package-url

Open-source projects categorized as package-url

Top 10 package-url Open-Source Projects

  • dependency-track

    Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.

  • Project mention: Show HN: Pre-alpha tool for analyzing spdx SBOMs generated by GitHub | news.ycombinator.com | 2024-04-21

    I've become interested in SBOM recently, and found there were great tools like https://dependencytrack.org/ for CycloneDX SBOMs, but all I have is SPDX SBOMs generated by GitHub.

    I decided to have a go at writing my own Dependency-Track-esque tool aiming to integrate with the APIs GitHub provides.

    It's pretty limited in functionality so far, but it can give a high-level summary of the types of licenses your repository dependencies use, and let you drill down into potentially problematic ones.

    Written in NextJS + mui + sqlite, and using another project of mine to generate most of the API boilerplate/glue (https://github.com/mnahkies/openapi-code-generator)

  • scancode-toolkit

    ScanCode detects licenses, copyrights, and dependencies by "scanning code" to discover and inventory open source and third-party packages used in your code. Sponsored by NLnet project https://nlnet.nl/project/vulnerabilitydatabase, the Google Summer of Code, Azure credits, nexB and other generous sponsors!

  • Project mention: ScanCode: Scan license and packages, dependencies and origin information | news.ycombinator.com | 2023-08-11
  • purl-spec

    A minimal specification for purl, aka a package "mostly universal" URL. Join the discussion at https://gitter.im/package-url/Lobby

  • Project mention: Purl: A Simple Tool for Text Processing | news.ycombinator.com | 2024-04-12
  • vulnerablecode

    A free and open vulnerabilities database and the packages they impact, plus the tools to aggregate and correlate these vulnerabilities. Sponsored by NLnet https://nlnet.nl/project/vulnerabilitydatabase/ for https://www.aboutcode.org/. Chat at https://gitter.im/aboutcode-org/vulnerablecode. Docs at https://vulnerablecode.readthedocs.org/

  • cdxgen

    Creates CycloneDX Bill of Materials (BOM) for your projects from source and container images. Supports many languages and package managers. Integrate in your CI/CD pipeline with automatic submission to Dependency Track server. Slack: https://cyclonedx.slack.com/archives/C04NFFE1962

  • Project mention: Show devsecops: OWASP dep-scan v5 - a next-generation security and risk audit tool for everyone | /r/devsecops | 2023-12-05

    Today, it gives me great pleasure to announce OWASP dep-scan v5. Like everyone, I was constantly frustrated with the amount of false positives generated by all Software Composition Analysis tools (including mine) and wanted to do something. I worked closely with a few colleagues (Caroline, Tim, Saket, and David) for a year to build the various capabilities that together form depscan v5.

  • meta-package-manager

    🎁 wraps all package managers with a unifying CLI

  • Project mention: Writing a Package Manager | news.ycombinator.com | 2023-08-23

    Something like Meta Package Manager? https://github.com/kdeldycke/meta-package-manager

  • cyclonedx-maven-plugin

    Creates CycloneDX Software Bill of Materials (SBOM) from Maven projects

  • Project mention: Do You Need an SBOM? | dev.to | 2024-05-06

    There are a number of SBOM standards, but we'll focus on the CycloneDX standard here. CycloneDX grew out of the Open Web Application Security Project (OWASP), is licensed under Creative Commons Zero v1 (think a "public domain" license formulated to meet the laws of many countries), and is a widely known and respected standard.

  • cyclonedx-gradle-plugin

    Creates CycloneDX Software Bill of Materials (SBOM) from Gradle projects

  • scancode.io

    ScanCode.io is a server to script and automate software composition analysis pipelines with ScanPipe pipelines. This project is sponsored by NLnet project https://nlnet.nl/project/vulnerabilitydatabase/, Google Summer of Code, nexB and other generous sponsors!

  • cyclonedx-core-java

    CycloneDX SBOM Model and Utils for Creating and Validating BOMs

  • Project mention: Dependency inventory / dashboard for multiple maven projects | /r/java | 2023-06-08

NOTE: The open source projects on this list are ordered by number of GitHub stars. The number of mentions indicates repo mentions in the last 12 months or since we started tracking (Dec 2020).

Index

What are some of the best open-source package-url projects? This list will help you:

Project Stars
1 dependency-track 2,335
2 scancode-toolkit 1,979
3 purl-spec 621
4 vulnerablecode 473
5 cdxgen 453
6 meta-package-manager 438
7 cyclonedx-maven-plugin 273
8 cyclonedx-gradle-plugin 140
9 scancode.io 88
10 cyclonedx-core-java 68
