oss_assets.json specification v1.0

oss_assets.json is a JSON list of component specification objects. It serves as the input for the OSS scanner, the license compliance assistant and the vulnerability detector.

Attributes of component specification objects

Component Identification Attributes

  • component: Identifies the component name
  • vendor: Identifies the vendor name
  • dependency: Dependency type. It can have one of these values:
      • self: Identifies the component corresponding to the current implementation
      • runtime: Identifies a runtime dependency, i.e. one that is not distributed with the current component
      • package: Identifies a package dependency which is distributed with the current component
      • builtin: The source code of this component is part of the source code of the current component
      • ignore: Ignore this component. This value can be used to mark false positives.
  • alias: Array of strings of alternative names for this component, each string formatted like vendor/component. Example: ["apache/tomcat", "tomcat/tomcat"]

License Compliance Attributes

  • license: SPDX License Identifier. See the SPDX License List.
  • license_url: URL of the raw license document for the component, if available.
  • license_text: Base64 encoded text of the license.

Security Attributes

  • cpe: CPE Identifier of the component, if known.
  • fixed_cves: Array of strings listing the CVE identifiers that have been fixed for the component.

Example

[
  {
    "component" : "mycomponent",
    "vendor" : "mycompany",
    "dependency" : "self",
    "license" : "BSD-3-Clause",
    "license_url" : "https://raw.example.com/mycompany/mycomponent/LICENSE"
  },
  {
    "component" : "tomcat",
    "vendor" : "apache",
    "dependency" : "runtime",
    "license" : "Apache-2.0",
    "license_url" : "https://raw.githubusercontent.com/apache/tomcat/master/LICENSE"
  },
  ...
]
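The following validator is an added example, not part of the specification or of the scanner tools it feeds; it checks a parsed oss_assets.json list against the attribute rules above (required identification keys, the dependency enumeration, the vendor/component alias shape, base64 license_text, CPE and CVE identifier shapes). The sample input, the regular expressions and the CVE number in it are constructed placeholders.

```python
import base64
import re
# Constructed sample in the oss_assets.json shape described above; all values are placeholders.
SAMPLE_OSS_ASSETS = [
    {"component": "mycomponent", "vendor": "mycompany", "dependency": "self",
     "license": "BSD-3-Clause", "alias": ["mycompany/mycomp"]},
    {"component": "tomcat", "vendor": "apache", "dependency": "runtime",
     "license": "Apache-2.0", "cpe": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
     "fixed_cves": ["CVE-2099-12345"]},                                  # placeholder CVE id
    {"component": "zlib", "vendor": "zlib", "dependency": "built-in",    # typo for "builtin"
     "alias": ["zlib"], "fixed_cves": ["2099-12345"]},                   # bad alias, bad CVE id
]
DEPENDENCY_TYPES = {"self", "runtime", "package", "builtin", "ignore"}
ALIAS_RE = re.compile(r"^[^/\s]+/[^/\s]+$")         # vendor/component
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
SPDX_ID_RE = re.compile(r"^[A-Za-z0-9.+-]+$")       # shape of an SPDX id only, not list membership
CPE_RE = re.compile(r"^cpe:(2\.3:[aho]:|/[aho]:)")  # CPE 2.3 formatted string or CPE 2.2 URI

def validate_component(spec):
    """Return the list of problems found in one component specification object."""
    problems = []
    for key in ("component", "vendor", "dependency"):
        if not isinstance(spec.get(key), str) or not spec[key]:
            problems.append(f"missing or empty '{key}'")
    # A misspelt dependency type or CVE id would silently change what the scanners ignore.
    if spec.get("dependency") not in DEPENDENCY_TYPES:
        problems.append(f"unknown dependency type {spec.get('dependency')!r}")
    for alias in spec.get("alias", []):
        if not ALIAS_RE.match(alias):
            problems.append(f"alias {alias!r} is not vendor/component")
    if "license" in spec and not SPDX_ID_RE.match(spec["license"]):
        problems.append(f"license {spec['license']!r} is not an SPDX identifier")
    if "license_text" in spec:
        try:
            base64.b64decode(spec["license_text"], validate=True)
        except (ValueError, TypeError):
            problems.append("license_text is not valid base64")
    if "cpe" in spec and not CPE_RE.match(spec["cpe"]):
        problems.append(f"cpe {spec['cpe']!r} is not a CPE identifier")
    for cve in spec.get("fixed_cves", []):
        if not CVE_RE.match(cve):
            problems.append(f"fixed_cves entry {cve!r} is not a CVE id")
    return problems

def validate_oss_assets(assets):
    """Map 'vendor/component' to its problems for every object that has any."""
    if not isinstance(assets, list):
        raise ValueError("oss_assets.json must be a JSON list")
    return {f"{s.get('vendor')}/{s.get('component')}": p for s in assets if (p := validate_component(s))}
```

Run it on the output of json.load() over an oss_assets.json file; an empty report means every object satisfies the attribute rules, while a non-empty one lists the offending vendor/component entries.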


