FossID-DA (ORI) is an internal tool that detects and identifies license information (for license compliance) for dependencies/components, working from several kinds of input.
How it works
- Takes the given input (currently an ORT report) and collects the valid dependency identifiers (component, version, source URL and binary URL) from the supported files
- Checks the APIs and internal databases listed above for relevant license information
- Checks KB2 to see whether the component, version and license are already known
- Downloads the component package archive, using the source URL or binary URL from the input, into the download folder set in the config
- Runs fossid-cli on the downloaded (or existing) archive and adds the relevant information if any is found
- Extracts the archive and scans the extracted files with the Shinobi License Extractor, then removes the extracted files and the downloaded archive (archives can be kept with the --keep option)
- If an archive already present in the download folder has the same file name as one of the URL packages, that local archive is extracted instead and the URL package is not downloaded (the match is by file name only)
- A license for the downloaded package is picked from the Shinobi License Extractor results
- All license information is gathered and the relevant overall license(s) and rule(s) are picked
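As an added example (not FossID-DA's own code), the following Python models the steps above end to end: the KB2 lookup, the local-archive-by-name shortcut, a stand-in for the download, extraction with a path-traversal guard, a phrase-matching stand-in for the Shinobi License Extractor, and the overall-license pick with the default cleanup and a --keep equivalent. The KB2 contents, the license phrases, the archive contents, the URLs and every function name are assumptions; the fossid-cli step is left out because it is an external binary.

```python
# Added example, not FossID-DA code: a runnable model of the resolution steps above.
# KB2, the license matcher, the archive contents and every name here are constructed.
from __future__ import annotations
import io, os, tarfile, tempfile
from collections import Counter
from dataclasses import dataclass, field
from pathlib import Path

KB2 = {("left-pad", "1.3.0"): "MIT"}   # constructed stand-in for the KB2 lookup
LICENSE_PHRASES = {                     # constructed stand-in for Shinobi License Extractor
    "permission is hereby granted, free of charge": "MIT",
    "apache license": "Apache-2.0",
}
MIT_TEXT = "Permission is hereby granted, free of charge, to any person ..."
APACHE_TEXT = "Licensed under the Apache License, Version 2.0 ..."

@dataclass
class Dependency:
    name: str
    version: str
    source_url: str = ""
    binary_url: str = ""

@dataclass
class Result:
    origin: str                                   # "kb2", "local-archive" or "download"
    file_licenses: dict[str, str] = field(default_factory=dict)
    overall: str | None = None

def make_archive(dest: Path, members: dict[str, str]) -> Path:
    """Write a tar.gz from {member path: text}; doubles as the fake download."""
    with tarfile.open(dest, "w:gz") as tar:
        for name, text in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(text.encode())
            tar.addfile(info, io.BytesIO(text.encode()))
    return dest

def safe_extract(archive: Path, target: Path) -> list[Path]:
    """Extract, refusing members that would land outside target or are links."""
    root = os.path.realpath(target)
    with tarfile.open(archive) as tar:
        for m in tar.getmembers():
            dest = os.path.realpath(os.path.join(root, m.name))
            if os.path.commonpath([root, dest]) != root or m.issym() or m.islnk():
                raise ValueError(f"unsafe archive member: {m.name}")
        # Python 3.12+ also offers the "data" filter; use it when present.
        tar.extractall(target, **({"filter": "data"} if hasattr(tarfile, "data_filter") else {}))
    return [p for p in target.rglob("*") if p.is_file()]

def scan_files(files: list[Path], root: Path) -> dict[str, str]:
    """Per-file license by phrase match, keyed by path relative to root."""
    found = {}
    for f in files:
        text = f.read_text(errors="replace").lower()
        for phrase, spdx in LICENSE_PHRASES.items():
            if phrase in text:
                found[f.relative_to(root).as_posix()] = spdx
                break
    return found

def pick_overall(file_licenses: dict[str, str]) -> str | None:
    """Most frequent file-level license wins; ties broken alphabetically."""
    if not file_licenses:
        return None
    counts = Counter(file_licenses.values())
    return min(counts, key=lambda lic: (-counts[lic], lic))

def resolve(dep: Dependency, download_dir: Path, keep: bool = False) -> Result:
    kb = KB2.get((dep.name, dep.version))
    if kb:                                        # known to KB2: nothing to fetch
        return Result("kb2", overall=kb)
    url = dep.source_url or dep.binary_url
    archive = download_dir / url.rsplit("/", 1)[-1]
    if archive.exists():                          # local copy wins, matched by file name only
        origin = "local-archive"
    else:                                         # stand-in for the real HTTP download
        make_archive(archive, {"pkg/LICENSE": MIT_TEXT, "pkg/README": "see LICENSE"})
        origin = "download"
    with tempfile.TemporaryDirectory() as tmp:   # extracted files go away with tmp
        licenses = scan_files(safe_extract(archive, Path(tmp)), Path(tmp))
    if not keep:
        archive.unlink()                          # default cleanup; keep=True is the --keep case
    return Result(origin, licenses, pick_overall(licenses))

def run_demo() -> dict:
    """Exercise the KB2, download and local-archive paths plus the traversal guard."""
    with tempfile.TemporaryDirectory() as d:
        dl = Path(d)
        kb2 = resolve(Dependency("left-pad", "1.3.0"), dl)
        fetched = resolve(Dependency("foo", "2.0", "https://example.invalid/foo-2.0.tar.gz"), dl)
        make_archive(dl / "bar-1.0.tar.gz", {"bar/LICENSE": APACHE_TEXT})  # pre-placed archive
        local = resolve(Dependency("bar", "1.0", "https://example.invalid/bar-1.0.tar.gz"), dl, keep=True)
        make_archive(dl / "evil.tar.gz", {"../escape.txt": "x"})          # hostile member path
        try:
            safe_extract(dl / "evil.tar.gz", dl / "out")
            blocked = False
        except ValueError:
            blocked = True
        return {"kb2": kb2, "download": fetched, "local": local,
                "download_removed": not (dl / "foo-2.0.tar.gz").exists(),
                "local_kept": (dl / "bar-1.0.tar.gz").exists(),
                "traversal_blocked": blocked}

if __name__ == "__main__":
    print(run_demo())
```

Running the file prints the three outcomes. The traversal check is there because the archive comes from a URL taken out of the input report: a member named `../something` would otherwise be written outside the scan directory. The local-archive shortcut likewise trusts whatever sits in the download folder under the expected file name, so that folder should only be writable by the account running the scan.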
What is deep scan?
It is one of fossid-da's scan modes that collects additional information about dependencies. This mode collects copyright and compliance information for all of the files in every dependency package.
What information is normally returned by FossID DA about a component?
When running a normal scan, this is the information gathered for one component:
How is this information collected in the normal (non-deep-scan) case?
In the normal case this information is collected from a single source per dependency type, usually the package registry of that dependency type.