OpossumUI is a tool to
- discover open source software used in applications.
- review licenses.
- generate reports from an open source code scan.
- use of multiple scanners (open source and/or proprietary).
- currently integrates with OSS Review Toolkit and ScanCode.
- unified interface for browsing scanner evidence.
- simple navigation through the codebase’s file tree.
- create attributions for individual files or groups.
- A team performing audits for open source license compliance.
- Producing legal docs such as inventory (BOMs) and license conflicts that need to be remediated.
- OpossumUI can be used to visually inspect (QA) existing attributions, identify any false positives or incorrect attributions by manual selection and improve existing data.
- To aid M&A due diligence activities. OpossumUI can be used by acquirers for blind audits of intellectual property, since only compliance-relevant metadata is exposed in the app without the need to ever share the source code.
OpossumUI was developed with the goal to build a tool for managing and combining open source compliance data from different sources. While existing analysis tools for software compliance can provide good information, using multiple of such tools often leads to huge amounts of data due to an increased detection rate. Even though the results can be merged and noise can be filtered through automatic tools, final manual revisions are often necessary. So, OpossumUI was born: A light-weight app for review of compliance information for large codebases.
To integrate well with different analysis tools, different converters are provided to generate input files in json format that can be opened with OpossumUI. After completing the review process with OpossumUI, the information can be outputted in different formats.
To work with OpossumUI, an input file can be opened to visualize and edit license compliance data of a project. When opening an input file for the first time, an accompanying output file with the naming convention "[INPUT NAME]_attributions.json" is created in the same directory as the input file.
Result files (yaml / json) from the OSS Review Toolkit can be converted into OpossumUI input files via a custom
reporter. It uses metadata from the analyzer as well as scan results from the scanner. The implementation is in the
fork opossum-tool/oss-review-toolkit and the new reporter output
is called Opossum.
For details of the file format, see Contributing
The following software is required for the building process:
Clone the OpossumUI repo. E.g. run the following command in a terminal:
git clone git@github.com:opossum-tool/opossumUI.gitTo install dependencies and set up the working environment, run:
yarn installTo build for a single OS run either yarn ship-linux, yarn ship-mac or yarn ship-win. Important: wine must be
installed to build a Windows installer. To build for all three systems run yarn ship.
The built release(s) can be found under /release/linux_and_windows or /release/macOS
To build a Windows installer run yarn win-ship-win. Building of non-Windows version on Windows is currently not
supported.
WARNING: The repo has to be cloned with lf unix-style line ending.
Run the executable opossum-ui-0.1.0.AppImage
Run opossum-ui in opossum-ui-darwin-x64/.
Run opossum-ui Setup 0.1.0.exe to install the OpossumUI. Then open opossum-ui from the start menu.
For an in-depth explanation, read the Users's Guide.
In addition to the default output file, OpossumUI provides the following export options.
An SPDX document can be exported in the json and the yaml format through the Export ⟶ SPDX (yaml) and SPDX (json) option in the File menu.
These can be exported through the Export ⟶ Compact / Detailed component list option in the File menu. Both component list files contain a list of all attributions that are present in the project, including package name, version, copyright, license name and URL. In addition, the detailed component list is more comprehensive and includes the PURL and its subcomponents, as well as the license texts.
This can be exported through the Export ⟶ Follow-Up option in the File menu. Similar to the component list, it contains attributions with licenses flagged for legal review through the Follow-Up checkbox in the UI.
SPDX License Expressions are only partially supported at the moment. Currently, a license expression can only be entered as license name of a package. The full license text of the different licenses (e.g. GPL-2.0-only OR BSD-2-Clause) that apply should also be entered in the license text field.
Contributions to the project are welcome. See Contributing.
OpossumUI is licensed under Apache-2.0, documentation is licensed under CC0-1.0. For Contributions, we use the Developer Certificate of Origin (DCO) process via sign-offs in every commit, to help ensure licensing criteria are met.