How to obtain the component list export? #4212
Unanswered
carloreggiani
asked this question in
Q&A
Replies: 2 comments
The UI currently doesn't support exporting such a list, as far as I know.
Keep in mind that a license may be included in multiple groups. The default groups (copyleft, permissive, ...) are disjunctive, though. Why don't you implement the audit process with dependency-track itself? If you want to identify projects that use components with unwanted licenses, create a policy for that.
My request is to assess a security governance report with these dimensions:
- "blueprint" of all the OSS software used in the company
- identify the most used (number of projects involved)
- the risk score imported into the company by each OSS software/community (unrelated to a specific component version).
Any idea?
Carlo
…On Fri, Oct 4, 2024 at 9:56 AM fupgang ***@***.***> wrote:
The UI currently doesn't support exporting such a list, as far as I know.
You can use the API to collect the data in multiple requests to different
resources.
Alternatively, if you can access the database use something like this:
SELECT c."GROUP" AS "component group", c.NAME AS "component name",
       l.NAME AS "license name", lg.NAME AS "license group name",
       COUNT(DISTINCT c.PROJECT_ID) AS "number of projects" -- each project counted once, whatever the version
FROM COMPONENT c
LEFT OUTER JOIN LICENSE l ON c.LICENSE_ID = l.ID
LEFT OUTER JOIN LICENSEGROUP_LICENSE lgl ON lgl.LICENSE_ID = l.ID
LEFT OUTER JOIN LICENSEGROUP lg ON lg.ID = lgl.LICENSEGROUP_ID
-- every non-aggregated column in the SELECT list has to appear in GROUP BY
GROUP BY c."GROUP", c.NAME, c.LICENSE_ID, l.NAME, lg.NAME
ORDER BY "number of projects" DESC
Keep in mind that a license may be included in multiple groups. The
default groups (copyleft, permissive, ...) are disjunctive, though.
Why don't you implement the audit process with dependency-track itself? If
you want to identify projects that use components with unwanted licenses,
create a policy for that.
--
Carlo Reggiani
about.me/reggianicarlo
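
The API route mentioned in the quoted answer above ("collect the data in multiple requests to different resources"), as an added example that is not part of the original thread and not Dependency-Track's own code. It assumes the `/api/v1/project`, `/api/v1/component/project/{uuid}` and `/api/v1/licenseGroup` resources, the `X-Api-Key` and `X-Total-Count` headers, and the JSON field names used below; the sample data is constructed.

```python
import json
import urllib.request
from collections import defaultdict

def get_all(base_url, api_key, path, page_size=100):
    """Fetch all pages of a list resource (pagination params and headers assumed)."""
    items, page = [], 1
    while True:
        url = f"{base_url}{path}?pageNumber={page}&pageSize={page_size}"
        req = urllib.request.Request(url, headers={"X-Api-Key": api_key})
        with urllib.request.urlopen(req, timeout=30) as resp:
            total = int(resp.headers.get("X-Total-Count", 0))
            batch = json.load(resp)
        items.extend(batch)
        if not batch or len(items) >= total:
            return items
        page += 1

def usage_report(components_by_project, license_groups):
    """Rows (group, name, license, [license groups], project count), most used first."""
    groups_of = defaultdict(set)   # license uuid -> names of the groups containing it
    for lg in license_groups:
        for lic in lg.get("licenses", []):
            groups_of[lic["uuid"]].add(lg["name"])
    projects, lic_uuid = defaultdict(set), {}
    for project_uuid, components in components_by_project.items():
        for c in components:
            lic = c.get("resolvedLicense") or {}   # assumed field name
            key = (c.get("group"), c["name"], lic.get("name"))  # version left out
            projects[key].add(project_uuid)  # a set, so each project counts once
            lic_uuid[key] = lic.get("uuid")
    rows = [(*k, sorted(groups_of.get(lic_uuid[k], ())), len(p))
            for k, p in projects.items()]
    return sorted(rows, key=lambda r: (-r[4], r[1]))

def collect(base_url, api_key):
    """Live run against a server: groups, then projects, then components per project."""
    groups = get_all(base_url, api_key, "/api/v1/licenseGroup")
    by_project = {p["uuid"]: get_all(base_url, api_key,
                                     f"/api/v1/component/project/{p['uuid']}")
                  for p in get_all(base_url, api_key, "/api/v1/project")}
    return usage_report(by_project, groups)

# Constructed sample data (not from a real server), used to exercise usage_report offline.
APACHE = {"uuid": "lic-1", "name": "Apache License 2.0"}
LANG3 = {"group": "org.apache.commons", "name": "commons-lang3", "resolvedLicense": APACHE}
SAMPLE_GROUPS = [{"name": n, "licenses": [{"uuid": "lic-1"}]} for n in ("Permissive", "Needs review")]
SAMPLE_COMPONENTS = {"proj-a": [{**LANG3, "version": "3.12.0"}, {**LANG3, "version": "3.14.0"}],
                     "proj-b": [{**LANG3, "version": "3.14.0"}, {"name": "internal-lib"}]}
```

Unlike the SQL result, a license that belongs to several groups yields one row per component with all of its group names listed, so the project count is not repeated across rows.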
For audit purposes, I need to extract all the components with the license group, the license name, and the number of projects using a specific component (unrelated to a specific version).
Is it impossible to obtain the list from the UI, or is it possible to use any "wildcard" symbol?
Thank you for any idea
Carlo