https://github.com/sonatype-nexus-community/ossindex-python
Python library for querying OSS Index
https://github.com/sonatype-nexus-community/ossindex-python
ossindex software-composition-analysis vulnerabilities
- Host: GitHub
- URL: https://github.com/sonatype-nexus-community/ossindex-python
- Owner: sonatype-nexus-community
- License: apache-2.0
- Created: 2021-09-13T10:11:08.000Z (over 4 years ago)
- Default Branch: main
- Last Pushed: 2024-10-30T19:38:40.000Z (over 1 year ago)
- Last Synced: 2025-04-14T17:06:07.971Z (11 months ago)
- Topics: ossindex, software-composition-analysis, vulnerabilities
- Language: Python
- Homepage: https://ossindex-library.readthedocs.io/en/latest/
- Size: 139 KB
- Stars: 1
- Watchers: 7
- Forks: 4
- Open Issues: 6
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE
- Support: docs/support.rst
README
# Python Library for querying OSS Index
----
This OSSIndex module for Python provides a common interface for querying the [OSS Index](https://ossindex.sonatype.org/).
This module is not designed for standalone use. If you're looking for a tool that can detect your application's dependencies
and assess them for vulnerabilities against the OSS Index, check out
[Jake](https://github.com/sonatype-nexus-community/jake).
You can of course use this library in your own applications.
## Installation
Install from pypi.org as you would any other Python module:
```
pip install ossindex-lib
```
## Usage
First create an instance of `OssIndex`, optionally enabling local caching:
```
o = OssIndex()
```
Then supply a `List` of [PackageURL](https://github.com/package-url/packageurl-python) objects that you want to ask
OSS Index about. If you don't want to generate this list yourself, look at a tool like [Jake](https://github.com/sonatype-nexus-community/jake),
which uses this library and will do all the hard work for you!
As a quick test, you could run:
```
from typing import List

from ossindex.ossindex import OssIndex, PackageURL
from ossindex.model import OssIndexComponent, Vulnerability

o = OssIndex()
# Ask OSS Index about one coordinate; the call accepts a list, so batch as needed
results: List[OssIndexComponent] = o.get_component_report(packages=[
    PackageURL.from_string(purl='pkg:pypi/pip@23.1.2')
])
for r in results:
    print("{}: {} known vulnerabilities".format(r.coordinates, len(r.vulnerabilities)))
    v: Vulnerability
    for v in r.vulnerabilities:
        print(' - {}'.format(str(v)))
```
... which would output something like ...
```
pkg:pypi/pip@23.1.2: 1 known vulnerabilities
-
```
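As an added example (not code from ossindex-lib or its README), the following shows the work that usually sits around the call above when this library is used as a CI gate: turning a pinned `requirements.txt` into `pkg:pypi` purl strings, batching them, and failing the build on any component whose report carries a vulnerability at or above a CVSS threshold. In the live flow the purl strings go through `PackageURL.from_string(...)` into `OssIndex().get_component_report(...)` as shown above; to keep this runnable offline, the report here is a constructed stand-in assumed to follow the OSS Index REST component-report JSON shape (`coordinates`, `vulnerabilities[].id`, `vulnerabilities[].cvssScore`), the batch size of 128 is an assumption to check against the current API documentation, and every package name and vulnerability id in the sample data is made up.

```python
"""Added example, not part of ossindex-lib: pinned requirements -> purls -> CVSS policy gate."""
import re
from typing import Dict, Iterable, List, Tuple

# A pinned requirement: name, optional [extras], '==' operator, version,
# optionally followed by an environment marker (';') or a comment ('#').
_PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)")


def pypi_purl(name: str, version: str) -> str:
    """Build a pkg:pypi purl. The purl spec lowercases PyPI names and maps '_' to '-'."""
    return "pkg:pypi/{}@{}".format(name.lower().replace("_", "-"), version)


def requirements_to_purls(lines: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Return (purls, skipped). Only exact pins can be looked up; anything else
    (ranges, VCS URLs, editable installs) is handed back so the caller can report it."""
    purls: List[str] = []
    skipped: List[str] = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        match = _PIN.match(line)
        if match:
            purls.append(pypi_purl(match.group(1), match.group(2)))
        else:
            skipped.append(line)
    return purls, skipped


def chunked(items: List[str], size: int = 128) -> List[List[str]]:
    """Split coordinates into request-sized batches. OSS Index caps coordinates per
    request; 128 is an assumption here, check the API documentation before relying on it."""
    return [items[i:i + size] for i in range(0, len(items), size)]


def failing_components(report: List[Dict], min_cvss: float = 7.0) -> Dict[str, List[str]]:
    """Map coordinates -> ids of vulnerabilities scoring at or above min_cvss.
    `report` is assumed to be the OSS Index component-report JSON shape:
    [{"coordinates": str, "vulnerabilities": [{"id": str, "cvssScore": float|None}]}].
    A missing or null cvssScore is treated as 0.0 so it never silently passes a high bar."""
    failing: Dict[str, List[str]] = {}
    for component in report:
        hits = [v["id"] for v in component.get("vulnerabilities", [])
                if float(v.get("cvssScore") or 0.0) >= min_cvss]
        if hits:
            failing[component["coordinates"]] = hits
    return failing


# Constructed sample input (not a real project's requirements).
SAMPLE_REQUIREMENTS = [
    "# pinned build",
    "Requests==2.31.0",
    "Django[argon2]==4.2 ; python_version >= '3.8'",
    "some_lib==1.0.0  # trailing comment",
    "flask>=2.0",
]

# Constructed stand-in for what OSS Index would return for the purls above;
# the ids and scores are made up for the example.
SAMPLE_REPORT = [
    {"coordinates": "pkg:pypi/requests@2.31.0", "vulnerabilities": []},
    {"coordinates": "pkg:pypi/django@4.2",
     "vulnerabilities": [{"id": "EXAMPLE-0001", "cvssScore": 7.5},
                         {"id": "EXAMPLE-0002", "cvssScore": 4.3}]},
    {"coordinates": "pkg:pypi/some-lib@1.0.0",
     "vulnerabilities": [{"id": "EXAMPLE-0003", "cvssScore": None}]},
]

if __name__ == "__main__":
    purls, skipped = requirements_to_purls(SAMPLE_REQUIREMENTS)
    print("coordinates to query:", purls)
    print("not pinned, not queried:", skipped)
    # Live flow (network, needs ossindex-lib): for batch in chunked(purls):
    #     OssIndex().get_component_report(packages=[PackageURL.from_string(p) for p in batch])
    print("policy failures:", failing_components(SAMPLE_REPORT))
```

The unpinned entries are returned rather than dropped on purpose: a gate that silently skips `flask>=2.0` reports a clean build for a dependency it never checked, so the caller should either fail on a non-empty `skipped` list or resolve the environment to exact pins (e.g. `pip freeze`) before querying.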
## Logging
This library sends log events to a standard Python `logger` named `ossindex`. You can configure the logger to output as
required through the standard [Python logging configuration](https://docs.python.org/3/library/logging.config.html).
## Todos
1. Support authentication against OSS Index
## Python Support
We endeavour to support all functionality for all [current actively supported Python versions](https://www.python.org/downloads/).
However, some features may not be possible/present in older Python versions due to their lack of support.
## Changelog
See our [CHANGELOG](./CHANGELOG.md).
## The Fine Print
Remember:
It is worth noting that this is **NOT SUPPORTED** by Sonatype, and is a contribution of ours to the open source
community (read: you!)
* Use this contribution at the risk tolerance that you have
* Do NOT file Sonatype support tickets related to `ossindex-lib`
* DO file issues here on GitHub, so that the community can pitch in
Phew, that was easier than I thought. Last but not least of all - have fun!