Analyzer

The analyzer is a Software Composition Analysis (SCA) tool that determines the dependencies of software projects inside the specified version-controlled input directory (-i). It is the only mandatory tool to run from ORT as its output is the input for all other tools. Analysis works by querying the detected package managers; no modifications to your existing project source code, like applying build system plugins, are necessary for that to work if the following preconditions are met:

• All projects use one of the package managers listed below in a reasonably recent version, and they are configured according to common best practices.
• All projects can be built in a single step out-of-the-box, without any custom configuration being set, like build system properties or environment variables.

The tree of transitive dependencies per project is written out as part of an OrtResult in YAML (or JSON, see -f) format to a file named analyzer-result.yml in the specified output directory (-o). The output file exactly documents the status quo of all package-related metadata. It can be further processed or manually edited before passing it to one of the other tools.

Currently, the following package managers (grouped by the programming language they are most commonly used with) are supported:

• C / C++
  • Bazel (experimental) (limitations: see open tasks)
  • Conan 1.x
  • Also see: SPDX documents
• Dart / Flutter
  • Pub
• Go
  • GoMod
• Haskell
  • Stack
• Java
  • Gradle
  • Maven (limitations: default profile only)
• JavaScript / Node.js
  • Bower
  • NPM (limitations: no peer dependencies)
  • PNPM (limitations: no peer dependencies)
  • Yarn 1
  • Yarn 2+
• .NET
  • DotNet (limitations: no floating versions / ranges, no target framework)
  • NuGet (limitations: no floating versions / ranges, no target framework)
• Objective-C / Swift
  • Carthage (limitation: no cartfile.private)
  • CocoaPods (limitations: no custom source repositories)
  • SwiftPM
• PHP
  • Composer
• Python
  • PIP
  • Pipenv
  • Poetry
• Ruby
  • Bundler (limitations: restricted to the version available on the host)
• Rust
  • Cargo
• Scala
  • SBT
• Unmanaged
  • This is a special "package manager" that manages all files that cannot be associated with any of the other package managers.

If another package manager that is not part of the list above is used (or no package manager at all), the generic fallback to SPDX documents can be leveraged to describe projects or packages.