Note:
⚠️ If you're interested in Software Bill of Materials, you might also look into Bompare
Extracts dependencies from the source.csv artifact of tool detect from BlackDuck (Synopsis). Optionally, adds information on the licenses.
Outputs the following files:
- dependencies_from_source.json contains the direct and transient (transitive) dependencies, in a reference format. This reference format is a JSON file containing arrays of objects with keys name and version. It contains unique objects by the combination name and version
- exactMatches_from_source.json contains the dependencies that are marked as 'Exact' match type in Blackduck, meaning that they were identified as a dependency based on matching file and/or folder structures.
- dependencies_with_licenses.json - (optional) contains the direct and transitive dependencies, along with their licenses. Contains an array of Json objects with keys name, version, licenses.
It is important to mention that we chose to extract dependencies from the source.csv file instead of the components.csv file generated by Blackduck because we are interested in reporting on the actual dependencies, not on their grouping or aliasing to logical components as defined by BlackDuck. The license information is (optionally) read from the components.csv file.
1.0.3, see CHANGELOG.md
- currently supporting versions 5.2.0 and 5.6.1 of Detect
- tested with Detect output as generated by scanning projects of the following technologies:
- Java
- Javascript
- you should have Node installed (this script was tested with node v12.2.0)
- you should have yarn installed (we used version v1.19.0)
yarn extract-from-source [options]
| Flag | Alias | Functionality |
|---|---|---|
| --input [filename] | -i | (mandatory) Filename of the Detect source csv file to extract dependencies from. |
| --licenses [filename] | (optional) Filename to which the list of dependencies with licenses is written (json format). If the file already exists, it will be overwritten. Default value: dependencies_with_licenses.json | |
| --output [filename] | -o | (optional) Filename to which the list of dependencies (name+version) is written (json format). If the file already exists, it will be overwritten. Default value: dependencies_from_source.json |
| --detect [value] | -d | (optional) Version of the synopsis detect tool that was used to generate the input source csv file. One of values in: [5.2.0, 5.6.1]. Defaults to 5.6.1 |
| --separator [value] | -s | (optional) The character which separates the dependency name from its version in column Origin name id from the input fil. Defaults to /. Known values for the separator: / for Javascript, : for Java |
| --verbose | Verbose output of commands and errors | |
| --help | -h | Displays usage information |
| --version | -v | Displays version number |
yarn extract-from-source -i ./testData/valid_source_detect_5_6_1.csv
yarn extract-from-source -i ./testData/valid_source_detect_5_6_1.csv --separator /
yarn extract-from-source -i ./testData/valid_source_detect_5_6_1_nameVersionSeparatedByColumn.csv --separator :
yarn extract-from-source -i ./testData/valid_source_detect_5_6_1.csv --licenses ./testData/valid_components_detect_5_6_1.csv
- Javascript
- This software is intended to be used standalone, as a command-line tool
Get the sources locally; in a command line, go to the root folder of this project and execute:
yarn install
yarn test
or
yarn coverage
Automatically enabled: standard
yarn lint
See CODEOWNERS
See MAINTAINERS.md
See CONTRIBUTING.md
See LICENSE.md
Sanda Contiu
- dependencies
- licenses
- detect
- blackduck
- black duck
- synopsys
- extract
- retrieve