Project

spandx

0.01
No commit activity in last 3 years
No release in over 3 years
Spandx is a ruby API for interacting with the spdx.org software license catalogue. This gem includes a command line interface to scan a software project for the software licenses that are associated with each dependency in the project. Spandx also allows you to hook additional information for each dependency found. For instance, you can add plugin to Spandx to find and report vulnerabilities for the dependencies it found.
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
 Dependencies

Development

~> 11.1
~> 2.8
~> 13.0
~> 3.0
~> 0.52
~> 1.3
~> 6.0
~> 3.7

Runtime

>= 1.16, < 3.0.0
~> 1.10
~> 3.10
~> 2.0
>= 0
~> 2.3
~> 0.1
 Project Readme

Spandx

Logo courtesy of @speasley

Spandx badge

A Ruby API for interacting with the https://spdx.org software license catalogue. This gem includes a command line interface to scan a software project for the software licenses that are associated with each dependency in the project. spandx leverages an offline cache of software licenses for known dependencies. The offline cache allows Spandx to perform an air gap friendly scan of software projects.

Supported project types

Spandx can work with following language's package managers. It utilises lock files generated by package managers to find dependencies.

Language Package Manager Tested in
Ruby bundler 1.17.3
Js Npm 6.13.4
Js Yarn 1.19.1
Python Pypi(pipenv) v2018.11.26
C# nuget <>
Java Maven 3.6.3
Php Composer 1.10.5

Installation

Add this line to your application's Gemfile:

gem 'spandx'

And then execute:

$ bundle

Or install it yourself as:

$ gem install spandx

Usage

Command line interface

The command line interface supports operations to fetch the latest pre-built cache. See the help for each subcommand for more information on how to use the command.

モ spandx
Commands:
  spandx help [COMMAND]      # Describe available commands or one specific command
  spandx scan LOCKFILE       # Scan a lockfile and list dependencies/licenses
  spandx version             # spandx version

To scan a specific project file use the scan command:

モ spandx scan dotnet/application.sln
モ spandx scan java/pom.xml
モ spandx scan python/Pipfile.lock
モ spandx scan ruby/Gemfile.lock

To activate air gap mode use the --airgap option:

モ spandx scan dotnet/application.sln --airgap
モ spandx scan ruby/Gemfile.lock --airgap

Air gap mode assumes that an offline cache has been placed in $HOME/.local/share/.

To fetch the latest offline cache:

モ spandx pull

Ruby API

To fetch the latest version of the catalogue data from SPDX.

catalogue = Spandx::Spdx::Catalogue.latest
catalogue.each do |license|
  puts license.inspect
end

To load an offline copy of the data.

path = File.join(Dir.pwd, 'licenses.json')
catalogue = Spandx::Spdx::Catalogue.from_file(path)
catalogue.each do |license|
  puts license.inspect
end

Development

After checking out the repo, run bin/setup to install dependencies. Then, run bin/test to run the tests. You can also run bin/console for an interactive prompt that will allow you to experiment.

To install this gem onto your local machine, run bundle exec rake install. To release a new version, update the version number in version.rb, and then run bundle exec rake release, which will create a git tag for the version, push git commits and tags, and push the .gem file to rubygems.org.

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/spandx/spandx.

License

The gem is available as open source under the terms of the MIT License.