oss_assets.json specification v1.0

oss_assets.json is a JSON list of component specification objects. It serves as the input for OSS scanner, license compliance assistant and Vulnerability detector.

Attributes of component specification objects

Component Identification Attributes

  • component: Identifies the component name
  • vendor : Identifies the vendor name
  • dependency: Dependency type, it can have these values:
    • self: Identifies the component corresponding to the current implementation
    • runtime: Identifies a runtime dependency, i.e. not distributed
    • package: Identifies a package dependency which is distributed with the current component.
    • builtin: The source code of this component is part of the source code of this component.
    • ignore: Ignore this component. This attribute can be used to mark false positives.
  • alias : Array of strings of alternative names for this component, each string formatted like vendor/component. Example: ['apache/tomcat', 'tomcat/tomcat']

License Compliance Attributes

  • license : SPDX License Identifier. See SPDX License List
  • license_url : URL of the raw license document for the component, if available.
  • license_text : Base64 encoded text of the license

Security Attributes

  • cpe: CPE Identifier of the component, if known
  • fixed_cves: Array of strings containing the list of CVEs that have been fixed for the component.


    "component" : "mycomponent",
    "vendor" : "mycompany",
    "dependency" : "self",
    "license" : "BSD-3-clause",
    "license_url" : "https://raw.example.com/mycompany/mycomponent/LICENSE"
    "component" : "tomcat",
    "vendor" : "apache",
    "dependency" : "runtime",
    "license" : "Apache-2.0",
    "license_url" : "https://raw.githubusercontent.com/apache/tomcat/master/LICENSE"