Metadata-Version: 2.1
Name: ossindex-lib
Version: 1.1.2
Summary: A library for querying the OSS Index free catalogue of open source components to help developers identify vulnerabilities, understand risk, and keep their software safe.
Home-page: https://github.com/sonatype-nexus-community/ossindex-python
License: Apache-2.0
Keywords: SCA,OWASP
Author: Paul Horton
Author-email: phorton@sonatype.com
Maintainer: Paul Horton
Maintainer-email: phorton@sonatype.com
Requires-Python: >=3.6.2,<4.0.0
Classifier: Development Status :: 5 - Production/Stable
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: Information Technology
Classifier: Intended Audience :: Legal Industry
Classifier: Intended Audience :: System Administrators
Classifier: License :: OSI Approved :: Apache Software License
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.6
Classifier: Programming Language :: Python :: 3.7
Classifier: Programming Language :: Python :: 3.8
Classifier: Programming Language :: Python :: 3.9
Classifier: Topic :: Security
Classifier: Topic :: Software Development
Classifier: Topic :: System :: Software Distribution
Classifier: Typing :: Typed
Requires-Dist: PyYAML (>=5.4.1,<7.0.0)
Requires-Dist: importlib-metadata (>=3.4); python_version < "3.8"
Requires-Dist: packageurl-python (>=0.9.0,<0.10.0)
Requires-Dist: requests (>=2.20.0,<3.0.0)
Requires-Dist: tinydb (>=4.5.0,<5.0.0)
Requires-Dist: types-PyYAML (>=5.4.1,<6.0.0)
Requires-Dist: types-requests (>=2.25.1,<3.0.0)
Requires-Dist: types-setuptools (>=57.0.0)
Project-URL: Bug Tracker, https://github.com/sonatype-nexus-community/ossindex-python/issues
Project-URL: Repository, https://github.com/sonatype-nexus-community/ossindex-python
Description-Content-Type: text/markdown

<!--

    Copyright 2022-Present Sonatype Inc.

    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
    You may obtain a copy of the License at

        http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.

-->

# Python Library for querying OSS Index

> ℹ️ As of May 2026, this community project has been [archived](https://contribute.sonatype.com/docs/project-classification/).
> 
> See also this [announcement](https://www.sonatype.com/blog/the-evolution-of-oss-index-in-the-age-of-ai) concerning OSS 
> Index being subsumed into [Sonatype Guide](https://guide.sonatype.com). 
>
> There are better alternatives today:
> - Guide API Clients: https://github.com/sonatype-nexus-community/sonatype-guide-api-client
>
> 🚧 This community project will receive no further updates or maintenance.

![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/sonatype-nexus-community/ossindex-python/ci.yml?branch=main)
![Python Version Support](https://img.shields.io/badge/python-3.6+-blue)
![PyPI Version](https://img.shields.io/pypi/v/ossindex-lib?label=PyPI&logo=pypi)
[![Documentation](https://readthedocs.org/projects/ossindex-library/badge/?version=latest)](https://readthedocs.org/projects/ossindex-library)
[![GitHub license](https://img.shields.io/github/license/sonatype-nexus-community/ossindex-python)](https://github.com/sonatype-nexus-community/ossindex-python/blob/main/LICENSE)
[![GitHub issues](https://img.shields.io/github/issues/sonatype-nexus-community/ossindex-python)](https://github.com/sonatype-nexus-community/ossindex-python/issues)
[![GitHub forks](https://img.shields.io/github/forks/sonatype-nexus-community/ossindex-python)](https://github.com/sonatype-nexus-community/ossindex-python/network)
[![GitHub stars](https://img.shields.io/github/stars/sonatype-nexus-community/ossindex-python)](https://github.com/sonatype-nexus-community/ossindex-python/stargazers)

----

This OSSIndex module for Python provides a common interface for querying the [OSS Index](https://ossindex.sonatype.org/).

This module is not designed for standalone use. If you're looking for a tool that can detect your application's dependencies
and assess them for vulnerabilities against the OSS Index, perhaps you should check out 
[Jake](https://github.com/sonatype-nexus-community/jake).

You can of course use this library in your own applications.

## Installation

Install from pypi.org as you would any other Python module:

```
pip install ossindex-lib
```

## Usage

First create an instance of `OssIndex`, optionally enabling local caching:
```
from ossindex.ossindex import OssIndex

o = OssIndex()
```

Then supply a `List` of [PackageURL](https://github.com/package-url/packageurl-python) objects that you want to ask
OSS Index about. If you would rather not generate this list yourself, look at a tool like [Jake](https://github.com/sonatype-nexus-community/jake)
(which uses this library), which will do all the hard work for you!

As a quick test, you could run:
```
from ossindex.ossindex import OssIndex, PackageURL
from ossindex.model import OssIndexComponent, Vulnerability

o = OssIndex()
results: List[OssIndexComponent] = o.get_component_report(packages=[
    PackageURL.from_string(purl='pkg:pypi/pip@23.1.2')
])
for r in results:
    print("{}: {} known vulnerabilities".format(r.coordinates, len(r.vulnerabilities)))
    v: Vulnerability
    for v in r.vulnerabilities:
        print('    - {}'.format(str(v)))
```

... which would output something like ...
```
pkg:pypi/pip@23.1.2: 1 known vulnerabilities
    - <Vulnerability id=CVE-2018-20225, name=CVE-2018-20225, cvss_score=7.8>
```

## Logging

This library sends log events to a standard Python `logger` named `ossindex`. You can configure the logger to output as
required through the standard [Python logging configuration](https://docs.python.org/3/library/logging.config.html).
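The Usage and Logging sections above describe what the library returns and where it logs; as an added example (not part of ossindex-lib or this README), here is how a CI step could turn that report into a pass/fail gate on CVSS score, raising the `ossindex` logger to INFO for the live query. It assumes only the attribute names the README itself uses (`coordinates`, `vulnerabilities`, `id`, `cvss_score`), and the offline sample report is constructed, not real OSS Index data.

```python
# Added example, not part of ossindex-lib: fail a build on OSS Index findings at or above a CVSS threshold.
import logging
import sys
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

Finding = Tuple[str, str, Optional[float]]  # (package coordinates, vulnerability id, CVSS score or None)

def gate_report(components: Iterable, min_cvss: float = 7.0) -> List[Finding]:
    """Filter an OssIndex.get_component_report() result (duck-typed on .coordinates, .vulnerabilities,
    .id and .cvss_score, the attributes this README uses). Scored findings first, highest CVSS first."""
    findings: List[Finding] = []
    for component in components:
        for vuln in component.vulnerabilities:
            score = getattr(vuln, "cvss_score", None)
            # Conservative: an unscored vulnerability cannot be shown to be below the threshold, so keep it.
            if score is None or score >= min_cvss:
                findings.append((component.coordinates, vuln.id, score))
    findings.sort(key=lambda f: (f[2] is not None, f[2] or 0.0), reverse=True)
    return findings

def check_purls(purls: List[str], min_cvss: float = 7.0) -> List[Finding]:
    """Live query (needs network): build PackageURLs and ask OSS Index, as the README's quick test does."""
    from ossindex.ossindex import OssIndex, PackageURL
    logging.getLogger("ossindex").setLevel(logging.INFO)  # surface the library's own log events
    report = OssIndex().get_component_report(packages=[PackageURL.from_string(purl=p) for p in purls])
    return gate_report(report, min_cvss)

# Constructed stand-ins with the same attributes so the gate runs offline; not real OSS Index data.
@dataclass
class _Vuln:
    id: str
    cvss_score: Optional[float]

@dataclass
class _Component:
    coordinates: str
    vulnerabilities: List[_Vuln]

SAMPLE_REPORT = [
    _Component("pkg:pypi/example-a@1.0.0", [_Vuln("CVE-PLACEHOLDER-HIGH", 9.8), _Vuln("CVE-PLACEHOLDER-MED", 4.3)]),
    _Component("pkg:pypi/example-b@2.0.0", [_Vuln("PLACEHOLDER-UNSCORED", None)]),
    _Component("pkg:pypi/example-c@3.0.0", []),  # clean package: contributes nothing
]

if __name__ == "__main__":
    logging.basicConfig(stream=sys.stderr, level=logging.WARNING)
    found = check_purls(sys.argv[1:]) if len(sys.argv) > 1 else gate_report(SAMPLE_REPORT)
    for coordinates, vuln_id, score in found:
        print(f"{coordinates}: {vuln_id} (CVSS {score})")
    sys.exit(1 if found else 0)  # non-zero fails the CI step
```

Run it with PURL strings as arguments to query OSS Index, or with none to exercise the gate on the constructed sample.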

## Todos

1. Support authentication against OSS Index

## Python Support

We endeavour to support all functionality for all [current actively supported Python versions](https://www.python.org/downloads/).
However, some features may not be possible/present in older Python versions due to their lack of support.

## Changelog

See our [CHANGELOG](./CHANGELOG.md).

## The Fine Print

Remember:

It is worth noting that this is **NOT SUPPORTED** by Sonatype, and is a contribution of ours to the open source
community (read: you!)

* Use this contribution at the risk tolerance that you have
* Do NOT file Sonatype support tickets related to `ossindex-lib`
* DO file issues here on GitHub, so that the community can pitch in

Phew, that was easier than I thought. Last but not least of all - have fun!

