npm-spdx is a Go program that queries the NPM API to gather declared license
information for dependencies from a package.json manifest. It generates an
SPDX document containing that information and the
corresponding subdependency relationships.
See the examples directory for a quick usage example.
Compile with go build, then:
You will need the package.json file for your NPM-based project, as well as the
corresponding package-lock.json file (to determine which specific versions of
which subdependencies were installed).
Then, retrieve the declared dependency license info by calling npm-spdx retrieve:
./npm-spdx retrieve <PACKAGE.JSON> <PACKAGE-LOCK.JSON> <RESULTS.JSON>
This will pull the results and save them to the file specified in
<RESULTS.JSON>, which will be used in the next steps.
Now, generate the SPDX document by calling npm-spdx spdx:
./npm-spdx spdx <RESULTS.JSON> <OUTPUT.SPDX>
This will read in the results.json file you obtained from Step 1, and process
it into an SPDX version 2.1 document that will be saved to the file specified in
<OUTPUT.SPDX>.
You can also optionally process the results into a JSON file with dependencies
categorized by license expression. The resulting JSON file might be easier to
use for certain policy or automation processes. You can generate this by calling
npm-spdx report:
./npm-spdx report <RESULTS.JSON> <SUMMARY.JSON>
This will read in the results.json file you obtained from Step 1, and process
it into a JSON file that will be saved to the file specified in
<SUMMARY.JSON>.
npm-spdx is available under the Apache License, version 2.0.
Copyright The Linux Foundation and npm-spdx contributors.
SPDX-License-Identifier: Apache-2.0