
Fossology spdx web api

spdxtools edited this page Mar 14, 2014 · 30 revisions

Web API

1. Title: Real-time license scan for a package (by FOSSology agents)

Users can use curl to retrieve file-level information (SHA1, license, copyright, etc.) and extracted license information (SPDX spec), or a low-definition version of the full SPDX output:
curl https://myfossologyspdxserver/ -k -F "mod=spdx_license_once" -F "noCopyright=false" -F "jsonOutput=false" -F "fullSPDXFlag=true" -F "packageNameInLog=mypackage.tar.gz" -F "[email protected]"
For example, the following command retrieves the full SPDX file:
curl https://fossologyspdx.ist.unomaha.edu/ -k -F "mod=spdx_license_once" -F "noCopyright=false" -F "jsonOutput=false" -F "fullSPDXFlag=true" -F "packageNameInLog=time-1.7.tar" -F "[email protected]" -o time-1.7.tar.spdx
Users can also call the API with wget (curl is recommended for large files):
wget -qO - --no-check-certificate --post-file=mypackage.tar.gz --timeout=0 "http://myfossologyspdxserver/?mod=spdx_license_once&noCopyright=false&jsonOutput=false&fullSPDXFlag=false&packageNameInLog="
For example:
wget -qO - --no-check-certificate --post-file=./time-1.7.tar --timeout=0 "https://fossologyspdx.ist.unomaha.edu/?mod=spdx_license_once&noCopyright=false&jsonOutput=false&fullSPDXFlag=false&packageNameInLog=time-1.7.tar"

You may get:

...other files info...
FileName: getopt.h
FileType: SOURCE
FileChecksum: SHA1: c5dca7ccc0db510fa7eeff1c5edb6fe66c598652
LicenseConcluded: NOASSERTION
LicenseInfoInFile: GPL-2.0+
FileCopyrightText: copyright (c) 1989, 90, 91, 92, 93, 94 free software foundation, inc.
...other files info...

Notes:

  1. Because wget's default timeout is 900 seconds, the --timeout=0 option prevents wget from retrying before the command returns its result.

Options:

  1. noCopyright: true/false. Only when this option is set to "true", copyright information is scanned.
  2. recursiveUnpack: true/false. Only when this option is set to "true" is the sent package recursively unpacked. Omitting this option is the same as setting it to "false". This option should be set to "false" or omitted in the [Yocto] Project.
  3. jsonOutput: true/false. Only when this option is set to "true" is the scan result output in JSON format. Omitting this option is the same as setting it to "false". This option should be set to "true" in the [Yocto] Project.
  4. fullSPDXFlag: true/false. Only when this option is set to "true" is a low-definition version of the full SPDX contents output. Omitting this option is the same as setting it to "false". This option should be set to "true" when the user wants to generate an SPDX file from the command line; it should be set to "false" in the [Yocto] Project.
  5. packageNameInLog: log file name. Only when this option is not empty is the scanning process logged, to the [packageNameInLog].log file. The default log path is /var/log/fossologyspdx/; the path can be set as "LOGDIR" in the fossologyspdx.conf file (its location depends on your install, but is probably something like /etc/fossology/fossologyspdx.conf). Omitting this option means no logging.

You may get:

{"file_level_info":[{"FileName":"stamp-vti","FileType":"SOURCE","FileChecksum":"8e5113f6f47ce34e0437c2105441dbb70f01491a"

Here is the same output, formatted:

{
"file_level_info":[
{
"FileName":"stamp-vti",
"FileType":"SOURCE",
"FileChecksum":"8e5113f6f47ce34e0437c2105441dbb70f01491a",
"FileChecksumAlgorithm":"SHA1",
"LicenseConcluded":"NOASSERTION",
"LicenseInfoInFile":"No_license_found",
"FileCopyrightText":"NOASSERTION</text>"
},
...
],
"extracted_license_info":[
{
"LicenseName":"FSF",
"ExtractedText":"Copyright (C) 2003, 2006-2007 Free Software Foundation, Inc.\r\nThis file is free software; the Free Software Foundation\r\ngives unlimited permission to copy and/or distribute it,\r\nwith or without modifications, as long as this notice is preserved.</text>",
"LicenseCrossReference":""
},
...
]
}
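
A way to check the JSON report on the client side, as an added example that is not part of the original wiki or the FOSSology+SPDX project: it recomputes each file's SHA1 locally and compares it with FileChecksum, which is worth doing because the -k and --no-check-certificate flags in the commands above turn off TLS certificate verification, and it lists files with no detected license. The function names, the local_files mapping and the sample data are assumptions made for this example, and FileName is assumed to be unique within a package.

```python
import hashlib
import json

# Values the page's sample output shows when the scanner found nothing.
EMPTY_VALUES = {"", "NOASSERTION", "No_license_found"}


def clean(value):
    """Drop the stray trailing '</text>' seen in the page's sample output."""
    value = value.strip()
    return value[:-len("</text>")].strip() if value.endswith("</text>") else value


def review_scan(report_json, local_files):
    """Check a jsonOutput=true report against the bytes that were uploaded.

    local_files maps FileName -> file bytes (assumes names are unique).
    Returns (mismatched, unlicensed, missing) lists of file names.
    """
    report = json.loads(report_json)
    mismatched, unlicensed, seen = [], [], set()
    for entry in report.get("file_level_info", []):
        name = entry["FileName"]
        seen.add(name)
        algo = entry.get("FileChecksumAlgorithm", "SHA1").upper()
        if name in local_files and algo == "SHA1":
            digest = hashlib.sha1(local_files[name]).hexdigest()
            if digest != entry["FileChecksum"].strip().lower():
                mismatched.append(name)  # report describes different bytes
        if clean(entry.get("LicenseInfoInFile", "")) in EMPTY_VALUES:
            unlicensed.append(name)
    missing = sorted(set(local_files) - seen)  # uploaded but never reported
    return mismatched, unlicensed, missing


# Constructed sample: local bytes plus a report in the page's JSON shape.
FILES = {"getopt.h": b"/* constructed */\n", "stamp-vti": b"@set UPDATED\n",
         "time.c": b"int main(void) { return 0; }\n"}
SAMPLE = json.dumps({"file_level_info": [
    {"FileName": "getopt.h", "FileChecksumAlgorithm": "SHA1",
     "FileChecksum": hashlib.sha1(FILES["getopt.h"]).hexdigest(),
     "LicenseInfoInFile": "GPL-2.0+", "FileCopyrightText": "NOASSERTION</text>"},
    # Hash copied from the page; it will not match the constructed bytes.
    {"FileName": "stamp-vti", "FileChecksumAlgorithm": "SHA1",
     "FileChecksum": "8e5113f6f47ce34e0437c2105441dbb70f01491a",
     "LicenseInfoInFile": "No_license_found</text>"}]})

if __name__ == "__main__":
    print(review_scan(SAMPLE, FILES))
```

A non-empty mismatched or missing list means the report does not describe the package you hold, so its license data should not be recorded for it.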

The approach of the API is:
1: Unpack package by using FOSSology ununpack agent.
2: Scan unpacked files by using FOSSology nomos agent.
3: Scan unpacked files by using FOSSology copyright agent (only when the option is set to "noCopyright=true").
4: Format the information for output (currently SPDX spec v1.1).

You can find details of the above agents here.
You can also find other details in "How to use FOSSology from the command line".

[Notice]
Some PHP config variables (like max_execution_time) may need to be adjusted for FOSSology+SPDX, particularly for large jobs or if your system is slow.
Please see the INSTALL file, Section 3 - After Installation, for details.
