
Fossology spdx web api

spdxtools edited this page Oct 4, 2013 · 30 revisions

Web API

1. Title: Real-time license scan for a package (by FOSSology agent)

Users can use wget to retrieve file-level information (SHA1, license, copyright, etc.) and extracted license information, formatted per the SPDX spec:
wget -qO - --no-check-certificate --post-file=mypackage.tar.gz --timeout=0 "http://myfossologyspdxserver/?mod=spdx_license_once&noCopyright=false&jsonOutput=false&packageNameInLog="
For example:
wget -qO - --no-check-certificate --post-file=./time-1.7.tar --timeout=0 "https://fossologyspdx.ist.unomaha.edu/?mod=spdx_license_once&noCopyright=false&jsonOutput=false&packageNameInLog=time-1.7.tar"
You may get:

...other files info...
FileName: getopt.h
FileType: SOURCE
FileChecksum: SHA1: c5dca7ccc0db510fa7eeff1c5edb6fe66c598652
LicenseConcluded: NOASSERTION
LicenseInfoInFile: GPL-2.0+
FileCopyrightText: copyright (c) 1989, 90, 91, 92, 93, 94 free software foundation, inc.
...other files info...

Notes:

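  1. Because wget's default timeout is 900 seconds, the --timeout=0 option prevents wget from retrying before the command returns its result.
  2. --no-check-certificate turns off wget's validation of the server's TLS certificate; it can be dropped when the server presents a certificate that wget can verify.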
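An added example (not part of the original wiki or of the FOSSology project's code): a parser for the file-level tag-value records shown above that checks each reported SHA1 against the bytes held locally and lists files whose detected license is missing or outside an allowlist. The allowlist, the sample records and the assumption that FileName matches the local file name are constructed for illustration.

```python
import hashlib
# Tags of the per-file records in the tag-value output shown on this page.
FILE_TAGS = {"FileName", "FileType", "FileChecksum", "LicenseConcluded",
             "LicenseInfoInFile", "FileCopyrightText"}

def parse_file_records(text):
    """Group 'Tag: value' lines into one dict per file; FileName opens a record."""
    records, current = [], {"LicenseInfoInFile": []}  # tags before the first FileName are discarded
    for line in text.splitlines():
        tag, sep, value = (part.strip() for part in line.partition(":"))
        if not sep or tag not in FILE_TAGS:
            continue                      # elisions, blank lines, other tags
        if tag == "FileName":
            current = {"LicenseInfoInFile": []}
            records.append(current)
        if tag == "FileChecksum":         # value looks like "SHA1: <hex digest>"
            algo, _, digest = value.partition(":")
            current[tag] = (algo.strip().upper(), digest.strip().lower())
        elif tag == "LicenseInfoInFile":
            current[tag].append(value)
        else:
            current[tag] = value
    return records

def review(records, local_files, allowed):
    """Return (files whose SHA1 does not match local bytes, files needing license review)."""
    mismatched, flagged = [], []
    for rec in records:
        name = rec["FileName"]
        algo, digest = rec.get("FileChecksum", ("", ""))
        data = local_files.get(name)
        if data is None or algo != "SHA1" or hashlib.sha1(data).hexdigest() != digest:
            mismatched.append(name)
        if not rec["LicenseInfoInFile"] or set(rec["LicenseInfoInFile"]) - allowed:
            flagged.append(name)
    return mismatched, flagged

def make_record(name, data, license_id):  # builds constructed sample output
    return (f"FileName: {name}\nFileType: SOURCE\n"
            f"FileChecksum: SHA1: {hashlib.sha1(data).hexdigest()}\n"
            f"LicenseConcluded: NOASSERTION\nLicenseInfoInFile: {license_id}\n")

SAMPLE_OUTPUT = (make_record("getopt.h", b"/* a */\n", "GPL-2.0+")  # constructed
                 + make_record("time.c", b"/* b */\n", "No_license_found")
                 + make_record("resuse.c", b"/* c */\n", "GPL-2.0+"))
LOCAL_FILES = {"getopt.h": b"/* a */\n", "time.c": b"/* b */\n",
               "resuse.c": b"/* edited after the scan */\n"}
ALLOWED = {"GPL-2.0+"}                    # assumed allowlist for this example
RESULT = review(parse_file_records(SAMPLE_OUTPUT), LOCAL_FILES, ALLOWED)  # (['resuse.c'], ['time.c'])
```

A checksum mismatch means the license findings describe different bytes from the ones you hold, so the scan should be rerun on the current file.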

Options:

  1. noCopyright: true/false. Only when this option is set to "true", copyright information is scanned.
  2. recursiveUnpack: true/false. Only when this option is set to "true" is the submitted package recursively unpacked. Omitting this option is equivalent to setting it to "false".
  3. jsonOutput: true/false. Only when this option is set to "true" is the scan result output in JSON format. Omitting this option is equivalent to setting it to "false".
  4. packageNameInLog: log file name. Only when this option is non-empty is the scanning process logged to the file [packageNameInLog].log. The default log path is /var/log/fossologyspdx/; the path can be set as "LOGDIR" in the fossologyspdx.conf file (its location depends on your install, but is probably something like /etc/fossology/fossologyspdx.conf). Omitting this option means no logging.

With jsonOutput set to "true", you may get:

{"file_level_info":[{"FileName":"stamp-vti","FileType":"SOURCE","FileChecksum":"8e5113f6f47ce34e0437c2105441dbb70f01491a"

Here is the same output, formatted:

{
  "file_level_info":[
    {
      "FileName":"stamp-vti",
      "FileType":"SOURCE",
      "FileChecksum":"8e5113f6f47ce34e0437c2105441dbb70f01491a",
      "FileChecksumAlgorithm":"SHA1",
      "LicenseConcluded":"NOASSERTION",
      "LicenseInfoInFile":"No_license_found",
      "FileCopyrightText":"NOASSERTION</text>"
    },
    ...
  ],
  "extracted_license_info":[
    {
      "LicenseName":"FSF",
      "ExtractedText":"Copyright (C) 2003, 2006-2007 Free Software Foundation, Inc.\r\nThis file is free software; the Free Software Foundation\r\ngives unlimited permission to copy and/or distribute it,\r\nwith or without modifications, as long as this notice is preserved.</text>",
      "LicenseCrossReference":""
    },
    ...
  ]
}

The API works as follows:
1: Unpack the package using the FOSSology ununpack agent.
2: Scan the unpacked files using the FOSSology nomos agent.
3: Scan the unpacked files using the FOSSology copyright agent (only when the option is set to "noCopyright=true").
4: Format the information for output (currently in SPDX spec v1.1).

You can find details of the above agents here.
You can also find other details in How to use FOSSology from the command line.
