licensed
ort
| licensed | ort | |
|---|---|---|
| 1 | 3 | |
| 967 | 1,475 | |
| 0.1% | 1.0% | |
| 7.1 | 9.9 | |
| 13 days ago | 7 days ago | |
| Ruby | Kotlin | |
| MIT License | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
licensed
ort
-
Microsoft open sources Salus software bill of materials (SBOM) generation tool
> Do HN got a recommendation for other CLI based SBOM generators?
Try ORT https://github.com/oss-review-toolkit/ort (full disclosure I am one of its maintainers and also a the lead of the SPDX Defects/Security Profile).
If people have questions on SBOMs, comparing SCA/SBOM tools or ORT - feel free to reach out to me https://github.com/tsteenbe/
ORT plug below ;-)
ORT is much more than a SBOM generator though, it's a cli/library that enables you to safely use, integrate, modify and redistribute third party software including FOSS.
You can use ORT to:
1. Generate CycloneDX or SPDX SBOMs for your software project
-
OPEN source alternative to whitesource
Depends if you are interested in both the license and security side of things. There are tools like ORT (https://github.com/oss-review-toolkit/ort) that are quite powerful but have a little learning curve. I also know about initiatives like OpenChain and Double Open (https://github.com/doubleopen-project/doubleopen-publications/blob/master/publication.md#double-open-landscape-survey) that have information available.
- OSS Review Toolkit: analyze dependencies of a project, download them, scan them for licenses, security advisories, and much more
What are some alternatives?
dependabot-core - 🤖 Dependabot's core logic for creating update PR's.
scancode-toolkit - :mag: ScanCode detects licenses, copyrights, dependencies by "scanning code" ... to discover and inventory open source and third-party packages used in your code. Sponsored by NLnet project https://nlnet.nl/project/vulnerabilitydatabase, the Google Summer of Code, Azure credits, nexB and others generous sponsors!
cargo-about - 📜 Cargo plugin to generate list of all licenses for a crate 🦀
renovate - Universal dependency automation tool.
licensee - A Ruby Gem to detect under what license a project is distributed.
dependency-track - Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
ThinkSharp.Licensing - Simple library with fluent API for creating and verifying signed licenses
barista - project barista - open source license and vulnerability management
tern - Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more.
awesome-open-source-licensing - Cool links, tools & papers related to Open Source Licensing
sbom-tool - The SBOM tool is a highly scalable and enterprise ready tool to create SPDX 2.2 compatible SBOMs for any variety of artifacts.