OpossumUI
A light-weight app to audit and inventory large codebases for open source license compliance.
Install / Use

Introduction
OpossumUI is a tool to
- explore open-source software components used in applications
- review open-source licenses contained in codebases
- generate reports from an open-source code scan
Features
- combine findings from multiple scanners (open-source and/or proprietary)
- integration with OSS Review Toolkit, ScanCode and others
- unified interface for browsing scanner evidence
- simple navigation through the codebase's file tree
- create attributions for individual files or groups

Use cases
- Performing audits for open-source license compliance to detect license conflicts, false positives, or incorrect attributions that need to be remediated
- Producing legal docs such as bills of materials (SBOM)
- During merger and acquisition activities, performing blind audits of intellectual property where only compliance-relevant metadata is exposed in the app without the need to ever share the source code
Ecosystem integration
OpossumUI can be used with reports generated by different analysis tools and also supports exporting review results in various formats.

Getting Started
Opossum files
OpossumUI works on files with the .opossum file extension. These files contain license compliance data of a project which can be visualized and edited through OpossumUI.
For details of the file format, see file formats.
Importing other file formats
The following additional file types can be directly imported from inside OpossumUI:
- ScanCode JSON files (.json)
- OWASP Dependency check (.json)
- more to come
Result files (yaml/json) from the OSS Review Toolkit can be converted into opossum files via a reporter and then imported as described above. The implementation of this reporter can be found in the official OSS Review Toolkit repository.
First steps
Check out our short getting started video:
Get the latest release
Download the latest release for your OS from GitHub.
Running the app
Linux
AppImage
Run the executable OpossumUI-for-linux.AppImage.
Note that on Ubuntu 22.04 and later you will run into a sandboxing issue with AppImages (see this Electron GitHub issue for details). This can be circumvented by opening the application with the --no-sandbox flag:
./OpossumUI-for-linux.AppImage --no-sandbox
Alternatively, you can install AppImageLauncher and use it to install the OpossumUI-for-linux.AppImage by double-clicking on it. Then you can open OpossumUI via the start menu of your distribution, or by double-clicking on an .opossum file.
snap
Install the snap file locally using
snap install ./OpossumUI-for-linux.snap --dangerous
Open OpossumUI via the start menu of your distribution (it should be in the Development category) or by running opossum-ui from the command line.
MacOS
Run the OpossumUI app contained in OpossumUI-for-mac.zip.
Note: As this app is not officially signed, you need to explicitly allow execution of this app via the System Settings.
Windows
Run OpossumUI-for-win.exe to install OpossumUI. Then open OpossumUI from the start menu.
Working with OpossumUI
Check out our short video, which presents a basic workflow.
For an in-depth explanation, please read the User Guide.
Exports
In addition to the default output file, OpossumUI provides the following export options.
Exporting SPDX documents
An SPDX document can be exported in JSON or YAML format through the Export ⟶ SPDX (yaml) and Export ⟶ SPDX (json) options in the File menu.
Exporting BOM-like CSV files
These can be exported through the Export ⟶ Compact / Detailed component list options in the File menu. Both component list files contain a list of all attributions present in the project, including package name, version, copyright, license name and upstream address. The detailed component list additionally includes the PURL and its subcomponents, as well as the license texts.
Exporting the follow-up document
This can be exported through the Export ⟶ Follow-Up option in the File menu. Like the component list, it contains attributions, but only those whose licenses were flagged for legal review through the Follow-Up checkbox in the UI.
Limitations
SPDX License Expressions are only partially supported at the moment. Currently, a license expression can only be entered as the license name of a package. The full text of each license named in the expression (e.g. both GPL-2.0-only and BSD-2-Clause for GPL-2.0-only OR BSD-2-Clause) should also be entered in the license text field.
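Because the license text for a compound expression has to be pasted in by hand, it is easy to end up with an attribution whose expression names two licenses but whose text field carries only one of them. The following script is an added example (not part of OpossumUI) that scans a detailed component list export for exactly that gap. It assumes the column names "package name", "license name" and "license text", and a small map of distinctive phrases from well-known license texts; both are assumptions for this example, not the tool's documented schema.

```python
import csv
import io
import re

# Constructed sample of a detailed component list export. The column names
# are an assumption for this example, not OpossumUI's documented schema.
SAMPLE_CSV = """\
package name,version,license name,license text
libfoo,1.2.0,MIT,"MIT License. Permission is hereby granted, free of charge, ..."
libbar,0.9.1,GPL-2.0-only OR BSD-2-Clause,"GNU GENERAL PUBLIC LICENSE Version 2, June 1991 ..."
libbaz,3.0.0,(Apache-2.0 AND MIT),"Apache License Version 2.0 ... Permission is hereby granted, free of charge ..."
"""

# Distinctive phrases from a few common license texts. Assumption for this
# example: if the phrase occurs in the field, that license's text was pasted.
TEXT_MARKERS = {
    "MIT": "Permission is hereby granted, free of charge",
    "BSD-2-Clause": "Redistribution and use in source and binary forms",
    "GPL-2.0-only": "GNU GENERAL PUBLIC LICENSE",
    "Apache-2.0": "Apache License",
}

OPERATORS = {"AND", "OR", "WITH"}


def license_ids(expression: str) -> list[str]:
    """Flatten an SPDX expression into its license identifiers.
    This is a tokenizer, not a full SPDX grammar: parentheses are dropped
    and a trailing '+' (or-later marker) is stripped from identifiers."""
    tokens = re.sub(r"[()]", " ", expression).split()
    return [t.rstrip("+") for t in tokens if t.upper() not in OPERATORS]


def missing_license_texts(csv_text: str) -> dict[str, list[str]]:
    """Map package name -> license IDs from a compound expression whose
    text does not appear in the 'license text' field. IDs without a known
    marker phrase are reported too, so they get a manual look."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        ids = license_ids(row["license name"])
        if len(ids) < 2:
            continue  # single license: nothing to cross-check here
        text = row["license text"]
        missing = [i for i in ids
                   if i not in TEXT_MARKERS or TEXT_MARKERS[i] not in text]
        if missing:
            findings[row["package name"]] = missing
    return findings


if __name__ == "__main__":
    for pkg, ids in missing_license_texts(SAMPLE_CSV).items():
        print(f"{pkg}: add full license text for {', '.join(ids)}")
```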
Developer's guide
Contributions to the project are welcome. See Contributing.
Licensing
OpossumUI is licensed under Apache-2.0, documentation is licensed under CC0-1.0. For contributions, we use the Developer Certificate of Origin (DCO) process via sign-offs in every commit, to help ensure licensing criteria are met.

