Getting Started with OSS Review Toolkit's data

If you're already using the OSS Review Toolkit (ORT) project for analysing your dependencies, for instance to perform policy decisions based on them, you can import the data that ORT discovers directly into dependency-management-data, without necessarily needing to look at different tooling to produce data that dependency-management-data can consume.

Among the various output formats that ORT's reporter supports is the ability to produce CycloneDX and SPDX Software Bills of Materials (SBOMs). As noted in the Getting Started with SBOM data cookbook, several types of SBOM are supported by dependency-management-data.

Therefore, once you've processed your repositories, you can then export the results as an SBOM and utilise dependency-management-data's tooling to further visualise and report on the data, for instance flagging up advisories.

Generating data

First, we need to analyse a repository:

cd /path/to/a/repo
# it's recommended to pin the Docker images, instead of pulling :latest
# the repository is mounted at /app; results are written to ./out on the host
docker run -ti -v $PWD:/app ghcr.io/oss-review-toolkit/ort:latest analyze -f YAML -i /app -o /app/out

Once we've analysed it, we can then optionally scan the repository for further details:

# it's recommended to pin the Docker images, instead of pulling :latest
docker run -ti -v $PWD:/app ghcr.io/oss-review-toolkit/ort:latest scan --output-dir /app/out --ort-file /app/out/analyzer-result.yml

Finally, we can produce the SBOMs via the report commands:

# if you skipped the scan step, pass --ort-file /app/out/analyzer-result.yml instead
# as a CycloneDX SBOM (written to out/bom.cyclonedx.xml)
docker run -ti -v $PWD:/app ghcr.io/oss-review-toolkit/ort:latest report --output-dir /app/out --ort-file /app/out/scan-result.yml -f CycloneDx
# as an SPDX SBOM (written to out/bom.spdx.yml)
docker run -ti -v $PWD:/app ghcr.io/oss-review-toolkit/ort:latest report --output-dir /app/out --ort-file /app/out/scan-result.yml -f SpdxDocument

Consuming data

Once produced, the resulting SBOMs can then be imported using dmd import sbom, for instance:

dmd db init --db dmd.db
# whitespace added for readability only
# the SBOM paths point at the out/ directory the ORT reporter wrote to
dmd import sbom --db dmd.db \
  out/bom.cyclonedx.xml \
  --platform gitlab \
  --organisation tanna.dev \
  --repo dependency-management-data
# or
dmd import sbom --db dmd.db \
  out/bom.spdx.yml \
  --platform gitlab \
  --organisation tanna.dev \
  --repo dependency-management-data
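The two sections above (generating the SBOM with ORT, then consuming it with dmd) can be chained into one script. The following is an added example, not code from dependency-management-data or from ORT: it pins the ORT image via an environment variable (ORT_IMAGE, with a placeholder tag you must replace), makes the scan step optional and falls back to analyzer-result.yml when it was skipped, checks that the reporter actually produced the SBOM before importing it, and takes the dmd platform, organisation and repo from DMD_PLATFORM, DMD_ORG and DMD_REPO (all names and defaults here are assumptions).

```shell
#!/usr/bin/env sh
# Added example: ORT analyze -> optional scan -> report -> dmd import, in one go.
# Not part of the dmd or ORT projects; ORT_IMAGE, OUT_DIR, DMD_* are assumptions.
set -eu

# Pin the image. PINNED_TAG_PLACEHOLDER is a placeholder: use a tag or digest you trust.
ORT_IMAGE="${ORT_IMAGE:-ghcr.io/oss-review-toolkit/ort:PINNED_TAG_PLACEHOLDER}"
# Output directory, relative to the repository root (it is mounted at /app in the container).
OUT_DIR="${OUT_DIR:-out}"

# Prefer the scanner result when the optional scan step was run, otherwise use the analyzer result.
select_ort_file() {
  dir="$1"
  if [ -f "$dir/scan-result.yml" ]; then
    echo "$dir/scan-result.yml"
  elif [ -f "$dir/analyzer-result.yml" ]; then
    echo "$dir/analyzer-result.yml"
  else
    echo "no ORT result file found in $dir" >&2
    return 1
  fi
}

# Map an ORT reporter format name to the SBOM file it writes by default.
sbom_file_for_format() {
  case "$1" in
    CycloneDx) echo "bom.cyclonedx.xml" ;;
    SpdxDocument) echo "bom.spdx.yml" ;;
    *) echo "unsupported reporter format: $1" >&2; return 1 ;;
  esac
}

# Run one ORT sub-command against the current directory, mounted at /app.
run_ort() {
  docker run --rm -v "$PWD:/app" "$ORT_IMAGE" "$@"
}

# Usage: ort_to_dmd <CycloneDx|SpdxDocument> [yes]   (second argument "yes" runs the scanner)
ort_to_dmd() {
  format="$1"
  with_scan="${2:-no}"

  run_ort analyze -f YAML -i /app -o "/app/$OUT_DIR"
  if [ "$with_scan" = yes ]; then
    run_ort scan --output-dir "/app/$OUT_DIR" --ort-file "/app/$OUT_DIR/analyzer-result.yml"
  fi

  # select_ort_file returns a host-relative path; prefix /app to get the container path.
  ort_file=$(select_ort_file "$OUT_DIR")
  run_ort report --output-dir "/app/$OUT_DIR" --ort-file "/app/$ort_file" -f "$format"

  # Refuse to import if the reporter did not write the expected SBOM file.
  sbom="$OUT_DIR/$(sbom_file_for_format "$format")"
  [ -f "$sbom" ] || { echo "reporter did not produce $sbom" >&2; return 1; }

  # Initialise the database once, then import. DMD_* defaults are placeholders.
  [ -f dmd.db ] || dmd db init --db dmd.db
  dmd import sbom --db dmd.db "$sbom" \
    --platform "${DMD_PLATFORM:-gitlab}" \
    --organisation "${DMD_ORG:-example-org}" \
    --repo "${DMD_REPO:-$(basename "$PWD")}"
}
```

Source the file from the root of the repository you want to analyse and call the entry point, for example `. ./ort-to-dmd.sh && ort_to_dmd CycloneDx yes`; pass `SpdxDocument` to produce and import the SPDX variant instead, and omit the second argument to skip the slower scanner step.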