npm-spdx is a Go program that queries the NPM API to gather declared license information for dependencies from a package.json manifest. It generates an SPDX document containing that information and the corresponding subdependency relationships.

See the examples directory for a quick usage example.
Compile with `go build`, then:

Step 1: You will need the package.json file for your NPM-based project, as well as the corresponding package-lock.json file (to determine which specific versions of which subdependencies were installed). Then, retrieve the declared dependency license info by calling `npm-spdx retrieve`:

    ./npm-spdx retrieve <PACKAGE.JSON> <PACKAGE-LOCK.JSON> <RESULTS.JSON>

This will pull the results and save them to the file specified in <RESULTS.JSON>, which will be used in the next steps.

Step 2: Now, generate the SPDX document by calling `npm-spdx spdx`:

    ./npm-spdx spdx <RESULTS.JSON> <OUTPUT.SPDX>

This will read in the results.json file you obtained from Step 1, and process it into an SPDX version 2.1 document that will be saved to the file specified in <OUTPUT.SPDX>.

Step 3 (optional): You can also process the results into a JSON file with dependencies categorized by license expression. The resulting JSON file might be easier to use for certain policy or automation processes. You can generate this by calling `npm-spdx report`:

    ./npm-spdx report <RESULTS.JSON> <SUMMARY.JSON>

This will read in the results.json file you obtained from Step 1, and process it into a JSON file that will be saved to the file specified in <SUMMARY.JSON>.
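The following Go program is an added example, not part of npm-spdx itself, illustrating the two ideas behind the workflow above: reading the installed versions of every subdependency out of a (lockfile-v1) package-lock.json, and grouping those packages by declared license expression the way the report step does. The lock file fragment and the license map are constructed for the example; the license map stands in for the data that `npm-spdx retrieve` would fetch from the registry, and `FlattenLock` / `SummarizeByLicense` are names chosen here, not functions of the project. A package with no declared license is filed under the SPDX value `NOASSERTION` so it is not silently dropped from a policy review.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// lockEntry mirrors the fields of a lockfile-v1 "dependencies" entry that
// matter here: the resolved version and any nested dependencies installed
// under this package's own node_modules directory.
type lockEntry struct {
	Version      string               `json:"version"`
	Dependencies map[string]lockEntry `json:"dependencies"`
}

// lockFile is the subset of package-lock.json this example reads.
type lockFile struct {
	Name         string               `json:"name"`
	Dependencies map[string]lockEntry `json:"dependencies"`
}

// sampleLock is a constructed package-lock.json fragment (not from a real project).
const sampleLock = `{
  "name": "example-app",
  "lockfileVersion": 1,
  "dependencies": {
    "left-pad": { "version": "1.3.0" },
    "request": {
      "version": "2.88.2",
      "requires": { "qs": "~6.5.2" },
      "dependencies": {
        "qs": { "version": "6.5.2" }
      }
    }
  }
}`

// sampleLicenses stands in for the declared-license data the retrieve step
// would fetch from the registry; the values are constructed for this example.
// qs@6.5.2 is deliberately absent to show how a missing declaration is reported.
var sampleLicenses = map[string]string{
	"left-pad@1.3.0": "WTFPL",
	"request@2.88.2": "Apache-2.0",
}

// FlattenLock walks the (possibly nested) dependency tree of a lockfile-v1
// package-lock.json and returns every installed package as "name@version",
// sorted, with duplicates removed.
func FlattenLock(data []byte) ([]string, error) {
	var lf lockFile
	if err := json.Unmarshal(data, &lf); err != nil {
		return nil, fmt.Errorf("parsing package-lock.json: %w", err)
	}
	seen := map[string]bool{}
	var walk func(deps map[string]lockEntry)
	walk = func(deps map[string]lockEntry) {
		for name, e := range deps {
			seen[name+"@"+e.Version] = true
			walk(e.Dependencies) // nested node_modules; nil map is fine to range over
		}
	}
	walk(lf.Dependencies)
	out := make([]string, 0, len(seen))
	for k := range seen {
		out = append(out, k)
	}
	sort.Strings(out)
	return out, nil
}

// SummarizeByLicense groups installed packages by declared license expression.
// Packages with no declared license go under "NOASSERTION".
func SummarizeByLicense(pkgs []string, licenses map[string]string) map[string][]string {
	summary := map[string][]string{}
	for _, p := range pkgs {
		lic, ok := licenses[p]
		if !ok || lic == "" {
			lic = "NOASSERTION"
		}
		summary[lic] = append(summary[lic], p)
	}
	for _, v := range summary {
		sort.Strings(v)
	}
	return summary
}

func main() {
	pkgs, err := FlattenLock([]byte(sampleLock))
	if err != nil {
		panic(err)
	}
	summary := SummarizeByLicense(pkgs, sampleLicenses)
	out, err := json.MarshalIndent(summary, "", "  ")
	if err != nil {
		panic(err)
	}
	fmt.Println(string(out))
}
```

Running it prints a JSON object keyed by license expression; the `NOASSERTION` bucket is the one worth checking first in a review, since it lists packages whose license the registry metadata did not declare.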
npm-spdx is available under the Apache License, version 2.0.
Copyright The Linux Foundation and npm-spdx contributors.
SPDX-License-Identifier: Apache-2.0