fosslight-scanner 2.1.21

FOSSLight Scanner

FOSSLight Scanner

Analyze at once for Open Source Compliance.

FOSSLight Scanner performs open source analysis after downloading the source by passing a link that can be cloned by wget or git. Instead, open source analysis can be performed for the local source path. The output result is generated in FOSSLight Report format.

• FOSSLight Prechecker Check whether the source code's copyright and license writing rules are complied with.
• FOSSLight Source Scanner Extract license and copyright in the source code using ScanCode.
• FOSSLight Dependency Scanner Extract dependency and OSS information from the package manager's manifest file.
• FOSSLight Binary Scanner Find binary and print OSS information.

Contents

Please refer to https://fosslight.org/fosslight-guide/scanner/ for the FOSSLight Scanner User Guide.

• FOSSLight Scanner
  • Contents
  • 📋 Prerequisite
  • 🎉 How to install
  • 🚀 How to run
    • Parameters
    • Ex 1. Local Source Analysis
    • Ex 2. Local Source Analysis with Path to Exclude
    • Ex 3. Download Link and analyze
    • Ex 4. Compare the BOM of two FOSSLight reports
  • 📁 Result
  • 🐳 How to run using Docker
  • 👏 How to report issue
  • 📄 License

📋 Prerequisite

FOSSLight Scanner needs a Python 3.10+.

🎉 How to install

It can be installed using pip3. It is recommended to install it in a virtualenv environment.

pip3 install fosslight_scanner

🚀 How to run

FOSSLight Scanner is run with the fosslight command.

fosslight [Mode] [option1] <arg1> [option2] <arg2>...

Parameters

Mode

        all                     Run all scanners(Default)
        source                  Run FOSSLight Source
        dependency              Run FOSSLight Dependency
        binary                  Run FOSSLight Binary
        prechecker              Run FOSSLight Prechecker
        compare                 Compare two FOSSLight reports

Options:

        -h                      Print help message
        -p <path>               Path to analyze (ex, -p {input_path})
                                 * Compare mode input file: Two FOSSLight reports (supports excel, yaml)
                                   (ex, -p {before_name}.xlsx {after_name}.xlsx)
        -w <link>               Link to be analyzed can be downloaded by wget or git clone
        -f <format>             FOSSLight Report file format (excel, yaml)
                                 * Compare mode result file: supports excel, json, yaml, html
        -o <output>             Output directory or file
        -c <number>             Number of processes to analyze source
        -e <path>               Path to exclude from analysis (files and directories, pattern matching is available)
                                 * IMPORTANT: Always wrap patterns in quotes("") to avoid shell expansion.
                                   Example) fosslight -e "test/abc.py" "*.jar" "test/"
        -r                      Keep raw data
        -t                      Hide the progress bar
        -v                      Print FOSSLight Scanner version
        -s <path>               Path to apply setting from json file (check format with 'setting.json' in this repository)
                                 * Direct cli flags have higher priority than setting file
                                   (ex, '-f yaml -s setting.json' - result file extension is .yaml)

• Refs.
  • Additional arguments for running dependency analysis. See the FOSSLight Dependency Guide for instructions.
  • In the case of DB URL, it is the DB connection information to be used in FOSSLight Binary.
• Pattern matching guide for the -e option
  • ⚠️ Make sure to use double quotes ("") when entering values.
    • Example) fosslight -e "test/abc.py" "*.jar" "test/"
  • ⚠️ File names and extensions are case-sensitive, so please enter them exactly as intended.

Ex 1. Local Source Analysis

fosslight all -p /home/source_path -d "-a 'source /test/Projects/venv/bin/activate' -d 'deactivate'"

If using additional flags like -d, document them in Options section or link to related guide.

Ex 2. Local Source Analysis with Path to Exclude

fosslight all -p /home/source_path -e "temp_dir" "src/temp.py"

Ex 3. Download Link and analyze

fosslight all -o test_result_wget -w "https://github.com/LGE-OSS/example.git"

If you want to analyze private repository, set your GitHub token like below.

fosslight all -w "https://my_github_token@github.com/Foo/private_repo"

Ex 4. Compare the BOM of two FOSSLight reports

fosslight compare -p FOSSLight_before_proj.yaml FOSSLight_after_proj.yaml -f excel

📁 Result

$ tree
.
├── fosslight_log
│   ├── fosslight_log_20210924_022422.txt
└── FOSSLight-Report_20210924_022422.xlsx

• FOSSLight_Report-[datetime].xlsx: OSS Report format file that outputs source code analysis, binary analysis, and dependency analysis results.
• fosslight_raw_data_[datetime] directory: Directory in which raw data files are created as a result of analysis

🐳 How to run using Docker

1. Build image using Dockerfile.

docker build -t fosslight .

2. Run with the image you built.
   ex. Output: /Users/fosslight_source_scanner/test_output, Path to be analyzed: tests/test_files

docker run -it -v /Users/fosslight_source_scanner/test_output:/app/output fosslight -p tests/test_files -o output

👏 How to report issue

Please report any ideas or bugs to improve by creating an issue in fosslight_scanner repository.
Then there will be quick bug fixes and upgrades. Ideas to improve are always welcome.

📄 License

FOSSLight Scanner is released under Apache-2.0.