- State: demonstrator / not production ready
- ... needs a better name
This docker based pipeline uses
- the OSS Review Toolkit, built from the fork https://github.com/opossum-tool/oss-review-toolkit,
- ScanCode (https://github.com/nexB/scancode-toolkit/),
- OWASP Dependency-Check (https://owasp.org/www-project-dependency-check/) and
- SCANOSS (https://github.com/scanoss/scanner.c)
to scan the provided source directory.
It can consume arbitrary source code and does its best with it, with the limitation that ORT requires the folder to be under version control.
The results are merged via opossum.lib.hs into a single merged-opossum.input.json.gz.
The whole tooling is self-contained in a single docker image that consumes the content of /input and produces the results in /output.
Build the docker image (once):
$ ./build-docker-image.sh
Scan the root of a project (for ORT, it must be under version control):
$ ./run-on-folder.sh path/to/project/root
This generates a folder path/to/project/root_aioc containing the file merged-opossum.input.json.gz.
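The two steps above, wrapped in a small pre-flight and post-run check, as an added example that is not part of the project's scripts: it refuses to start the scan when the folder carries no version-control marker (the ORT limitation named above), and it verifies that the merged result exists and is an intact gzip file after run-on-folder.sh returns. The .git/.hg/.svn markers are an assumption of this example; ORT's own VCS detection may differ.

```shell
#!/bin/sh
# Added example, not part of the pipeline. Assumes the README conventions:
# the scanned folder must be under version control for ORT, and the results
# land in <root>_aioc/merged-opossum.input.json.gz.

# Derive the output folder the pipeline writes next to the scanned root.
aioc_output_dir() {
    printf '%s_aioc\n' "${1%/}"
}

# Return 0 if the folder carries a VCS marker. Checking for .git/.hg/.svn
# is an assumption of this example, not ORT's own detection logic.
aioc_is_under_vcs() {
    for marker in .git .hg .svn; do
        [ -e "$1/$marker" ] && return 0
    done
    return 1
}

# Return 0 if the merged result exists and passes a gzip integrity check.
aioc_result_ok() {
    result="$(aioc_output_dir "$1")/merged-opossum.input.json.gz"
    [ -f "$result" ] && gzip -t "$result" 2>/dev/null
}

# Run the pipeline only when the pre-flight check passes.
# Usage: aioc_run path/to/project/root
aioc_run() {
    root="$1"
    if ! aioc_is_under_vcs "$root"; then
        echo "refusing to scan $root: not under version control (ORT would fail)" >&2
        return 2
    fi
    ./run-on-folder.sh "$root" || return $?
    if ! aioc_result_ok "$root"; then
        echo "pipeline finished but no valid result in $(aioc_output_dir "$root")" >&2
        return 3
    fi
    echo "result: $(aioc_output_dir "$root")/merged-opossum.input.json.gz"
}
```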