache-2.0
「 Abstract 」
ORT verifies FOSS license compliance by examining source code and dependencies. It works by analyzing source code dependencies, downloading the source code of those dependencies, scanning all source code for license information, and summarizing the results. The different tools that make up ORT are designed as libraries (for programmatic use) with a minimal command line interface (for scripting use). Currently the report formats are Excel spreadsheet, NOTICE file, static HTML and a Web App.

24、OSSPolice
「 Official website 」
OSSPolice
https://github.com/osssanitizer/osspolice
「 license 」
GPL-3.0
「 Abstract 」
OSSPolice is a risk assessment service for developers that can quickly identify potential free software license violations and known n-day security vulnerabilities.

25、Quartermaster Project QMSTR
「 Official website 」
QMSTR
https://qmstr.org/
「 license 」
GPL-3.0
「 Abstract 」
Quartermaster is a suite of command line tools and build system extensions that analyzes software builds in order to create FOSS compliance documentation and support compliance decisions. Quartermaster runs alongside the software build process. A master process collects information about the software build. Once the build is complete, the master process executes a number of analysis tools and finally some reporters. All modules run in the context of the master process, not on the build machine. The master ships the dependencies of all modules without affecting the build on the customer's file system (it runs in a container).

26、ScanCode.io and ScanPipe
「 Official website 」
ScanCode.io
https://scancodeio.readthedocs.io/en/latest/introduction.html#
「 license 」
Apache-2.0
「 Abstract 」
ScanCode.io is a server for scripting and automating the software composition analysis (SCA) process, to identify any open source components in an application code base along with their license compliance data. ScanCode.io can be used for a variety of use cases, such as composition analysis of Docker containers and virtual machines, among other applications.
ScanPipe is a developer-friendly framework and application that helps software analysts and engineers build and manage real-life software composition analysis projects as scripted pipelines.
ScanPipe provides a unified framework for implementing and organizing the infrastructure required for these software composition analysis projects.

27、ScanCode Toolkit
「 Official website 」
ScanCode
https://www.aboutcode.org/
「 license 」
Apache-2.0
「 Abstract 」
ScanCode is a suite of command line tools that reliably scan your code base for licenses, copyrights, package manifests and direct dependencies, as well as other interesting origin and license information found in source and binary code files. ScanCode provides comprehensive scan results that you can save as JSON, HTML, CSV or SPDX. As a command line application that returns JSON, ScanCode is easily integrated into code analysis pipelines and CI/CD.

28、SCANOSS
「 Official website 」
scanoss.com
https://www.scanoss.com/
「 license 」
GPL-2.0-or-later
「 Abstract 」
SCANOSS is the first free and open source SCA platform and open data OSS knowledge base. It implements SBOM generation in SPDX and CycloneDX, and detects the presence of open source at the snippet, file and component level. Its central component is a RESTful API based on the OpenAPI standard. It provides reference code for different languages and integrations with other tools. With SCANOSS you can implement component, file and snippet matching in any tool. The public knowledge base is called OSSKB and can be found at oskb.org. Scanning can be done securely and anonymously.

29、SPDX Tools
「 Official website 」
SPDX Tools
https://spdx.org/tools
「 license 」
Apache-2.0
「 Abstract 」
With a single download, the unified SPDX Workgroup tools provide translation, comparison and verification functions. The tool is a Java command line tool with the following functions:
  • TagToSpreadsheet - converts a tag format input file to a spreadsheet format output file
  • TagToRDF - converts a tag format input file to an RDF format output file
  • RdfToTag - converts an RDF format input file to a tag format output file
  • RdfToHtml - converts an RDF format input file to an HTML web page output file
  • RdfToSpreadsheet - converts an RDF format input file to a spreadsheet format output file
  • SpreadsheetToRDF - converts a spreadsheet input file to an RDF format output file
  • SpreadsheetToTag - converts a spreadsheet input file to a tag format output file
  • SPDXViewer - displays an SPDX document input file (tag/value or RDF format).
  • CompareMultipleSpdxDocs - compares multiple SPDX files (tag/value or RDF format) and outputs the result to a spreadsheet.
  • CompareSpdxDocs - compares two SPDX files (tag/value or RDF format).
  • GenerateVerificationCode - generates a verification code from a directory of files.

30、SPDX Maven Plugin
「 Official website 」
SPDX Maven Plugin
https://github.com/spdx/spdx-maven-plugin
「 license 」
Apache-2.0
「 Abstract 」
The SPDX Maven Plugin is a Maven plugin that generates SPDX (Software Package Data Exchange) files for the artifacts described in a POM file.

31、TraceCode toolkit
「 Official website 」
AboutCode
https://www.aboutcode.org/
「 license 」
Apache-2.0
「 Abstract 」
TraceCode Toolkit helps you determine which components are actually distributed or deployed for your product. This is essential information for determining your open source license obligations, because many of them are triggered by distribution or deployment. TraceCode Toolkit is a tool for analyzing builds and tracing execution, so you can learn which files are built into binaries and eventually deployed in the software you distribute.

32、Tern
「 Official website 」
Tern
https://github.com/vmware/tern
「 license 」
BSD-2-Clause
「 Abstract 」
Tern is a package inspection tool for containers, written in Python. It is an inspection tool that finds metadata for the packages installed in a container image. It does this in two steps.
  • It uses overlayfs to mount the first file system layer of the container image.
  • It then executes the scripts from the "command library" in a chroot environment to collect information about the packages installed in that layer.
  • Based on this information, it iterates steps 1 and 2 for the other layers in the container image.
  • Once that is done, it generates reports in different formats. The default report is a rough explanation of which layers bring in which software components. If a Dockerfile is given, it also shows which lines in the Dockerfile were used to create those layers.

33、Vulnerability Assessment Tool
「 Official website 」
Vulnerability Assessment Tool
https://github.com/SAP/vulnerability-assessment-tool
「 license 」
Apache-2.0
「 Abstract 」
The open source vulnerability assessment tool supports software development organizations in safely using open source components during application development. The tool analyzes Java and Python applications to detect whether they depend on open source components with known vulnerabilities, collects evidence about the execution of the vulnerable code in a specific application context (through a combination of static and dynamic analysis techniques), and supports developers in mitigating such dependencies. It thus addresses OWASP Top 10 security risk A9, using components with known vulnerabilities, which is often the root cause of data breaches.

Acknowledgement
This tool overview is a derivative work of the 「doubleOpen Overview」. The doubleOpen Overview is copyright doubleOpen and is licensed under the terms of 「CC-BY-4.0」. The doubleOpen Overview and this list will be kept in sync. If you find any new OSS-based compliance tools, please add them to the doubleOpen repo or to our GitHub repo. Please help us improve and complete the license compliance information for the currently available open source software tools.

Original text: Existing OSS licensed OSS license compliance tools

Copyright notice
This article was created by [InfoQ]; please include a link to the original when reposting. Thank you.
https://yzsam.com/2022/160/202206091124174332.html