
A suite of CLI tools to automate software compliance checks.
Also available as a server.

docker run ghcr.io/oss-review-toolkit/ort --help

ORT Toolchain

The OSS Review Toolkit (ORT) is a set of tools that work together to help you manage and analyze your software projects. It provides a comprehensive solution for Software Composition Analysis (SCA), license compliance, vulnerability management, and more, helping you to manage the risks in your software supply chain.

Analyzer

Find dependencies

Scanner

Scan source code

Advisor

Find vulnerabilities

Evaluator

Apply policy rules

Reporter

Generate reports

Each tool in the ORT toolchain has a specific role, and you can use them individually or together to achieve your goals. The tools are designed to be modular and can be integrated into your existing workflows, whether you are working on a small project or a large enterprise application.

For more information on how to use these tools, check out the documentation.

Analyzer

The Analyzer is a Software Composition Analysis (SCA) tool that identifies the dependencies of your projects, and gathers information about them, such as licenses, copyrights, and source code locations.

  • Support for more than 20 package managers, including Bazel, Cargo, Gradle, Maven, npm, PIP, pnpm, Yarn, and many more.
  • Works out of the box with most project setups; no configuration changes or custom plugins are needed.
  • Support for package metadata curations, either self-written or sourced from public repositories like ClearlyDefined.
  • Dependencies are identified by scope to easily separate build, test, and runtime dependencies.

The Analyzer is the first step in the ORT toolchain, and its output is used by all other tools.

docker run ghcr.io/oss-review-toolkit/ort analyze --help

Downloader

The Downloader fetches the source code of your dependencies, so that it can be scanned for licenses, copyrights, and snippets.

  • Supports fetching source code from various sources, including Git, Mercurial, SVN, and Git-Repo repositories, and source code artifacts.
  • Can be used to build source code bundles to archive the source code of your dependencies.
  • Supports recursive cloning of Git submodules.

docker run ghcr.io/oss-review-toolkit/ort download --help

Scanner

The Scanner integrates third-party source code scanners to gather information about licenses, copyrights, and snippets in the source code of your projects and their dependencies.

  • Automatically downloads the required source code; there is no need to run the Downloader manually.
  • Scan results can be stored for later reuse to avoid re-scanning the same source code.
  • Built-in and configurable mapping of arbitrary licenses to SPDX license IDs.

docker run ghcr.io/oss-review-toolkit/ort scan --help

Advisor

The Advisor integrates various vulnerability providers to gather information about known vulnerabilities in your dependencies.

  • Support for several vulnerability providers, including OSV and VulnerableCode.
  • Found vulnerabilities that do not apply to your project can be marked as resolved so that they do not clutter the vulnerability report.

docker run ghcr.io/oss-review-toolkit/ort advise --help

Evaluator

The Evaluator provides a scriptable rule engine to evaluate the gathered data against custom policy rules.

  • Policy rules can use any data gathered by ORT, including license, copyright, and vulnerability information.
  • Provides a built-in rule set based on the OSADL License Compatibility Matrix.
  • Rule sets are implemented in Kotlin.

docker run ghcr.io/oss-review-toolkit/ort evaluate --help

Reporter

The Reporter generates various reports based on the data gathered by the ORT toolchain.

  • Generates CycloneDX and SPDX Software Bills of Materials (SBOMs).
  • Provides a template reporter based on Freemarker to generate custom reports in various formats, such as HTML, Markdown, and PDF. Templates for notice files, disclosure documents, and vulnerability reports are included.
  • Can build a web application in a single HTML file to visualize the gathered data.

docker run ghcr.io/oss-review-toolkit/ort report --help