{"id":20801910,"url":"https://github.com/philips-software/whitesource-dependencies-to-reference-format","last_synced_at":"2025-10-12T20:18:19.120Z","repository":{"id":42940321,"uuid":"225846165","full_name":"philips-software/whitesource-dependencies-to-reference-format","owner":"philips-software","description":"Extracts dependencies from the inventory report json artifact of tool Whitesource.","archived":false,"fork":false,"pushed_at":"2023-07-18T20:40:21.000Z","size":720,"stargazers_count":0,"open_issues_count":7,"forks_count":1,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-01-18T12:34:24.940Z","etag":null,"topics":["software-bill-of-materials"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/philips-software.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-12-04T11:01:13.000Z","updated_at":"2022-02-14T07:36:21.000Z","dependencies_parsed_at":"2025-01-18T12:39:28.607Z","dependency_job_id":null,"html_url":"https://github.com/philips-software/whitesource-dependencies-to-reference-format","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/philips-software%2Fwhitesource-dependencies-to-reference-format","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/philips-software%2Fwhitesource-dependencies-to-reference-format/tags","releases_url":"https://repos.ecosyste.ms/api/v1/ho
sts/GitHub/repositories/philips-software%2Fwhitesource-dependencies-to-reference-format/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/philips-software%2Fwhitesource-dependencies-to-reference-format/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/philips-software","download_url":"https://codeload.github.com/philips-software/whitesource-dependencies-to-reference-format/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243147272,"owners_count":20243745,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["software-bill-of-materials"],"created_at":"2024-11-17T18:25:34.216Z","updated_at":"2025-10-12T20:18:19.036Z","avatar_url":"https://github.com/philips-software.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# whitesource-dependencies-to-reference-format\n\n\u003e Note: :warning: If you're interested in Software Bill of Materials, you might also look into [Bompare](https://github.com/philips-labs/bompare)\n\n## Description\nExtracts dependencies from the inventory report json artifact of tool Whitesource.\n\nOutputs the following file(s): \n  - __dependencies.json__ contains the dependencies extracted from the inventory file, in a reference format. This reference format is a JSON file containing arrays of objects with keys _name_ and _version_. 
It contains unique objects by the combination of _name_ and _version_.\n  - (optional, if the licenses flag was set) __dependencies_with_extended_info.json__ - contains the dependencies extracted from the inventory file, in an extended reference format, which includes an array of _licenses_ for each dependency, besides the dependency _name_ and _version_.\n\n### Preconditions\nThe Whitesource inventory report is expected to contain keys _name_ and _version_ for every element in the inventory. If the option is set to read the dependency name from the groupId instead, then the _groupId_ key is expected in the inventory file.\nIf the licenses flag is present, then the inventory report is expected to additionally contain the key _licenses_.\n\n### How is information extracted to reference format?\nThe version in the output file matches the version in the Whitesource inventory report. The dependency name in the output file is by default derived from the name and version fields in the inventory report (the trailing `-<version>` suffix and artifact extension, if present, are stripped from the name), and optionally can be derived from the groupId instead, as indicated in the following examples:\n\n| Name in Whitesource                  | Version in Whitesource | GroupId in Whitesource | Name in output (derived from Name)   | Name in output (derived from GroupId)| Version in output   \n| -------------------------------------|:----------------------:|-----------------------:|--------------------------------------|:-------------------------------------|:------------------\n| json-schema-0.2.3.tgz                | 0.2.3                  | json-schema            | json-schema                          | json-schema                          | 0.2.3\n| annotations-13.0.jar                 | 13.0                   | org.jetbrains          | annotations                          | org.jetbrains                        | 13.0 \n| io.js                                | v0.9.2                 | iojs                   | io.js                                | iojs                          
</gl_replace>
<gr_replace lines="4-4" cat="clarify" orig="| v0.9.2">
       | v0.9.2\n| webassemblyjs-wasm-parser-1.7.10.tgz |                        |                        | webassemblyjs-wasm-parser-1.7.10.tgz | webassemblyjs-wasm-parser-1.7.10.tgz |\n| some-dependency-name-0.0.1.tgz       | 0.0.1                  |                        | some-dependency-name                 | some-dependency-name                 | 0.0.1\n\n# Status\n0.0.3, see [CHANGELOG.md](./CHANGELOG.md)\n\n# Limitation\n- tested with Whitesource output (version 19.11.1.190) as generated by scanning projects of the following technologies: \n  - Java\n  - JavaScript\n\n# Prerequisites\n- you should have Node installed (this script was tested with node v12.2.0)\n- you should have yarn installed (we used version v1.19.0)\n\n# Usage\n```\nyarn extract [options]\n```\n\n### Supported options:\n\n| Flag                 | Alias | Functionality\n| ---------------------|:-----:| -------------------------------------\n| --input [filename]   |  -i   | (mandatory) Filename of the Whitesource inventory report file to extract dependencies from.\n| --licenses           |       | (optional) Flag to signal whether to additionally extract license names from the Whitesource inventory report (to output file dependencies_with_extended_info.json).\n| --usegroup           |       | (optional) Flag to signal whether to extract the name of dependencies from the groupId keyvalue. If this flag is not set or is false, then dependency names are inferred from the Name keyvalue.\n| --output [filename]  |  -o   | (optional) Filename to which the list of dependencies (name+version) is written (JSON format). If the file already exists, it will be overwritten. 
       | v0.9.2\n| webassemblyjs-wasm-parser-1.7.10.tgz |                        |                        | webassemblyjs-wasm-parser-1.7.10.tgz | webassemblyjs-wasm-parser-1.7.10.tgz |\n| some-dependency-name-0.0.1.tgz       | 0.0.1                  |                        | some-dependency-name                 | some-dependency-name                 | 0.0.1\n\n# Status\n0.0.3, see [CHANGELOG.md](./CHANGELOG.md)\n\n# Limitation\n- tested with Whitesource output (version 19.11.1.190) as generated by scanning projects of the following technologies: \n  - Java\n  - Javascript\n\n# Prerequisites\n- you should have Node installed (this script was tested with node v12.2.0)\n- you should have yarn installed (we used version v1.19.0)\n\n# Usage\n```\nyarn extract [options]\n```\n\n### Supported options:\n\n| Flag                 | Alias | Functionality\n| ---------------------|:-----:| -------------------------------------\n| --input [filename]   |  -i   | (mandatory) Filename of the Whitesource inventory report file to extract dependencies from.\n| --licenses           |       | (optional) Flag to signal wheter to additionally extract license names from the Whitesource inventory report (to output file dependencies_with_extended_info.json).\n| --usegroup           |       | (optional) Flag to signal wheter to extract the name of dependencies from the groupId keyvalue. If this flag is not set or is false, then dependency names are inferred from the Name keyvalue\n| --output [filename]  |  -o   | (optional) Filename to which the list of dependencies (name+version) is written (json format). If the file already exists, it will be overwritten. 
Default value: dependencies.json\n| --verbose            |       | (optional) Verbose output of commands and errors\n| --help               | -h    | (optional) Displays usage information\n| --version            | -v    | (optional) Displays version number\n\n\n\n### Sample usage\nTo determine the dependency name from the _name_ keyvalue:\n```\nyarn extract -i ./sampleData/sampleInput.json\n```\nTo extract license information as well: \n```\nyarn extract -i ./sampleData/sampleInput.json --licenses\n```\nTo determine the dependency name from the _groupId_ keyvalue: \n```\nyarn extract -i ./sampleData/sampleInput.json --usegroup\n```\nTo determine the dependency name from the _groupId_ keyvalue and get the license information as well: \n```\nyarn extract -i ./sampleData/sampleInput.json --usegroup --licenses\n```\n## Technology stack\n- Javascript\n- This software is intended to be used standalone, as a command-line tool\n\n## How to build\nGet the sources locally; in a command line, go to the root folder of this project and execute:\n```\nyarn install\n```\n## How to test\n```\nyarn test\n```\nor \n```\nyarn coverage\n```\n\n## How to do static analysis of code\nAutomatically enabled: standard\n```\nyarn lint\n```\n\n## Owners\nSee [CODEOWNERS](./CODEOWNERS)\n\n## Maintainers\nSee [MAINTAINERS.md](./MAINTAINERS.md)\n\n## Contributing\nSee [CONTRIBUTING.md](./CONTRIBUTING.md)\n\n## License\nSee [LICENSE.md](./LICENSE.md)\n\n## Author\nSanda Contiu\n\n## Keywords\n  - dependencies\n  - sbom\n  - software bill of material\n  - whitesource\n  - extract\n  - retrieve\n  - 
licenses\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fphilips-software%2Fwhitesource-dependencies-to-reference-format","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fphilips-software%2Fwhitesource-dependencies-to-reference-format","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fphilips-software%2Fwhitesource-dependencies-to-reference-format/lists"}