- State: demonstrator / not production ready
- ... needs a better name
This docker based pipeline uses
- the OSS Review Toolkit, built from the fork https://github.com/opossum-tool/oss-review-toolkit,
- ScanCode (https://github.com/nexB/scancode-toolkit/),
- OWASP Dependency-Check (https://owasp.org/www-project-dependency-check/) and
- SCANOSS (https://github.com/scanoss/scanner.c)
to scan the provided source directory.
It is able to consume arbitrary source code and tries to do its best, with the limitation that Ort requires the folder to be under version control.
The results are merged via opossum.lib.hs to a single merged-opossum.input.json.gz.
The whole tooling is selfcontained in a single docker image, that consumes the content of /intput and produces the ressults in /output.
Build the docker image (once):
$ ./build-docker-image.shScan the root of a project (fo ORT, it must be under vcs):
$ ./run-on-folder.sh path/to/project/rootthis generates a folder path/to/project/root_aioc containing the file merged-opossum.input.json.gz.