Package management analysis in the OSS Review Toolkit
10-27, 18:00–18:05 (Europe/Berlin), Main stage

Analyzing the dependencies declared by package managers is the first step towards creating SBOMs or querying known vulnerabilities for software projects. This talk gives an overview of the abstractions used in the OSS Review Toolkit to support more than 25 package managers, and of the challenges in modelling their differing behaviors and dependency resolution processes.

The OSS Review Toolkit (ORT) started more than 6 years ago as a tool to abstract away package manager details in order to automate Open Source license compliance checks based on the license obligations of dependencies. Since then ORT has grown into an OpenChain reference tool that covers all kinds of compliance checks, including security vulnerability checks, InnerSource checks, and the creation of disclosure documents. ORT's package manager analyzer is unique in several ways, both in its features and in its level of correctness. For example, the package manager configuration does not need to be changed (e.g. by applying plugins) for the ORT analyzer to work. Also, some interesting technical approaches are taken in order to support package managers from different ecosystems that are written in different programming languages.

Sebastian Schuberth is an Open Source enthusiast and automation freak. He has more than 20 years of experience with professional software development and DevOps topics, and recurrently contributes to Open Source projects like the Gradle package manager, Package URL, or SPDX.