Analyzer

The analyzer is a Software Composition Analysis (SCA) tool that determines the dependencies of software projects inside the specified input directory (-i). It does so by querying the detected package managers; no modifications to your existing project source code, like applying build system plugins, are necessary for that to work. The tree of transitive dependencies per project is written out as part of an OrtResult in YAML (or JSON, see -f) format to a file named analyzer-result.yml in the specified output directory (-o). The output file exactly documents the status quo of all package-related metadata. It can be further processed or manually edited before passing it to one of the other tools.

Currently, the following package managers (grouped by the programming language they are most commonly used with) are supported:

• C / C++
  • Bazel (experimental) (limitations: see open tasks)
  • Conan
  • Also see: SPDX documents
• Dart / Flutter
  • Pub
• Go
  • GoMod
• Haskell
  • Stack
• Java
  • Gradle
  • Maven (limitations: default profile only)
• JavaScript / Node.js
  • Bower
  • NPM (limitations: no peer dependencies)
  • PNPM (limitations: no peer dependencies)
  • Yarn 1
  • Yarn 2+
• .NET
  • DotNet (limitations: no floating versions / ranges, no target framework)
  • NuGet (limitations: no floating versions / ranges, no target framework)
• Objective-C / Swift
  • Carthage (limitation: no cartfile.private)
  • CocoaPods (limitations: no custom source repositories)
  • SwiftPM
• PHP
  • Composer
• Python
  • PIP
  • Pipenv
  • Poetry
• Ruby
  • Bundler (limitations: restricted to the version available on the host)
• Rust
  • Cargo
• Scala
  • SBT
• Unmanaged
  • This is a special "package manager" that manages all files that cannot be associated with any of the other package managers.

If another package manager that is not part of the list above is used (or no package manager at all), the generic fallback to SPDX documents can be leveraged to describe projects or packages.