FOSSLight Dependency Scanner

License Current python package version. REUSE status

FOSSLight Dependency Scanner utilizes the open source software for analyzing each package manager dependencies. We choose the open source software for each package manager that shows not only the direct dependencies but also the transitive dependencies including the information of dependencies such as oss name, oss version and license name.

The list of supported Package Managers is as follows.

User Guide

📋 Prerequisite

Because we utilize the different open source software to analyze the dependencies of each package manager, you need to set up the below Prerequisite steps according to package manager to analyze.


  1. Install the NPM License Checker to analyze the npm dependencies.
$ npm install -g license-checker

To install license-checker globally, ‘-g' option is required. If you do not have ‘sudo' access, then you can change default path to install global modules.

$ npm set prefix ~/.npm
$ PATH=~/.npm/bin:$PATH
  1. Run the command to install the dependencies. (optional)
$ npm install
  • If the ‘package.json' file exists in the input directory, it will be executed automatically by FOSSLight Dependency Scanner. So you can skip it.
  • If the ‘node_modules' directory already exists, you can run FOSSLight Dependency Scanner by setting the input directory to the path where node_modules is located.


  1. Add the License Gradle Plugin in build.gradle file.
plugins {
    id 'com.github.hierynomus.license' version '0.15.0'

downloadLicenses {
    includeProjectDependencies = true
    dependencyConfiguration = 'runtimeClasspath'
  • If the gradle version is 4.6 or lower, then add the ‘runtime' instead of ‘runtimeClasspath' in the dependencyConfiguration.
  1. Run the ‘downloadLicenses' task.
$ gradlew downloadLicenses

Android (gradle)

  1. Add the android-dependency-scanning Plugin in build.gradle file.
buildscript {
    repositories {

    dependencies {
        classpath 'org.fosslight:android-dependency-scanning:1.0.0'
  1. Add the below line in build.gradle file in the app(your application name, default : app) directory.
    apply plugin: 'org.fosslight'
  2. Run the ‘generateLicenseTxt' task.
$ gradlew generateLicenseTxt


You can run this tool with virtual environment for separating the project dependencies from system global dependencies.

  1. Create and activate the virtual environment
// virtualenv example
$ virtualenv -p /usr/bin/python3.6 venv
$ source venv/bin/activate

// conda example
$ conda create --name {venv name}
$ conda activate {venv name}
  1. Install the dependencies in the virtual environment.
// If you install the dependencies with requirements.txt...
$ pip install -r requirements.txt

Maven (optional)

  • If the ‘pom.xml' is located in the input directory, FOSSLight Dependency Scanner will automatically add and execute the license-maven-plugin. So you can skip the prerequisites below.
  1. Add the license-maven-plugin into pom.xml file.
  1. Run the license-maven-plugin task.
$ mvnw license:aggregate-download-licenses


  1. Run the flutter_oss_licenses.
$ flutter pub get
$ flutter pub global activate flutter_oss_licenses
$ flutter pub global run flutter_oss_licenses:generate.dart


  1. Install the pod package through Podfile.
$ pod install


  1. Create a github personal access token and use it with ‘-t' option when running the FOSSLight dependency scanner. It needs the Github API to get the license information of the github repository.
    Please refer the github docs guide to create a token.


  1. Create ‘Cartfile.resolved' by running the package installation command.
    $ carthage update
  2. Create a github personal access token and use it with ‘-t' option when running the FOSSLight dependency scanner. It needs the Github API to get the license information of the github repository.
    Please refer the github docs guide to create a token.

🎉 How to install

FOSSLight Dependency Scanner can be installed using pip3.
It is recommended to install in the python 3.6 + virtualenv environment.

$ pip install fosslight-dependency

🚀 How to run

You can run the FOSSLight Dependency Scanner with options based on your package manager.

$ fosslight_dependency
Option Argument Description
-m npm, maven, gradle, pip, pub, cocoapods, android, swift, carthage (optional)
package manager for your project
-p (path) (optional)
input directory
-o (path) (optional)
output file directory
-a conda example: ‘conda activate (venv name)' (pypi only required)
virtual environment activate command
-d conda example: ‘conda deactivate' (pypi only required)
virtual environment deactivate command
-c (customized output directory name) (gradle, maven only optional)
customized build output directory name (default: target)
-n (app name) (android only optional)
app directory name (default: app)
-v N/A release version
-t github token (swift, carthage only required)
github personal access token

Note that input directory should be the top directory of the project where the manifest file of the package manager is located. For example, if your project uses the NPM package manager, then the input directory should be the path where ‘package.json' file is located. The manifest file of each package manager is as follows:

Package manager Npm Pip Maven Gradle (Android) Pub Cocoapods Swift Carthage
Manifest file package.json requirements.txt pom.xml build.gradle pubspec.yaml Podfile Package.resolved Cartfile.resolved

In other words, the input directory(‘-p' option) should be designated as the top directory of the project where the package manager's manifest file exists as above.

<Tips to run for swift package manager>

  • You can run "fosslight_dependency -m swift -t {token} command in the path where {Projectname}.xcodeproj file is located.
  • Then it can find the ‘Package.resolved' file in {Projectname}.xcodeproj/project.xcworkspace/xcshareddata/swiftpm and run automatically.

📁 Result

FOSSLight Dependency Scanner creates the result file that has xlsx extension (Microsoft Excel file).

It prints the OSS information based on manifest file(package.json, pom.xml) of dependencies (including transitive dependencies). For a unique OSS name, OSS name is printed such as (package_manager):(oss name) or (group id):(artifact id).

Package manager OSS Name Download Location Homepage
Npm npm:(oss name) Priority1. repository in package.json
Priority2. name)/v/(oss version) name)
Pip pypi:(oss name) name)/(version) homepage in (pip show) information
& Gradle
& Android
(group_id):(artifact_id) id)/(artifact id)/(version) id)/(artifact id)
Pub pub:(oss name) name)/versions/(version) homepage in (pub information)
Cocoapods cocoapods:(oss name) source in (pod spec information) name)
Swift swift:(oss name) repositoryURL in Package.resolved repositoryURL in Package.resolved
Carthage carthage:(oss name) github repository in Cartfile.resolved github repository in Cartfile.resolved