| | ort | orthw |
|---|---|---|
| | 3 | 1 |
| Stars | 1,495 | 11 |
| Growth | 1.3% | - |
| Activity | 9.9 | 5.9 |
| Latest commit | 5 days ago | 29 days ago |
| Language | Kotlin | Shell |
| License | Apache License 2.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
ort
-
Microsoft open sources Salus software bill of materials (SBOM) generation tool
> Does HN have a recommendation for other CLI-based SBOM generators?
Try ORT https://github.com/oss-review-toolkit/ort (full disclosure: I am one of its maintainers and also the lead of the SPDX Defects/Security Profile).
If people have questions on SBOMs, comparing SCA/SBOM tools, or ORT, feel free to reach out to me: https://github.com/tsteenbe/
ORT plug below ;-)
ORT is much more than an SBOM generator though; it's a CLI/library that enables you to safely use, integrate, modify and redistribute third-party software including FOSS.
You can use ORT to:
1. Generate CycloneDX or SPDX SBOMs for your software project
-
OPEN source alternative to whitesource
Depends if you are interested in both the license and security side of things. There are tools like ORT (https://github.com/oss-review-toolkit/ort) that are quite powerful but have a little learning curve. I also know about initiatives like OpenChain and Double Open (https://github.com/doubleopen-project/doubleopen-publications/blob/master/publication.md#double-open-landscape-survey) that have information available.
- OSS Review Toolkit: analyze dependencies of a project, download them, scan them for licenses, security advisories, and much more
orthw
-
Microsoft open sources Salus software bill of materials (SBOM) generation tool
6. Create a source code archive for your software project, including its dependencies, to comply with certain licenses or to have your own copy, as nothing on the internet is forever
ORT has been built over several years by an Open Source Program Office that got frustrated with the state of SCA/SBOM tools not being able to support license compliance properly, and with the 30+ build tools you can find in a lot of large organizations.
To get started with ORT on your local machine I recommend using https://github.com/oss-review-toolkit/orthw/.
What are some alternatives?
scancode-toolkit - :mag: ScanCode detects licenses, copyrights, dependencies by "scanning code" ... to discover and inventory open source and third-party packages used in your code. Sponsored by NLnet project https://nlnet.nl/project/vulnerabilitydatabase, the Google Summer of Code, Azure credits, nexB and other generous sponsors!
dependency-track - Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
renovate - Home of the Renovate CLI: Cross-platform Dependency Automation by Mend.io
barista - project barista - open source license and vulnerability management
tern - Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more.
sbom-tool - The SBOM tool is a highly scalable and enterprise ready tool to create SPDX 2.2 compatible SBOMs for any variety of artifacts.
fossology - FOSSology is an open source license compliance software system and toolkit. As a toolkit you can run license, copyright and export control scans from the command line. As a system, a database and web ui are provided to give you a compliance workflow. License, copyright and export scanners are tools used in the workflow.
spdx-license-matcher - A tool to match license text with the SPDX license list using an algorithm that finds close matches. It follows the SPDX Matching Guidelines to keep the substantial text as well as ignore the replaceable text for matching purposes.
licensed - A Ruby gem to cache and verify the licenses of dependencies
fosslight - FOSSLight Hub : Integrated management web-service for Open Source Compliance Process
awesome-open-source-licensing - Cool links, tools & papers related to Open Source Licensing