Open Source Review Toolkit

Automate & Orchestrate Your Open Source Compliance & Security

The Open Source Review Toolkit (ORT) is an open-source software policy automation and orchestration toolkit designed to help you strategically, safely, and efficiently manage third-party open-source software dependencies.

Why Use ORT?

ORT simplifies and automates open source software (OSS) compliance and security processes, allowing you to:

Generate SBOMs & Compliance Documentation

  • Create CycloneDX or SPDX Software Bill of Materials (SBOMs)

  • Generate custom FOSS attribution documentation for your projects

Enforce Open Source Policies Automatically

  • Use Policy as Code to check for licensing compliance, security vulnerabilities, InnerSource usage, and engineering standards

Ensure Long-Term Accessibility & Compliance

  • Archive source code for your projects and dependencies to meet licensing requirements and maintain a local copy

Improve Metadata & Licensing Accuracy

  • Correct package metadata and licensing findings manually, via InnerSource, or with community contributions

Flexible & Customizable

ORT can be integrated into your workflow in multiple ways:

  • As a library for programmatic use

  • Through a command-line interface (CLI) for scripted execution

  • Via CI/CD integrations for automated pipeline enforcement

Powerful Tooling for Open Source Governance

ORT consists of multiple tools that can be combined into a highly customizable pipeline, giving you full control over your OSS policy automation.

Analyzer - determines the dependencies of projects and their metadata, abstracting which package managers or build systems are actually being used.

Downloader - retrieves source code of the projects and their dependencies, abstracting which Version Control System (VCS) or other means are used to retrieve the source code.

Scanner - uses configured source code scanners to detect license / copyright findings, abstracting the type of scanner.

Advisor - retrieves security advisories for used dependencies from configured vulnerability data services.

Evaluator - evaluates custom policy rules along with custom license classifications against the data gathered in preceding stages and returns a list of policy violations, e.g. to flag license findings.

Reporter - presents results in various formats such as visual reports, Open Source notices or Bill-Of-Materials (BOMs) to easily identify dependencies, licenses, copyrights or policy rule violations.

The relationship between the components is shown below.

Open Source Review Toolkit components

Source Code Control ORT Services

Source Code Control offer a range of services to help organisations implement, train, support and maintain ORT.

We can also offer ORT as a Service (hosted ORT), complete with an intuitive interface wrapper.

The wrapper in this context serves as a combined interface that integrates all six tools of the OSS Review Toolkit (ORT) into a single, streamlined platform (web page). It simplifies the scanning process by providing a centralized system for running compliance checks, analysing dependencies, and generating reports.
Since this is a SaaS-based solution, it is hosted on a web page where users can access the scanning services without needing a local installation. The system will be accessible from anywhere and will support repository scanning via cloud platforms such as GitHub, Bitbucket and other VCS tools, as well as on-premises file selection.

Dependency Graph Visualization

Coming soon. The Dependency Graph Visualization aims to provide a clear and intuitive representation of dependencies, helping users identify risks, hidden dependencies, and vulnerabilities at a glance. Inspired by the Bitsea visualization concept, this solution will incorporate graphical representations, color-coded risk indicators, and interactive filtering to enhance software compliance and security assessments. By leveraging an SBOM-based approach, the visualization will enable seamless tracking of third-party components, licensing requirements, and potential conflicts.


For more information contact us