{"id":20102947,"url":"https://github.com/stackrox/ossls","last_synced_at":"2026-05-10T01:40:38.235Z","repository":{"id":57696203,"uuid":"147391699","full_name":"stackrox/ossls","owner":"stackrox","description":"📜 Automated dependency license scanning and auditing","archived":false,"fork":false,"pushed_at":"2024-08-13T20:38:15.000Z","size":2426,"stargazers_count":0,"open_issues_count":1,"forks_count":1,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-01-13T04:40:13.459Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/stackrox.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-09-04T18:36:13.000Z","updated_at":"2024-08-13T20:37:33.000Z","dependencies_parsed_at":"2024-07-29T18:22:52.726Z","dependency_job_id":"931229fb-3f4c-4eb0-a5ac-bc6a84dfc28d","html_url":"https://github.com/stackrox/ossls","commit_stats":null,"previous_names":[],"tags_count":27,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stackrox%2Fossls","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stackrox%2Fossls/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stackrox%2Fossls/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stackrox%2Fossls/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/stackrox","download_url":"https://codeload.github.com/stackrox/ossls
/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":241542436,"owners_count":19979317,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-13T17:33:45.454Z","updated_at":"2026-05-10T01:40:33.211Z","avatar_url":"https://github.com/stackrox.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![CircleCI][circleci-badge]][circleci-link]\n\n# OSSLS\n\n📜 Automated dependency license scanning and auditing\n\n## Installing\n\n### From source\n\nYou can use `go get` to install a development version of the tool by running:\n\n```bash\n$ go get -u github.com/stackrox/ossls\n```\n\n### Precompiled binary\n\nAlternatively, you can download a static [release][github-release-link] binary using [fetch](https://github.com/gruntwork-io/fetch):\n\n```bash\n$ fetch --repo=\"https://github.com/stackrox/ossls\" \\\n  --tag=\"0.2.0\" --release-asset=\"ossls_linux_amd64\" .\n$ sudo install ossls_linux_amd64 /usr/bin/ossls\n```\n\n## Configuration\n\nBy default, ossls refers to a file named `.ossls.yml` for all configuration. 
The file contains two top-level properties, `resolvers` and `dependencies`.\n\n```yaml\nresolvers:\n  dep:\n    manifest: Gopkg.toml\n    vendor-dir: vendor\n\n  js:\n    manifest: ui/package.json\n    module-dir: ui/node_modules\n\ndependencies:\n  ui/node_modules/react:\n    url: https://github.com/facebook/react\n    license: MIT\n    files:\n      LICENSE: 52412d7bc7ce4157ea628bbaacb8829e0a9cb3c58f57f99176126bc8cf2bfc85\n      package.json:\n        license: 809c46917bff0e06079ac81a33b2ee85061ce18988dc1ae584240fc6408328b1\n    attribution:\n    - Copyright (c) Facebook, Inc. and its affiliates.\n\n  ui/node_modules/redux:\n    url: https://github.com/reduxjs/redux\n    ...\n```\n\n### Resolvers Configuration\n\nThis property provides sources for different dependency tracking manifests. Specifically, these are `Gopkg.toml` files used by [`dep`](https://github.com/golang/dep) and `package.json` files used by [`npm`](https://www.npmjs.com), [`yarn`](https://yarnpkg.com), and the like.\n\n### Dependencies Configuration\n\nThis property provides a manifest for the current known set of project dependencies. Each sub-property is the relative name of a directory containing a single installed dependency.\n\nEach entry has additional properties, including the project URL, the specific type of license it uses, and copyright attribution information. There is also a list of files with corresponding SHA256 hashes, for use during auditing.\n\n## Usage\n\nYou can always view help information on the various actions like so:\n\n```\n$ ossls -help\nUsage of ./ossls:\n  -audit\n        Audit all dependencies.\n  -checksum\n        Calculate checksum for a file.\n  -config string\n        Path to configuration file. 
(default \".ossls.yml\")\n  -list\n        List all dependencies.\n  -scan\n        Scan single dependency.\n  -version\n        Displays the version and exits.\n```\n\n### Auditing Dependencies\n\nAuditing is the action of comparing the set of known dependencies to the set of currently installed dependencies and detecting violations of our expectations.\n\nYou can run an audit like so:\n\n```\n$ ossls -audit\n✓ ui/node_modules/react\n✓ ui/node_modules/redux\n...\n```\n\n#### Auditing Failures\n\nOccasionally, typically after updating a dependency, an audit may fail. This section outlines the different failure types and their meaning.\n\n##### Dependency Added\n\nIndicates that a new dependency was added to a package manager manifest (like `Gopkg.toml` or `package.json`) but does not exist in the ossls dependency list.\n\n```\n$ ossls -audit\n...\n✗ ui/node_modules/example\n  ↳ dependency added\nossls: violations found\n```\n\n##### Dependency Deleted\n\nIndicates that a dependency was removed from a package manager manifest (like `Gopkg.toml` or `package.json`) but still exists in the ossls dependency list.\n\n```\n$ ossls -audit\n...\n✗ ui/node_modules/example\n  ↳ dependency deleted\nossls: violations found\n```\n\n##### Checksum mismatch\n\nIndicates that a pinned file for this dependency has been modified. Re-examine the file to determine if licensing or copyright holders have changed. You can re-generate the SHA256 checksum with `ossls -checksum \u003cfile\u003e` or `shasum -a 256 \u003cfile\u003e`.\n\n```\n$ ossls -audit\n...\n✗ ui/node_modules/example\n  ↳ checksum mismatch for ui/node_modules/example/LICENSE. expected \u003csome SHA256\u003e but got \u003csome other SHA256\u003e\nossls: violations found\n```\n\n##### File does not exist\n\nIndicates that a pinned file for this dependency has been renamed or deleted. 
Re-examine the dependency and update the list of pinned files.\n\n```\n$ ossls -audit\n...\n✗ ui/node_modules/example\n  ↳ file ui/node_modules/example/LICENSE does not exist.\nossls: violations found\n```\n\n##### Invalid url / no license/attribution/files\n\nIndicates that a property for this dependency is improperly specified, or left blank.\n\n```\n$ ossls -audit\n...\n✗ ui/node_modules/example\n  ↳ no license\nossls: violations found\n```\n\n[circleci-badge]:      https://circleci.com/gh/stackrox/ossls.svg?\u0026style=shield\u0026circle-token=5ac8a87fbadae84c41f8c1fc868ad5d8ba85c90e\n[circleci-link]:       https://circleci.com/gh/stackrox/ossls/tree/master\n[github-release-link]: https://github.com/stackrox/ossls/releases/latest\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstackrox%2Fossls","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstackrox%2Fossls","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstackrox%2Fossls/lists"}