Skip to content
This repository has been archived by the owner on May 5, 2021. It is now read-only.

The OSS Attribution Builder is a website that helps teams create attribution documents (notices, "open source screens", credits, etc) commonly found in software products.



Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time

OSS Attribution Builder

Build Status

OSS Attribution Builder is a website that helps teams create attribution documents for software products. An attribution document is a text file, web page, or screen in just about every software application that lists the software components used and their licenses. They're often in the About screens, and are sometimes labeled "Open Source Notices", "Credits", or other similar jargon.



  1. Install Docker
  2. Clone this repository
  3. Run docker-compose up
  4. Visit http://localhost:8000/
    • The demo uses HTTP basic auth. Enter any username and password. Use admin to test out admin functionality.

Using the Website

See documentation:


The attribution builder was originally an Amazon-internal tool. Some portions had to be removed to make this a sensible open source project. As such, there are some warts:

  • Projects have contact lists, but at the moment the UI only supports one contact (the legal contact).

These will all be fixed in time, but be aware that some things might be weird for a while.

Custom deployment

If you're ready to integrate the attribution builder into your own environment, there are some things to set up:


Open up config/default.js and poke around. This configuration launches when you run docker-compose or otherwise launch the application.


The attribution builder has support for two types of license definitions:

  • SPDX identifiers
  • "Known" license texts and tags

SPDX identifiers are just used for pre-filling the license selector, but do not (currently) have texts. The more useful type of license is a "known" license, where you (the administrator) supply the text of the license and any tags you'd like to apply.

For information on adding your own "known" licenses, see the license README. There are two existing licenses in the same directory you can look at for examples.


Tags allow you to add arbitrary validation rules to a license. They can be useful for:

  • Verifying a license is being used in the right way (e.g., LGPL and how a package was linked)
  • Annotating a particular license as needing follow up, if your business has special processes
  • Providing guidance on attribution for licenses with many variants
  • Modifying the how a license is displayed in an attribution document

For information on what tags can do and how to create your own, see the tags README.


The attribution builder offers some form of extensions that allow you to alter client-side site behavior and appearance, without needing to patch internals. This can make upgrades easier.

See the extensions README for details.

Authentication module

The attribution builder supports being able to restrict access to certain people or groups using project ACLs. These can also be used for administration and to "verify" packages (details on that in a later section). The default implementation nullauth is not very useful for most environments; you will want to write your own when launching more broadly.

See the base auth interface for implementation details.


To start up the server, you should run build/server/localserver.js after building with npm run build. There are some environment variables you'll probably want to set when running:

  • NODE_ENV should most likely be set to production
  • CONFIG_NAME should be set to the basename (no extension) of your configuration file you created above. The default is "default".

The server runs in HTTP only. You probably want to put a thin HTTPS web server or proxy in front of it.


See CONTRIBUTING for information.


npm install and then npm run dev will get you off the ground for local development. This will start a Docker container for PostgreSQL, but will use a local copy of tsc, webpack, node, etc so you can iterate quickly.

Once things have started up, you can open This will automatically reload on browser changes, and the backend will also automatically restart on server-side changes.

Handy environment variables:

  • NODE_ENV: when unset or development, you'll get full source maps & debug logs
  • DEBUG_SQL: when set (to anything), this will show SQL queries on the terminal as they execute


npm test will run unit tests. These are primarily server focused.

npm run test-ui will run Selenium tests. You can set the environment variable SELENIUM_DRIVER if you want a custom driver -- by default, it'll try to use Chrome, and if that's not available it'll fall back to PhantomJS.

When debugging UI tests, it may be easier to change standalone-chrome to standalone-chrome-debug in docker-compose.selenium.yml, and then connect to the container via VNC (port 5900, password "secret"). Run the container and your tests separately:

  • docker-compose -f docker-compose.selenium.yml up --build
  • tsc && jasmine --stop-on-failure=true 'build/selenium/*.spec.js'

Tests failing for seemingly no reason? driver.sleep not working? Make sure your Jasmine timeout on your test is high enough.


The OSS Attribution Builder is a website that helps teams create attribution documents (notices, "open source screens", credits, etc) commonly found in software products.




Code of conduct

Security policy





No packages published