Skip to content

Latest commit

 

History

History
170 lines (109 loc) · 6.98 KB

README.md

File metadata and controls

170 lines (109 loc) · 6.98 KB

logo

OpossumUI: A compliance audit/review frontend.

OpossumUI is a tool to

  • discover open source software used in applications.
  • review licenses.
  • generate reports from an open source code scan.

Features

  • use of multiple scanners (open source and/or proprietary).
  • currently integrates with OSS Review Toolkit, FOSSLight and ScanCode.
  • unified interface for browsing scanner evidence.
  • simple navigation through the codebase’s file tree.
  • create attributions for individual files or groups.

License REUSE status GitHub release (latest by date) build workflow build workflow

screenshots_of_the_ui

Use Cases

  • A team performing audits for open source license compliance.
  • Producing legal docs such as inventory (BOMs) and license conflicts that need to be remediated.
  • OpossumUI can be used to visually inspect (QA) existing attributions, identify any false positives or incorrect attributions by manual selection and improve existing data.
  • To aid M&A due diligence activities. OpossumUI can be used by acquirers for blind audits of intellectual property, since only compliance-relevant metadata is exposed in the app without the need to ever share the source code.

Motivation

OpossumUI was developed with the goal to build a tool for managing and combining open source compliance data from different sources. While existing analysis tools for software compliance can provide good information, using multiple of such tools often leads to huge amounts of data due to an increased detection rate. Even though the results can be merged and noise can be filtered through automatic tools, final manual revisions are often necessary. So, OpossumUI was born: A light-weight app for review of compliance information for large codebases.

Integration in the ecosystem

To integrate well with different analysis tools, different converters are provided to generate input files in json format that can be opened with OpossumUI. After completing the review process with OpossumUI, the information can be outputted in different formats.

integration

Getting Started

Input files

To work with OpossumUI, an input file can be opened to visualize and edit license compliance data of a project. Input files typically have the file ending .opossum, while opening the deprecated file format that has the file ending .json is still supported. In this case the app will inform the user that the deprecated file format is automatically converted to the new file format.

Generating input files

Result files from ScanCode and SCANOSS can be converted into OpossumUI input files using opossum-tool/opossum.lib.hs. This tool can also generate OpossumUI input files from spdx and merge several OpossumUI input files.

Result files (yaml / json) from the OSS Review Toolkit can be converted into OpossumUI input files via a reporter. It uses metadata from the analyzer as well as scan results from the scanner. The implementation is in oss-review-toolkit/ort and the new reporter output is called Opossum.

For details of the file format, see file formats.

How to get and run OpossumUI

Check out our short getting started video:

click to play video

Get the latest release

Download the latest release for your OS from GitHub.

Running the app

Linux

AppImage

Run the executable OpossumUI-for-linux.AppImage.

Note that for ubuntu versions 22.04+ you will run into a sandboxing issue with app images (see this electron github issue for details). This can be circumvented by opening the application with the --no-sandbox flag:

./OpossumUI-for-linux.AppImage --no-sandbox

snap

Install the snap file locally using

snap install ./OpossumUI-for-linux.snap --dangerous

Open OpossumUI via the start menu of your distribution (should be in the development category) or by running

opossum-ui

from the command line

macOS

Run OpossumUI in OpossumUI-for-mac.zip.

Windows

Run OpossumUI-for-win.exe to install the OpossumUI. Then open OpossumUI from the start menu.

Working with OpossumUI

Check out our short video, which presents a basic workflow.

For an in-depth explanation, please read the Users's Guide.

Exporting data

In addition to the default output file, OpossumUI provides the following export options.

Exporting SPDX documents

An SPDX document can be exported in the json and the yaml format through the ExportSPDX (yaml) and SPDX (json) option in the File menu.

Exporting BOM-like CSV files

These can be exported through the ExportCompact / Detailed component list option in the File menu. Both component list files contain a list of all attributions that are present in the project, including package name, version, copyright, license name and URL. In addition, the detailed component list is more comprehensive and includes the PURL and its subcomponents, as well as the license texts.

Exporting follow-up document

This can be exported through the ExportFollow-Up option in the File menu. Similar to the component list, it contains attributions with licenses flagged for legal review through the Follow-Up checkbox in the UI.

Limitations

SPDX License Expressions are only partially supported at the moment. Currently, a license expression can only be entered as license name of a package. The full license text of the different licenses (e.g. GPL-2.0-only OR BSD-2-Clause) that apply should also be entered in the license text field.

Developer's guide

Contributions to the project are welcome. See Contributing.

Licensing

OpossumUI is licensed under Apache-2.0, documentation is licensed under CC0-1.0. For contributions, we use the Developer Certificate of Origin (DCO) process via sign-offs in every commit, to help ensure licensing criteria are met.