
*Logo courtesy of [@speasley](https://github.com/speasley)*
# Spandx 
A Ruby API for interacting with the https://spdx.org software license catalogue.
This gem includes a command line interface to scan a software project for the
software licenses that are associated with each dependency in the project.
`spandx` leverages an offline cache of software licenses for known dependencies.
The offline cache allows Spandx to perform an air gap friendly scan of software
projects.
### Supported project types
Spandx works with the package managers of the following languages. It relies on the lock files generated by those package managers to find dependencies.
| Language | Package Manager | Tested in |
| ------------ | --------------- | -------: |
| Ruby | bundler | 1.17.3 |
| Js | Npm | 6.13.4 |
| Js | Yarn | 1.19.1 |
| Python | Pypi(pipenv) | v2018.11.26 |
| C# | nuget | <> |
| Java | Maven | 3.6.3 |
| Php | Composer | 1.10.5 |
## Installation
Add this line to your application's Gemfile:
```ruby
gem 'spandx'
```
And then execute:
```bash
$ bundle
```
Or install it yourself as:
```bash
$ gem install spandx
```
## Usage
### Command line interface
The command line interface supports operations to fetch the latest pre-built cache.
See the help for each subcommand for more information on how to use the command.
```bash
$ spandx
Commands:
  spandx help [COMMAND]  # Describe available commands or one specific command
  spandx scan LOCKFILE   # Scan a lockfile and list dependencies/licenses
  spandx version         # spandx version
```
To scan a specific project file use the `scan` command:
```bash
$ spandx scan dotnet/application.sln
$ spandx scan java/pom.xml
$ spandx scan python/Pipfile.lock
$ spandx scan ruby/Gemfile.lock
```
To activate air gap mode use the `--airgap` option:
```bash
$ spandx scan dotnet/application.sln --airgap
$ spandx scan ruby/Gemfile.lock --airgap
```
Air gap mode assumes that an offline cache has been placed in `$HOME/.local/share/`.
To fetch the latest offline cache:
```bash
$ spandx pull
```
### Ruby API
To fetch the latest version of the catalogue data from [SPDX](https://spdx.org/licenses/licenses.json):
```ruby
catalogue = Spandx::Spdx::Catalogue.latest
catalogue.each do |license|
  puts license.inspect
end
```
To load an offline copy of the data:
```ruby
path = File.join(Dir.pwd, 'licenses.json')
catalogue = Spandx::Spdx::Catalogue.from_file(path)
catalogue.each do |license|
  puts license.inspect
end
```
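As an added example (not part of the spandx gem), the following script shows what a project would typically do with the catalogue and a scan result together: check each dependency's declared license against the SPDX list and an allowlist, flagging deprecated and unknown identifiers. The `licenses.json` excerpt and the dependency/license pairs standing in for `spandx scan` output are constructed; the field names follow the real SPDX `licenses.json` schema.

```ruby
require 'json'

# Constructed excerpt in the shape of https://spdx.org/licenses/licenses.json
# (the same file an offline `Spandx::Spdx::Catalogue.from_file` call reads).
SPDX_JSON = <<~JSON
  {
    "licenseListVersion": "3.8",
    "licenses": [
      {"licenseId": "MIT", "name": "MIT License", "isOsiApproved": true, "isDeprecatedLicenseId": false},
      {"licenseId": "GPL-3.0", "name": "GNU GPL v3.0 only", "isOsiApproved": true, "isDeprecatedLicenseId": true},
      {"licenseId": "GPL-3.0-only", "name": "GNU GPL v3.0 only", "isOsiApproved": true, "isDeprecatedLicenseId": false},
      {"licenseId": "Apache-2.0", "name": "Apache License 2.0", "isOsiApproved": true, "isDeprecatedLicenseId": false}
    ]
  }
JSON

# Index the catalogue by licenseId so each lookup is a hash access.
def load_catalogue(json)
  JSON.parse(json).fetch('licenses').each_with_object({}) do |entry, index|
    index[entry['licenseId']] = entry
  end
end

# Classify each dependency's declared license against the catalogue and an allowlist.
# Returns { dependency name => :allowed | :denied | :deprecated | :unknown }.
def check_licenses(dependencies, catalogue, allowlist)
  dependencies.each_with_object({}) do |(name, license_id), report|
    entry = catalogue[license_id]
    report[name] =
      if entry.nil? then :unknown                   # not an SPDX id; needs manual review
      elsif entry['isDeprecatedLicenseId'] then :deprecated
      elsif allowlist.include?(license_id) then :allowed
      else :denied
      end
  end
end

# Constructed stand-in for the dependency/license pairs a `spandx scan` lists.
SCAN_RESULT = {
  'dep-a' => 'MIT',
  'dep-b' => 'GPL-3.0',
  'dep-c' => 'GPL-3.0-only',
  'dep-d' => 'Custom-EULA'
}.freeze

ALLOWLIST = %w[MIT Apache-2.0 BSD-3-Clause].freeze

if __FILE__ == $PROGRAM_NAME
  check_licenses(SCAN_RESULT, load_catalogue(SPDX_JSON), ALLOWLIST).each do |dep, verdict|
    puts format('%-8s %s', dep, verdict)
  end
end
```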
## Development
After checking out the repo, run `bin/setup` to install dependencies. Then, run `bin/test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
## Contributing
Bug reports and pull requests are welcome on GitHub at https://github.com/spandx/spandx.
## License
The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).