oss-review-toolkit / ort

A suite of tools to automate software compliance checks.
https://oss-review-toolkit.org
Apache License 2.0

Unsure how to use this tool #4471

Closed alex4200 closed 2 years ago

alex4200 commented 3 years ago

I managed to create a docker image and I was able to "analyze" a folder using the command

docker run -v $PROJECT:/project ort --info analyze -f JSON -i /project -o output

The output says:

Writing analyzer result to '/output/analyzer-result.json'.
Found 0 error(s), 0 warning(s), 0 hint(s).

But what is the meaning of an error, a warning and a hint?

I then tried to use the "scan" function to "check" (?) the license in the project with the following command:

docker run -v $PROJECT:/project ort --info scan --input-path project --output-dir output2

which also gave the same result, Found 0 error(s), 0 warning(s), 0 hint(s)., and output a JSON file to '/output2/scan-result.yml'. But since this file is inside the image, it is very complicated to read that file.

Is there a tutorial anywhere on how to use this tool, and what this tool is actually for, explained in plain English terms?

MarcelBochtler commented 2 years ago

Hi @alex4200, did you see the getting started guide? This explains in detail how to build and run ORT.

Docker complicates the setup a bit, you might want to bind mount the output directory to get easy access to the resulting files.
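A wrapper around the two commands from this thread, written as an added example (not code from the ORT project or from the commenters), that bind-mounts a host output directory so the analyzer and scanner results land on the host instead of inside the container. The image name `ort`, the container paths `/project` and `/output`, and the `ORT_DOCKER` override variable are assumptions.

```shell
#!/bin/sh
# Added example: run ORT steps from a local "ort" Docker image with BOTH the
# project and an output directory mounted from the host.
# ORT_DOCKER lets you substitute the docker binary (e.g. "echo" for a dry run).
set -eu

# ort_run HOST_PROJECT_DIR HOST_OUTPUT_DIR ORT_SUBCOMMAND [ORT_OPTIONS...]
ort_run() {
  project="$1"; outdir="$2"; shift 2
  mkdir -p "$outdir"
  "${ORT_DOCKER:-docker}" run --rm \
    -v "$project:/project:ro" \
    -v "$outdir:/output" \
    ort --info "$@"
}

# Full pipeline: the scanner consumes the analyzer result written by the
# first step, and both result files end up under HOST_OUTPUT_DIR.
ort_pipeline() {
  project="$1"; outdir="$2"
  ort_run "$project" "$outdir" analyze -f JSON -i /project -o /output/analyzer
  ort_run "$project" "$outdir" scan -i /output/analyzer/analyzer-result.json \
    -o /output/scanner
  # Results are now readable on the host, e.g. "$outdir/analyzer/analyzer-result.json".
  ls -R "$outdir"
}
```

Run it as `ort_pipeline /path/to/repo "$PWD/ort-out"`; the result files are then readable directly on the host.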

alex4200 commented 2 years ago

Hello @MarcelBochtler,

in that tutorial I see a sentence like this one:

The next step is to run the analyzer. It will create a JSON or YAML output file containing the full dependency tree of mime-types including the metadata of mime-types and its dependencies.

I am not sure what the mime-type has to do at all with "open source" things this tool is supposed to do. I thought it would maybe check the license, license dependencies, that the copyright is correct - things like that.

Maybe this is the wrong tool at all?

sschuberth commented 2 years ago

I am not sure what the mime-type has to do at all with "open source" things this tool is supposed to do.

The mime-type project is just an arbitrary example project that is used for analysis / scanning for the sake of getting started with ORT usage and demonstrating how ORT works. Usually, you'd probably analyze / scan your company internal project's source code instead of the mime-type project.

alex4200 commented 2 years ago

@sschuberth But how? What information can I get?

How do I query a repository to answer the question: Is the license OK? How do I query a repository to answer the question: Is the copyright OK?

Maybe you can give two specific examples.

sschuberth commented 2 years ago

How do I query a repository to answer the question: Is the license OK?

Whether the license is "OK" highly depends on your use case, like the type / way of distribution, company policy, legislation, and other things. As such there is no general answer to that question, which is why you need to provide (quite a bit) of configuration to ORT, most importantly license classifications and policy rules. ORT deliberately does not provide these itself to not give any sort of legal advice, and eventually run into trouble.

alex4200 commented 2 years ago

But then, how do I use/configure ORT to answer this question?

The tutorial does not seem to help here. How do I configure ORT so it can check the licenses of many repositories I need to check?

sschuberth commented 2 years ago

But then, how do I use/configure ORT to answer this question?

Could you please be more specific about what information you're missing from the linked docs that I provided?

The tutorial does not seem to help here.

Correct. The getting started docs do not go into the depth of all ORT configuration options, but only explain the basic usage / workflow independent of the concrete license / policy configuration.

How do I configure ORT so it can check the licenses of many repositories I need to check?

You need to tell ORT in what regard to check the licenses. Are you fine with a GPL-2.0-only license finding in your context or not? Maybe you're only not fine with the license if the dependency under that license is statically linked to your project, but you're fine if linked dynamically? This is all configuration you need to provide to ORT in the form of policy rules.

alex4200 commented 2 years ago

Now I am even more confused. In the documentation it talks about a ort.conf file, but you now mention a rules.kts file.

But let's stay on that rules.kts file:

The rules.kts file allows you to define custom policy rules that automatically apply to review scan findings. Rules are written in a Kotlin-based DSL.

What the hell is a Kotlin-based DSL?

For each policy rule violation, you can define 'How to fix' follow-up actions to help users resolve policy rules violations by themselves.

And how to write these rules?

You can use the rules.kts example as the base script file for your policy rules. Note that this example depends on the license categorizations defined in the license-classifications.yml example, see the license-classifications.yml docs.

I looked into the example, but I have no idea what the content means.

It looks like I have to

Is that correct?

sschuberth commented 2 years ago

Basically yes, that's correct. ORT is an enterprise-grade tool that's usually operated by a team of people, including legal experts, developers, and administrators. If you're not a bit of everything, and / or willing to dive deep into the OSS compliance domain, then ORT is probably not for you.

alex4200 commented 2 years ago

Good, then it is probably not for me. Thanks for the clarification. Should be mentioned on the README on the top...