Leveraging ORT from a commercial code scanner – FossID and OSS Review Toolkit


FossID and OSS Review Toolkit (ORT) have recently started a collaboration to integrate ORT into FossID and make the FossID scanner available as a scanner in ORT in the future. We hope this collaboration will result in Software Composition Analysis tooling that better supports the various compliance use cases needed to review software products and services, including support for a wide range of package managers, detailed scans of your code for open source licenses and vulnerabilities, and generation of various attribution documents (incl. SPDX SBOMs).

The first result of this collaboration is a beta release of an integration of ORT’s dependency analyzer into FossID, giving you insight into the open source dependencies that are included in your codebase via package managers such as Gradle, Maven or npm.

What is ORT?

The OSS Review Toolkit, or “ORT” for short, is a project under the Linux Foundation umbrella. It has been around for a few years and has matured rapidly in its ambition to provide review tooling to the OSS community that is compatible with modern software development practices such as package managers, continuous integration and continuous delivery (CI/CD).

In short, ORT is an open source tool that helps verify users’ compliance with Free and Open Source Software (FOSS) licenses by looking at a project’s source code and its dependencies. It works by analyzing the project’s build system for dependencies, downloading the source code of the dependencies, scanning all source code for license information, and summarizing the results.

There are several different tools that make up ORT. They are each designed as libraries (for programmatic use), with a minimal command line interface (for scripted use):

  • Analyzer – determines dependencies of a project.
  • Downloader – fetches the source code referred to by the Analyzer result.
  • Scanner – wraps existing license / copyright scanners to detect findings in local source code directories.
  • Evaluator – evaluates license findings against customizable policy rules.
  • Reporter – presents results in various formats such as visual reports, open source notices or Bill-Of-Materials (BOMs) to easily identify dependencies, licenses, copyrights or policy rule violations.


ORT Analyzer for great dependency analysis

FossID has been a collaboration partner with ORT for some time and grew particularly fond of the ORT Analyzer, which provides accurate information about what dependencies your software has. It does the analysis recursively, which means it loads the dependencies of dependencies in intricate chains. If you run it on the same system where you build your software, you cannot miss a license declaration; it will all be there (as long as the dependencies are supported by ORT).

Integrating ORT into the FossID commercial software scanner

The guiding star of FossID is to facilitate open source software adoption, which mandates collaboration with several open source projects and initiatives such as ORT. As a proof of concept, FossID wanted to explore the interoperability with ORT Scanner to inspire users to cherry-pick functionality suiting their unique situation, and get the best from both tooling worlds (open source and commercial).

FossID is fundamentally based on the FossID knowledge base and scanner, which interact with the user either through a CLI for automation, or a web application (WebApp) for more manual activities. Using the WebApp, FossID wanted to explore how an integration could be done to enjoy the features of the ORT Analyzer.

The solution works as follows: once you install ORT on the WebApp server and configure the WebApp to use it, the WebApp shows a new tab where you can start the Dependency Analysis and review the results. Additionally, the results of the Dependency Analysis are included in the WebApp reports.

Installing ORT was very straightforward for a skilled engineer, but FossID created and contributed back a set of scripts to ORT to make the process even easier. FossID also worked on processing the results to display a cleaned-up set of dependencies and on limiting the scope of the ORT analysis to only the supported package managers.

There are many interesting aspects of an ORT integration with a commercial tool to pursue, and we will make sure to keep you updated with new learnings as we go along.
