[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-7550":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":16,"subscribersCount":16,"size":16,"stars1d":17,"stars7d":18,"stars30d":19,"stars90d":16,"forks30d":16,"starsTrendScore":20,"compositeScore":21,"rankGlobal":10,"rankLanguage":10,"license":22,"archived":23,"fork":23,"defaultBranch":24,"hasWiki":25,"hasPages":25,"topics":26,"createdAt":10,"pushedAt":10,"updatedAt":45,"readmeContent":46,"aiSummary":47,"trendingCount":16,"starSnapshotCount":16,"syncStatus":48,"lastSyncTime":49,"discoverSource":50},7550,"ort","oss-review-toolkit\u002Fort","oss-review-toolkit","A suite of tools to automate software compliance checks.","https:\u002F\u002Foss-review-toolkit.org",null,"Kotlin",2031,382,36,278,0,3,6,32,10,71.95,"Apache License 2.0",false,"main",true,[27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44],"compliance","copyright","cra","cyclonedx","dependencies","dependency-graph","dora","hacktoberfest","license","license-management","open-source-licensing","ospo","oss-compliance","package-manager","sbom","sbom-generator","sca","spdx","2026-06-12 04:00:34","![OSS Review Toolkit Logo](.\u002Flogos\u002Fort.png)\n\n&nbsp;\n\n[![Slack][1]][2]\n\n[![Static Analysis][3]][4] [![Build and Test][5]][6] [![Code coverage][7]][8]\n\n[![REUSE status][9]][10] [![OpenSSF Best Practices][11]][12] [![OpenSSF Scorecard][13]][14]\n\n[1]: https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FJoin_us_on_Slack!-ort--talk-blue.svg?longCache=true&logo=slack\n[2]: http:\u002F\u002Fslack.oss-review-toolkit.org\n[3]: https:\u002F\u002Fgithub.com\u002Foss-review-toolkit\u002Fort\u002Factions\u002Fworkflows\u002Fstatic-analysis.yml\u002Fbadge.svg\n[4]: https:\u002F\u002Fgithub.com\u002Foss-review-toolkit\u002Fort\u002Factions\u002Fworkflows\u002Fstatic-analysis.yml\n[5]: 
https:\u002F\u002Fgithub.com\u002Foss-review-toolkit\u002Fort\u002Factions\u002Fworkflows\u002Fbuild-and-test.yml\u002Fbadge.svg\n[6]: https:\u002F\u002Fgithub.com\u002Foss-review-toolkit\u002Fort\u002Factions\u002Fworkflows\u002Fbuild-and-test.yml\n[7]: https:\u002F\u002Fcodecov.io\u002Fgh\u002Foss-review-toolkit\u002Fort\u002Fbranch\u002Fmain\u002Fgraph\u002Fbadge.svg?token=QD2tCSUTVN\n[8]: https:\u002F\u002Fapp.codecov.io\u002Fgh\u002Foss-review-toolkit\u002Fort\n[9]: https:\u002F\u002Fapi.reuse.software\u002Fbadge\u002Fgithub.com\u002Foss-review-toolkit\u002Fort\n[10]: https:\u002F\u002Fapi.reuse.software\u002Finfo\u002Fgithub.com\u002Foss-review-toolkit\u002Fort\n[11]: https:\u002F\u002Fwww.bestpractices.dev\u002Fprojects\u002F4618\u002Fbadge\n[12]: https:\u002F\u002Fwww.bestpractices.dev\u002Fprojects\u002F4618\n[13]: https:\u002F\u002Fapi.scorecard.dev\u002Fprojects\u002Fgithub.com\u002Foss-review-toolkit\u002Fort\u002Fbadge\n[14]: https:\u002F\u002Fscorecard.dev\u002Fviewer\u002F?uri=github.com\u002Foss-review-toolkit\u002Fort\n\n# Introduction\n\nThe OSS Review Toolkit (ORT) is a FOSS policy automation and orchestration toolkit that you can use to manage your (open source) software dependencies in a strategic, safe and efficient manner.\n\nYou can use it to:\n\n* Generate CycloneDX, SPDX SBOMs, or custom FOSS attribution documentation for your software project\n* Automate your FOSS policy using risk-based Policy as Code to do licensing, security vulnerability, InnerSource and engineering standards checks for your software project and its dependencies\n* Create a source code archive for your software project and its dependencies to comply with certain licenses or have your own copy as nothing on the internet is forever\n* Correct package metadata or licensing findings yourself, using InnerSource or with the help of the FOSS community\n\nORT can be used as a library (for programmatic use), via a command line interface (for scripted use), or via its CI 
integrations.\nIt consists of the following tools which can be combined into a *highly customizable* pipeline:\n\n* [*Analyzer*](https:\u002F\u002Foss-review-toolkit.org\u002Fort\u002Fdocs\u002Ftools\u002Fanalyzer):\n  Determines the dependencies of projects and their metadata, abstracting which package managers or build systems are actually being used.\n* [*Downloader*](https:\u002F\u002Foss-review-toolkit.org\u002Fort\u002Fdocs\u002Ftools\u002Fdownloader):\n  Fetches all source code of the projects and their dependencies, abstracting which Version Control System (VCS) or other means are used to retrieve the source code.\n* [*Scanner*](https:\u002F\u002Foss-review-toolkit.org\u002Fort\u002Fdocs\u002Ftools\u002Fscanner):\n  Uses configured source code scanners to detect license \u002F copyright findings, abstracting the type of scanner.\n* [*Advisor*](https:\u002F\u002Foss-review-toolkit.org\u002Fort\u002Fdocs\u002Ftools\u002Fadvisor):\n  Retrieves security advisories for used dependencies from configured vulnerability data services.\n* [*Evaluator*](https:\u002F\u002Foss-review-toolkit.org\u002Fort\u002Fdocs\u002Ftools\u002Fevaluator):\n  Evaluates custom policy rules along with custom license classifications against the data gathered in preceding stages and returns a list of policy violations, e.g. 
to flag license findings.\n* [*Reporter*](https:\u002F\u002Foss-review-toolkit.org\u002Fort\u002Fdocs\u002Ftools\u002Freporter):\n  Presents results in various formats such as visual reports, Open Source notices or Bill-Of-Materials (BOMs) to easily identify dependencies, licenses, copyrights or policy rule violations.\n* *Notifier*:\n  Sends result notifications via different channels (like [emails](.\u002Fexamples\u002Fexample.notifications.kts) and \u002F or JIRA tickets).\n\nAlso see the [list of related tools](https:\u002F\u002Foss-review-toolkit.org\u002Fort\u002Fdocs\u002Frelated-tools) that help with running ORT.\n\n## Documentation\n\nFor detailed information, see the documentation on the [ORT Website](https:\u002F\u002Foss-review-toolkit.org\u002Fort\u002F).\nIf you have further questions, reach out to the ORT community on [Slack][2] or contact the team by [email](mailto:ort@oss-review-toolkit.org).\n\n# Installation\n\n## System requirements\n\nORT is being continuously used on Linux, Windows and macOS by the [core development team](https:\u002F\u002Fgithub.com\u002Forgs\u002Foss-review-toolkit\u002Fpeople), so these operating systems are considered to be well-supported.\n\nTo run the ORT binaries (also see [Installation from binaries](#from-binaries)) at least Java 21 is required.\nMemory and CPU requirements vary depending on the size and type of project(s) to analyze \u002F scan, but the general recommendation is to configure Java with 8 GiB of memory and to use a CPU with at least 4 cores.\n\n```shell\n# This will give the Java Virtual Machine 8GB Memory.\nexport JAVA_OPTS=\"$JAVA_OPTS -Xmx8g\"\n```\n\nIf ORT requires external tools to analyze a project, these tools are listed by the `ort requirements` command.\nIf a package manager is not listed there, support for it is integrated directly into ORT and does not require any external tools to be installed.\n\n## From binaries\n\n### CLI distribution\n\nHead over to the 
[releases](https:\u002F\u002Fgithub.com\u002Foss-review-toolkit\u002Fort\u002Freleases) page.\nFrom the \"Assets\" section of your chosen release, download the distribution archive of the desired type.\nTypically that is `.zip` for Windows and `.tgz` otherwise; but the contents of the archives are the same.\nThe `ort-*` archives contain the [ORT main](.\u002Fcli\u002F) distribution, while the `orth-*` archives contain the [ORT helper](.\u002Fcli-helper\u002F) distribution.\nUnpack the archive to an installation directory.\nThe scripts to run ORT are located at `bin\u002Fort` and `bin\\ort.bat`, or `bin\u002Forth` and `bin\\orth.bat`, respectively.\n\n### Docker distribution\n\nIn addition to the CLI, ORT is also distributed as a Docker image that contains all tools required by ORT (see the `ort requirements` command).\nTo run ORT from the latest version of that image (which will be downloaded if needed) use:\n\n```shell\ndocker run ghcr.io\u002Foss-review-toolkit\u002Fort --help\n```\n\n## From sources\n\nInstall the following basic prerequisites:\n\n* Git (any recent version will do).\n\nThen clone this repository.\n\n```shell\ngit clone https:\u002F\u002Fgithub.com\u002Foss-review-toolkit\u002Fort\n# If you intend to run tests, you have to clone the submodules too.\ncd ort\ngit submodule update --init --recursive\n```\n\n### Build using Docker\n\nInstall the following basic prerequisites:\n\n* Docker 18.09 or later (and ensure its daemon is running).\n* Enable [BuildKit](https:\u002F\u002Fdocs.docker.com\u002Fdevelop\u002Fdevelop-images\u002Fbuild_enhancements\u002F#to-enable-buildkit-builds) for Docker.\n\nChange into the directory with ORT's source code and run `docker build -t ort .`.\nAlternatively, use the script at `scripts\u002Fdocker_build.sh` which also sets the ORT version from the Git revision.\n\n### Build natively\n\nInstall these additional prerequisites:\n\n* Java Development Kit (JDK) version 21 or later; also remember to set the `JAVA_HOME` 
environment variable accordingly.\n\nChange into the directory with ORT's source code and run `.\u002Fgradlew :cli:installDist` (on the first run this will bootstrap Gradle and download all required dependencies).\n\n## Basic usage\n\nDepending on how ORT was installed, it can be run in the following ways:\n\n* If the Docker image was built locally as described above, use\n\n  ```shell\n  docker run ort --help\n  ```\n\n  You can find further hints for using ORT with Docker in the [documentation](.\u002Fwebsite\u002Fdocs\u002Fguides\u002Fdocker.md).\n\n* If the ORT distribution was built from sources, use\n\n  ```shell\n  .\u002Fcli\u002Fbuild\u002Finstall\u002Fort\u002Fbin\u002Fort --help\n  ```\n\n* If running directly from sources via Gradle, use\n\n  ```shell\n  .\u002Fgradlew -q :cli:run --args=\"--help\"\n  ```\n\n  Note that in this case the working directory used by ORT is that of the `cli` project, not the directory `gradlew` is located in (see https:\u002F\u002Fgithub.com\u002Fgradle\u002Fgradle\u002Fissues\u002F6074).\n\n# Contributing\n\nAll contributions are welcome.\nIf you are interested in contributing code, please read our [contributing guide](https:\u002F\u002Fgithub.com\u002Foss-review-toolkit\u002F.github\u002Fblob\u002Fmain\u002FCONTRIBUTING.md).\nFor everything from reporting bugs to asking questions, please go through the [issue workflow](https:\u002F\u002Fgithub.com\u002Foss-review-toolkit\u002Fort\u002Fissues\u002Fnew\u002Fchoose).\n\n## Statistics\n\n![Alt](https:\u002F\u002Frepobeats.axiom.co\u002Fapi\u002Fembed\u002F39cfad4ac09c3b4a361a1365ccf1a65c612a8ed0.svg \"Repobeats analytics image\")\n\n# License\n\nCopyright (C) 2017-2026 [The ORT Project Copyright Holders](.\u002FNOTICE).\n\nSee the [LICENSE](.\u002FLICENSE) file in the root of this project for license details.\n\nOSS Review Toolkit (ORT) is a [Linux Foundation project](https:\u002F\u002Fwww.linuxfoundation.org\u002F) and part of 
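[ACT](https:\u002F\u002Fautomatecompliance.org\u002F).\nTo learn more on how the project is governed, including its charter, see the [ort-governance](https:\u002F\u002Fgithub.com\u002Foss-review-toolkit\u002Fort-governance) repository.\n","OSS Review Toolkit (ORT) is a suite of tools for automating software compliance checks. It supports generating software bills of materials (SBOMs) in CycloneDX and SPDX formats, as well as custom open source attribution documentation; it automates licensing, security vulnerability, InnerSource and engineering standards checks for software projects and their dependencies through risk-based Policy as Code; and it creates source code archives to satisfy specific license requirements or to retain a copy. ORT is written in Kotlin and is highly customizable; it can be used programmatically as a library, via a command line interface, or through CI integrations. It is suited to enterprises and individual developers who need to manage open source software dependencies, helping them ensure the security and compliance of their software supply chain.",2,"2026-06-11 03:13:01","top_language"]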