https://github.com/philips-software/whitesource-dependencies-to-reference-format

Extracts dependencies from the inventory report json artifact of tool Whitesource.

# whitesource-dependencies-to-reference-format

> Note: :warning: If you're interested in Software Bill of Materials, you might also look into [Bompare](https://github.com/philips-labs/bompare)

## Description
Extracts dependencies from the inventory report JSON artifact produced by the WhiteSource tool.

Outputs the following file(s):
- __dependencies.json__ contains the dependencies extracted from the inventory file, in a reference format. The reference format is a JSON array of objects with the keys _name_ and _version_. Entries are unique by the combination of _name_ and _version_: duplicates in the inventory are emitted once.
- (optional, only if the `--licenses` flag was set) __dependencies_with_extended_info.json__ contains the same dependencies in an extended reference format, which adds an array of _licenses_ to each dependency besides its _name_ and _version_.

### Preconditions
The WhiteSource inventory report is expected to contain the keys _name_ and _version_ for every element in the inventory. If the `--usegroup` option is set (dependency names are read from the groupId instead of the name), the _groupId_ key is expected in the inventory file as well.
If the `--licenses` flag is present, the inventory report is additionally expected to contain the key _licenses_.

### How is information extracted to reference format?
The version in the output file is copied unchanged from the WhiteSource inventory report. The dependency name in the output file is by default derived from the _name_ and _version_ fields of the inventory report: the trailing `-<version>` suffix, together with anything after it (such as a `.tgz` or `.jar` extension), is stripped from the name; if the version is empty or the name does not contain it, the name is used as-is. With `--usegroup` the name is taken from the _groupId_ field instead, falling back to the derivation from _name_ when no groupId is present. The following examples illustrate both modes:

| Name in Whitesource | Version in Whitesource | GroupId in Whitesource | Name in output (derived from Name) | Name in output (derived from GroupId)| Version in output
| -------------------------------------|:----------------------:|-----------------------:|--------------------------------------|:-------------------------------------|:------------------
| json-schema-0.2.3.tgz | 0.2.3 | json-schema | json-schema | json-schema | 0.2.3
| annotations-13.0.jar | 13.0 | org.jetbrains | annotations | org.jetbrains | 13.0
| io.js | v0.9.2 | iojs | io.js | iojs | v0.9.2
| webassemblyjs-wasm-parser-1.7.10.tgz | | | webassemblyjs-wasm-parser-1.7.10.tgz | webassemblyjs-wasm-parser-1.7.10.tgz |
| some-dependency-name-0.0.1.tgz | 0.0.1 | | some-dependency-name | some-dependency-name | 0.0.1
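The derivation rules in the table, implemented as a small JavaScript example added here (this is not the project's own code, and the flat inventory shape used below, an array of objects with `name`, `version`, `groupId` and `licenses` keys, is an assumption for the example; the real WhiteSource report may nest these differently). It also shows the deduplication by (name, version) and the optional license extraction:

```javascript
// Added example, not the project's implementation. Assumes a flat inventory:
// an array of { name, version, groupId, licenses } objects.

// Derive the reference-format name from one inventory entry.
// With useGroup, prefer groupId; otherwise strip the "-<version>" suffix
// (and everything after it, e.g. ".tgz"/".jar") from the name.
function deriveName(entry, useGroup) {
  const name = entry.name || '';
  const version = entry.version || '';
  if (useGroup && entry.groupId) {
    return entry.groupId;
  }
  if (version) {
    const idx = name.indexOf(`-${version}`);
    if (idx > 0) {
      return name.slice(0, idx);
    }
  }
  // Empty version, or version not embedded in the name: keep the name as-is.
  return name;
}

// Build the reference-format list: unique by (name, version), in first-seen
// order. With licenses=true each entry also carries a licenses array
// (license entries are assumed to be strings or objects with a `name` key).
function extractDependencies(inventory, { useGroup = false, licenses = false } = {}) {
  const seen = new Map();
  for (const entry of inventory) {
    const name = deriveName(entry, useGroup);
    const version = entry.version || '';
    const key = `${name}@${version}`;
    if (seen.has(key)) {
      continue; // duplicate (name, version) pair
    }
    const dep = { name, version };
    if (licenses) {
      dep.licenses = (entry.licenses || []).map((l) => (typeof l === 'string' ? l : l.name));
    }
    seen.set(key, dep);
  }
  return Array.from(seen.values());
}

// Serialise the way the tool's output files are described: a JSON array.
function toReferenceJson(deps) {
  return JSON.stringify(deps, null, 2);
}

// Constructed sample inventory mirroring the README table, plus one duplicate
// of the first row to exercise deduplication.
const sampleInventory = [
  { name: 'json-schema-0.2.3.tgz', version: '0.2.3', groupId: 'json-schema', licenses: [{ name: 'BSD-3-Clause' }] },
  { name: 'annotations-13.0.jar', version: '13.0', groupId: 'org.jetbrains', licenses: ['Apache-2.0'] },
  { name: 'io.js', version: 'v0.9.2', groupId: 'iojs', licenses: ['MIT'] },
  { name: 'webassemblyjs-wasm-parser-1.7.10.tgz', version: '', groupId: '', licenses: [] },
  { name: 'some-dependency-name-0.0.1.tgz', version: '0.0.1', groupId: '', licenses: ['MIT'] },
  { name: 'json-schema-0.2.3.tgz', version: '0.2.3', groupId: 'json-schema', licenses: [{ name: 'BSD-3-Clause' }] },
];

console.log(toReferenceJson(extractDependencies(sampleInventory)));
console.log(toReferenceJson(extractDependencies(sampleInventory, { useGroup: true, licenses: true })));
```

Note that with `useGroup` the fallback keeps entries whose groupId is missing (the last table row) in the output instead of dropping them, which matters when the reference file is later diffed against another SBOM: a silently dropped dependency looks identical to one that was never there.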

# Status
0.0.3, see [CHANGELOG.md](./CHANGELOG.md)

# Limitation
- tested with WhiteSource output (version 19.11.1.190) as generated by scanning projects of the following technologies:
  - Java
  - JavaScript

# Prerequisites
- you should have Node.js installed (this script was tested with Node v12.2.0)
- you should have yarn installed (we used version v1.19.0)

# Usage
```
yarn extract [options]
```

### Supported options:

| Flag | Alias | Functionality
| ---------------------|:-----:| -------------------------------------
| --input [filename] | -i | (mandatory) Filename of the WhiteSource inventory report file to extract dependencies from.
| --licenses | | (optional) Flag to signal whether to additionally extract license names from the WhiteSource inventory report (to the output file dependencies_with_extended_info.json).
| --usegroup | | (optional) Flag to signal whether to take the dependency name from the groupId key. If this flag is not set or is false, dependency names are derived from the name key.
| --output [filename] | -o | (optional) Filename to which the list of dependencies (name and version) is written in JSON format. If the file already exists, it is overwritten. Default value: dependencies.json
| --verbose | | (optional) Verbose output of commands and errors
| --help | -h | (optional) Displays usage information
| --version | -v | (optional) Displays the version number

### Sample usage
To derive the dependency name from the _name_ key:
```
yarn extract -i ./sampleData/sampleInput.json
```
To extract license information as well:
```
yarn extract -i ./sampleData/sampleInput.json --licenses
```
To take the dependency name from the _groupId_ key:
```
yarn extract -i ./sampleData/sampleInput.json --usegroup
```
To take the dependency name from the _groupId_ key and extract the license information as well:
```
yarn extract -i ./sampleData/sampleInput.json --usegroup --licenses
```

## Technology stack
- JavaScript
- This software is intended to be used standalone, as a command-line tool

## How to build
Get the sources locally; in a command line, go to the root folder of this project and execute:
```
yarn install
```
## How to test
```
yarn test
```
or
```
yarn coverage
```

## How to do static analysis of code
Linting with the `standard` style is enabled by default; run it with:
```
yarn lint
```

## Owners
See [CODEOWNERS](./CODEOWNERS)

## Maintainers
See [MAINTAINERS.md](./MAINTAINERS.md)

## Contributing
See [CONTRIBUTING.md](./CONTRIBUTING.md)

## License
See [LICENSE.md](./LICENSE.md)

## Author
Sanda Contiu

## Keywords
- dependencies
- sbom
- software bill of material
- whitesource
- extract
- retrieve
- licenses