aboutcode-org / scancode.io

ScanCode.io is a server to script and automate software composition analysis pipelines with ScanPipe pipelines. This project is sponsored by the NLnet project https://nlnet.nl/project/vulnerabilitydatabase/, Google Summer of Code, nexB and other generous sponsors!
https://scancodeio.readthedocs.io
Apache License 2.0
108 stars 83 forks

Collect license of detected package dependencies without installing, doing a remote API lookup #579

Open amiya-elear opened 5 years ago

amiya-elear commented 5 years ago

Description

Hi, my question is: is it possible to check the licenses of all packages written in a JSON file, without installing them, using the ScanCode toolkit? If it is possible, then how?

pombredanne commented 5 years ago

@amiya-elear Which package types are you most interested in? And would you have lock files (such as npm package-lock.json, Gemfile.lock and similar)?

At the moment ScanCode can only scan things that exist in the scanned directory tree, meaning the packages would need to be provisioned and installed. To run a mock build and provision, then scan all dependencies, https://github.com/heremaps/oss-review-toolkit is another tool that builds on ScanCode and will fetch these (and this would install them at least temporarily).

Eventually there is a plan to do something in ScanCode with https://github.com/nexB/dependentcode, and https://github.com/nexB/dependentcode/issues/1 in particular; this has not yet started though.
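To make concrete what a "remote API lookup" of dependency licenses involves (the approach this issue asks for, as opposed to scanning an installed tree), here is an added example that is not ScanCode's code nor anything posted in this thread. It reads a package.json, resolves each declared range to a concrete version against npm registry "packument" documents, walks transitive dependencies with cycle detection, and normalizes the declared license field (string, legacy object, and deprecated `licenses` array forms). The registry documents, the package.json and the `fake_fetch` helper are constructed stand-ins so it runs offline; `registry_fetch` shows the real network call but is never invoked here. The semver handling is a deliberate subset (exact, `^`, `~`, `*`) and is an assumption of this example, not a full implementation.

```python
"""Resolve npm dependencies from a package.json against registry packuments
and collect each transitive dependency's declared license, without npm install.
Example code written for this discussion; not part of ScanCode."""
import json
import re
import urllib.parse
import urllib.request
from typing import Callable, Dict, Tuple

Version = Tuple[int, int, int]

# Constructed sample package.json (no lock file, ranges only).
PACKAGE_JSON = json.dumps({
    "name": "demo-app",
    "version": "1.0.0",
    "dependencies": {"left-pad": "^1.2.0", "ms": "~2.1.1"},
})

# Constructed stand-in for https://registry.npmjs.org/<name> packuments.
# Only the fields read below are modelled. Note the deprecated "licenses"
# array on ms@2.1.3, the missing license on debug, the pre-release that must
# be skipped, and the debug -> ms edge that closes a dependency cycle.
FAKE_REGISTRY = {
    "left-pad": {"versions": {
        "1.2.0": {"license": "WTFPL", "dependencies": {}},
        "1.3.0": {"license": "WTFPL", "dependencies": {"ms": "^2.0.0"}},
        "2.0.0": {"license": "MIT", "dependencies": {}},
    }},
    "ms": {"versions": {
        "2.0.0": {"license": "MIT", "dependencies": {}},
        "2.1.1": {"license": "MIT", "dependencies": {}},
        "2.1.3": {"licenses": [{"type": "MIT"}], "dependencies": {"debug": "*"}},
        "2.2.0-beta.1": {"license": "MIT", "dependencies": {}},
    }},
    "debug": {"versions": {
        "4.3.4": {"dependencies": {"ms": "^2.1.1"}},  # no license declared
    }},
}


def fake_fetch(name: str) -> dict:
    """Offline stand-in for a registry GET; LookupError mirrors an HTTP 404."""
    try:
        return FAKE_REGISTRY[name]
    except KeyError:
        raise LookupError(f"{name}: not in registry") from None


def registry_fetch(name: str) -> dict:
    """Live packument lookup (network). Scoped names need '/' escaped as %2F."""
    url = "https://registry.npmjs.org/" + urllib.parse.quote(name, safe="@")
    with urllib.request.urlopen(url) as resp:
        return json.load(resp)


def parse_version(text: str) -> Version:
    major, minor, patch = (int(p) for p in text.split("."))
    return major, minor, patch


def satisfies(v: Version, spec: str) -> bool:
    """Subset of npm semver ranges: exact, ^x.y.z, ~x.y.z, and '*'/'latest'."""
    spec = spec.strip()
    if spec in ("", "*", "latest"):
        return True
    m = re.fullmatch(r"([\^~]?)(\d+)\.(\d+)\.(\d+)", spec)
    if not m:
        raise ValueError(f"unsupported range: {spec!r}")
    op = m.group(1)
    base = tuple(int(x) for x in m.groups()[1:])
    if op == "":
        return v == base
    if v < base:
        return False
    if op == "^":  # caret: no change to the leftmost non-zero component
        if base[0] > 0:
            return v[0] == base[0]
        if base[1] > 0:
            return v[:2] == base[:2]
        return v == base
    return v[:2] == base[:2]  # tilde: patch-level changes only


def pick_version(name: str, spec: str, fetch: Callable[[str], dict]) -> str:
    """Highest published, non-pre-release version satisfying the range."""
    versions = fetch(name)["versions"]
    matching = [parse_version(v) for v in versions
                if "-" not in v and satisfies(parse_version(v), spec)]
    if not matching:
        raise LookupError(f"{name}: no version satisfies {spec!r}")
    return ".".join(str(n) for n in max(matching))


def declared_license(manifest: dict) -> str:
    """Normalize the three historical shapes of the license metadata."""
    lic = manifest.get("license")
    if isinstance(lic, dict):            # legacy {"type": ..., "url": ...}
        lic = lic.get("type")
    if not lic and isinstance(manifest.get("licenses"), list):  # deprecated array
        lic = " OR ".join(e["type"] for e in manifest["licenses"] if e.get("type"))
    return lic or "UNKNOWN"


def collect_licenses(package_json: str, fetch: Callable[[str], dict]) -> Dict[str, str]:
    """Map 'name@version' -> declared license for the whole transitive closure."""
    root = json.loads(package_json)
    queue = list(root.get("dependencies", {}).items())
    resolved: Dict[str, str] = {}
    while queue:
        name, spec = queue.pop()
        version = pick_version(name, spec, fetch)
        key = f"{name}@{version}"
        if key in resolved:  # already visited: dedupes and breaks cycles
            continue
        manifest = fetch(name)["versions"][version]
        resolved[key] = declared_license(manifest)
        queue.extend(manifest.get("dependencies", {}).items())
    return dict(sorted(resolved.items()))


if __name__ == "__main__":
    for pkg, lic in collect_licenses(PACKAGE_JSON, fake_fetch).items():
        print(f"{pkg:20} {lic}")
```

Two caveats a practitioner should keep in mind. First, what the registry returns is the license the publisher declared, not a license detected from the package contents; a scan of the fetched tarballs (which is what ScanCode does on an installed tree) can disagree with it, and `UNKNOWN` entries need manual follow-up. Second, without a lock file the resolution above is only a best guess at what `npm install` would pick today; a package-lock.json pins exact versions and makes the range-resolution step unnecessary.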

amiya-elear commented 5 years ago

I am interested in npm and Node.js packages. No, I don't have any lock file inside the directory. Suppose I have one package.json file; can ScanCode use this file and give me all dependency package licenses? Is it possible, or is it mandatory to do npm install and after that run ScanCode? Is any other tool available to do the same job?

pombredanne commented 5 years ago

Suppose I have one package.json file; can ScanCode use this file and give me all dependency package licenses? Is it possible, or is it mandatory to do npm install and after that run ScanCode? Is any other tool available to do the same job?

You have to run an npm install, and there is no tool I know of that would not require doing this first.

amiya-elear commented 5 years ago

Without doing npm install we can't find out the dependency licenses of the tools used in the package.json file.

pombredanne commented 5 years ago

Without doing npm install we can't find out the dependency licenses of the tools used in the package.json file.

This is correct.

amiya-elear commented 5 years ago

Thanks.

pombredanne commented 5 years ago

@amiya-elear Shall we close this now, or not?

pombredanne commented 2 years ago

I am actually thinking of adding a live scan feature that will optionally fetch remote dependency details. So I will not close!

pombredanne commented 1 year ago

We have new inspectors in https://github.com/nexB/python-inspector and https://github.com/nexB/nuget-inspector that can do live resolution of deps. Then we have FetchCode and purldb that can fetch API data. The end-to-end would come together in ScanCode.io as a pipeline, so I am moving this issue there.

kasakirankumar commented 1 year ago

@pombredanne, could you please provide more information regarding this online scan option with ScanCode? Is it available for all to use? I also face the same issue: the tool can only scan the available files, not the dependencies mentioned in the package manager file.

pombredanne commented 1 year ago

@kasakirankumar This option is not yet available, though some early elements of it have been implemented with python-inspector and the new "inspect_manifest" pipeline.

kasakirankumar commented 1 year ago

@pombredanne, thank you for the confirmation and quick reply.

pombredanne commented 1 year ago

@kasakirankumar Actually, we are now likely to have something related to "on demand" scanning in the purlDB that can then be used for a lookup.