Note: ⚠️ If you're interested in Software Bill of Materials, you might also look into Bompare.
Extracts dependencies from the inventory report JSON artifact produced by the Whitesource tool.
Outputs the following file(s):
- dependencies.json contains the dependencies extracted from the inventory file, in a reference format: a JSON array of objects with the keys name and version. Objects are unique by the combination of name and version.
- (optional, only if the licenses flag was set) dependencies_with_extended_info.json contains the dependencies extracted from the inventory file in an extended reference format, which includes an array of licenses for each dependency besides the dependency name and version.
The Whitesource inventory report is expected to contain the keys name and version for every element in the inventory. If the option to read the dependency name from the groupId is set, then the groupId key is also expected in the inventory file. If the licenses flag is present, then the inventory report is expected to additionally contain the key licenses.
The version in the output file matches the version in the Whitesource inventory report. The dependency name in the output file is by default derived from the name and version fields in the inventory report, and can optionally be derived from the groupId instead, as shown in the following examples:
| Name in Whitesource | Version in Whitesource | GroupId in Whitesource | Name in output (derived from Name) | Name in output (derived from GroupId) | Version in output |
|---|---|---|---|---|---|
| json-schema-0.2.3.tgz | 0.2.3 | json-schema | json-schema | json-schema | 0.2.3 |
| annotations-13.0.jar | 13.0 | org.jetbrains | annotations | org.jetbrains | 13.0 |
| io.js | v0.9.2 | iojs | io.js | iojs | v0.9.2 |
| webassemblyjs-wasm-parser-1.7.10.tgz | | | webassemblyjs-wasm-parser-1.7.10.tgz | webassemblyjs-wasm-parser-1.7.10.tgz | |
| some-dependency-name-0.0.1.tgz | 0.0.1 | | some-dependency-name | some-dependency-name | 0.0.1 |
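The name-derivation rules in the table above, re-implemented as an added example (this is not the project's own code). It assumes the inventory report is a JSON array of entries with the keys name, version, groupId and licenses as the README describes (a wrapper object with a `libraries` array is also accepted, which is an assumption about the report shape), that licenses are listed as objects with a `name` key or as plain strings (an assumption), and that, when groupId is missing, the groupId-derived name falls back to the name-derived value, which is what the last two rows of the table suggest. The sample inventory is constructed from the table rows, including a duplicate entry to show the name+version de-duplication.

```javascript
// Added example: minimal re-implementation of the README's extraction rules.
// Not the project's own code; input shape and fallbacks are assumptions (see lead-in).

// Derive the output name from the Whitesource "name" field by cutting off the
// "-<version>" suffix and whatever follows it (e.g. the archive extension).
// Names that do not embed the version (io.js, or entries with no version)
// are returned unchanged, matching the README's table.
function nameFromWhitesourceName (name, version) {
  if (!version) return name
  const idx = name.indexOf('-' + version)
  return idx > 0 ? name.slice(0, idx) : name
}

// Derive the output name from groupId. Assumption: fall back to the
// name-derived value when the inventory entry has no groupId.
function nameFromGroupId (entry) {
  return entry.groupId || nameFromWhitesourceName(entry.name, entry.version)
}

// Assumption: licenses are objects with a "name" key or plain strings.
// A missing licenses key yields an empty array rather than an error.
function licenseNames (entry) {
  return (entry.licenses || [])
    .map(l => (typeof l === 'string' ? l : l && l.name))
    .filter(Boolean)
}

// Accept either a bare JSON array or a wrapper object with a "libraries"
// array (assumed wrapper key); anything else is rejected instead of guessed at.
function parseInventoryReport (jsonText) {
  const report = JSON.parse(jsonText)
  if (Array.isArray(report)) return report
  if (report && Array.isArray(report.libraries)) return report.libraries
  throw new Error('unrecognised inventory report shape')
}

// Produce the reference format (name+version, unique by that pair) or, with
// licenses: true, the extended format carrying an array of license names.
function extractDependencies (inventory, { useGroup = false, licenses = false } = {}) {
  const seen = new Map() // key "name@version" -> output object
  for (const entry of inventory) {
    if (typeof entry.name !== 'string') throw new Error('inventory entry without a name key')
    const name = useGroup ? nameFromGroupId(entry) : nameFromWhitesourceName(entry.name, entry.version)
    const version = entry.version // kept exactly as reported
    const key = `${name}@${version === undefined ? '' : version}`
    if (!seen.has(key)) {
      seen.set(key, licenses ? { name, version, licenses: [] } : { name, version })
    }
    if (licenses) {
      const dep = seen.get(key)
      for (const l of licenseNames(entry)) if (!dep.licenses.includes(l)) dep.licenses.push(l)
    }
  }
  return Array.from(seen.values())
}

// Constructed sample inventory based on the README's table (not a real report).
const SAMPLE_INVENTORY = [
  { name: 'json-schema-0.2.3.tgz', version: '0.2.3', groupId: 'json-schema', licenses: [{ name: 'BSD 3' }, { name: 'AFL 2.1' }] },
  { name: 'annotations-13.0.jar', version: '13.0', groupId: 'org.jetbrains', licenses: [{ name: 'Apache 2.0' }] },
  { name: 'io.js', version: 'v0.9.2', groupId: 'iojs', licenses: ['MIT'] },
  { name: 'webassemblyjs-wasm-parser-1.7.10.tgz' },
  { name: 'some-dependency-name-0.0.1.tgz', version: '0.0.1', licenses: [{ name: 'MIT' }] },
  { name: 'json-schema-0.2.3.tgz', version: '0.2.3', groupId: 'json-schema', licenses: [{ name: 'BSD 3' }] } // duplicate
]

// Render both output files the way the tool would write them.
function renderOutputs (inventory, useGroup) {
  return {
    'dependencies.json': JSON.stringify(extractDependencies(inventory, { useGroup }), null, 2),
    'dependencies_with_extended_info.json': JSON.stringify(extractDependencies(inventory, { useGroup, licenses: true }), null, 2)
  }
}

console.log(renderOutputs(parseInventoryReport(JSON.stringify(SAMPLE_INVENTORY)), false)['dependencies.json'])
```

Running the block prints the five unique name+version pairs; switching `useGroup` to true reproduces the "Name in output (derived from GroupId)" column of the table.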
0.0.3, see CHANGELOG.md
- tested with Whitesource output (version 19.11.1.190) as generated by scanning projects of the following technologies:
  - Java
  - Javascript
- you should have Node installed (this script was tested with node v12.2.0)
- you should have yarn installed (we used version v1.19.0)
`yarn extract [options]`
| Flag | Alias | Functionality |
|---|---|---|
| --input [filename] | -i | (mandatory) Filename of the Whitesource inventory report file to extract dependencies from. |
| --licenses | | (optional) Flag to signal whether to additionally extract license names from the Whitesource inventory report (to the output file dependencies_with_extended_info.json). |
| --usegroup | | (optional) Flag to signal whether to extract the name of dependencies from the groupId key. If this flag is not set or is false, then dependency names are inferred from the name key. |
| --output [filename] | -o | (optional) Filename to which the list of dependencies (name+version) is written (JSON format). If the file already exists, it will be overwritten. Default value: dependencies.json |
| --verbose | | (optional) Verbose output of commands and errors |
| --help | -h | (optional) Displays usage information |
| --version | -v | (optional) Displays version number |
To determine the dependency name from the name key:
`yarn extract -i ./sampleData/sampleInput.json`
To extract license information as well:
`yarn extract -i ./sampleData/sampleInput.json --licenses`
To determine the dependency name from the groupId key:
`yarn extract -i ./sampleData/sampleInput.json --usegroup`
To determine the dependency name from the groupId key and get the license information as well:
`yarn extract -i ./sampleData/sampleInput.json --usegroup --licenses`
- Javascript
- This software is intended to be used standalone, as a command-line tool
Get the sources locally; in a command line, go to the root folder of this project and execute:
`yarn install`
`yarn test`
or
`yarn coverage`
Linting with standard is automatically enabled:
`yarn lint`
See CODEOWNERS
See MAINTAINERS.md
See CONTRIBUTING.md
See LICENSE.md
Sanda Contiu
- dependencies
- sbom
- software bill of material
- whitesource
- extract
- retrieve
- licenses