Open Source Software Auditor

Simple, opinionated tool to compile a list of the open source software in use in a project. Each library is listed together with its licenses and links, ready to be audited.

Useful features:

• No dependencies, can be ran anywhere
• Does not require any package manager nor for the code to work or be installed
• Output can be in JSON or CSV format
• Scans for nested packages
• Accepts an override file to programmatically amend results

Can be installed with

$ gem install oss_audit

A useful help screen will be displayed if launched with no arguments.

Run as

$ oss_audit [options] <dir1> ... <dirN>

Output is printed on STDOUT and can be easily redirected using >. Informative logging is sent to STDERR.

A more complete example is

$ oss_audit -f csv -o overrides.json pj/serviceA pj/serviceB > libs.csv

Not all libraries specify the license or useful links in their configuration files. Instead of manually fixing that after the fact, create an override file in JSON and pass it as argument to the tool, e.g.,

[
  { "manager":"Bundler", "name":"barnes", "licenses":["MIT"] },
  { "manager":"Yarn", "name":"sinon", "homepage":"https://sinonjs.org/" }
]

Package Managers currently supported:

• Bundler
• Yarn / NPM (anything with package.json)

Adding others is trivial, look in lib/oss_audit/managers for examples.

Currently ignores version numbers but that too can be easily added.

Bug reports and pull requests are welcome on GitHub at https://github.com/alessio-signorini/oss_audit.

The gem is available as open source under the terms of the MIT License.