I was on the hunt for a tool that could give me a clear picture of my system’s SBOM (software bill of materials). I wanted to check license info and see which parts are used in all my microservices. That’s when I stumbled upon Qodana, which has a feature called SCA (Software Component Analysis). In this post, I’ll share my thoughts on this tool.
I requested a trial account on https://qodana.cloud/ so I could test out all the features. Then I looked over public repositories for the technologies I usually work with. This resulted in the following table.
Language | Repository | # lines(1) |
---|---|---|
GO | https://github.com/jackc/pgx | 91K |
Javascript/Typescript | https://github.com/ngxs/store | 100K |
Java | https://github.com/liquibase/liquibase-hibernate | 7K |
C# | https://github.com/FluentValidation/FluentValidation | 32K |
(1) To get the number of lines, I ran the following command inside the cloned directory:

```shell
git ls-files | xargs wc -l
```
Getting started
To begin, you’ll need to create a project. Once you’ve done that, you’ll need to run qodana. For simplicity, I chose the qodana CLI. Here’s a visual guide that shows all the steps involved in executing the analysis.
Under the hood, qodana executes the analysis in Docker containers. On my personal MacBook, I had to install Docker Desktop because it doesn’t work with Rancher Desktop. I also noticed that the Docker images are quite large (starting from 4GB), as shown below.
Analysis overview
After analyzing the data, you can check the problems in the first tab. One cool feature is that you can mark problems you won’t solve in the short term and move them to the baseline.
The gadget that gives an overview of the problems is visually appealing, but it’s not very user-friendly because:
- You have to click through several dropdowns, which makes it hard to drill down on the problems because you have to keep clicking. On the other hand, the dropdowns allow you to make multiple selections.
- The text is oriented around the gadget circle, which makes it hard to read.
You can also configure which code inspection rules will be enabled or not.
The final tab shows the license audit results, which is the main reason I wanted to test this tool. You can easily navigate through the dependency tree.
You can also download the SBOM license list in different formats, including CSV. This can be useful because you do not have to build an SBOM gathering process for every language in your projects. However, the export does not provide the dependency type or package manager (such as npm or NuGet), which matters because some packages have the same name but come from different repositories (for instance, the Azure SDKs for Python and Java).
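To show why the missing package-manager column matters when the per-service exports are combined, here is an added example (my own code, not Qodana's and not its actual CSV layout). It assumes each service exports a CSV with `name,version,license` columns and, where available, an `ecosystem` column; the two sample exports and the license policy are constructed for the example. Components are keyed on (ecosystem, name), so same-named packages from different registries stay separate, and a warning is recorded whenever the ecosystem is absent and that guarantee is lost.

```python
"""Aggregate per-service SBOM exports and audit their licenses.

Constructed example: the CSV layout, the sample exports and the license
policy below are assumptions for illustration, not Qodana's own format.
"""
import csv
import io
from collections import defaultdict

# License policy (assumption for the example): SPDX identifiers accepted
# outright, and ones that need a review before a service may ship them.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause", "ISC"}
REVIEW_LICENSES = {"LGPL-3.0-only", "MPL-2.0"}

# Constructed sample exports. The first carries an ecosystem column,
# the second (like the export described in the post) does not.
SERVICE_SBOMS = {
    "orders-api": """name,version,license,ecosystem
azure-storage-blob,12.19.0,MIT,pypi
requests,2.31.0,Apache-2.0,pypi
some-copyleft-lib,1.0.0,GPL-3.0-only,pypi
""",
    "billing-ui": """name,version,license
azure-storage-blob,12.25.0,MIT
lodash,4.17.21,MIT
some-mpl-widget,2.0.0,MPL-2.0
""",
}


def parse_sbom_csv(text):
    """Return the rows as dicts; 'ecosystem' is None when the export lacks it."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "name": row["name"].strip(),
            "version": row["version"].strip(),
            "license": row["license"].strip(),
            "ecosystem": (row.get("ecosystem") or "").strip() or None,
        })
    return rows


def component_key(row):
    """Key components on (ecosystem, name); '?' marks an unknown ecosystem."""
    return (row["ecosystem"] or "?", row["name"])


def aggregate(service_sboms):
    """Map each component to {service: version}, collect its licenses,
    and warn where a missing ecosystem makes the key ambiguous."""
    usage = defaultdict(dict)
    licenses = defaultdict(set)
    warnings = []
    for service, text in service_sboms.items():
        for row in parse_sbom_csv(text):
            if row["ecosystem"] is None:
                warnings.append(f"{service}: {row['name']} has no ecosystem; "
                                "a same-named package from another registry would be merged")
            key = component_key(row)
            usage[key][service] = row["version"]
            licenses[key].add(row["license"])
    return usage, licenses, warnings


def audit_licenses(licenses):
    """Classify each component as allowed, review or denied by its worst license."""
    verdicts = {}
    for key, lics in licenses.items():
        unknown = lics - ALLOWED_LICENSES - REVIEW_LICENSES
        if unknown:
            verdicts[key] = "denied"
        elif lics & REVIEW_LICENSES:
            verdicts[key] = "review"
        else:
            verdicts[key] = "allowed"
    return verdicts


def services_using(usage, name):
    """Services that use any component with this name, across ecosystems."""
    return {svc for (_eco, n), svcs in usage.items() if n == name for svc in svcs}


if __name__ == "__main__":
    usage, licenses, warnings = aggregate(SERVICE_SBOMS)
    verdicts = audit_licenses(licenses)
    for key in sorted(usage):
        print(f"{key[0]:>5}/{key[1]:<20} {verdicts[key]:<8} {usage[key]}")
    for line in warnings:
        print("WARN", line)
```

Running it lists every component with its verdict and the services that pull it in, and prints one warning per row from the export that lacked the ecosystem column. In the sample, `azure-storage-blob` appears twice (once under `pypi`, once under `?`), which is exactly the ambiguity the post describes: without the package manager, nothing in the data says whether those are the same library.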
Tested languages
Out of the languages I tested, the only major issue I encountered was that it is not possible to get a license audit for the NGXS repository (a yarn-based project). Even though the official documentation states that yarn is supported, this was the only sticking point so far.