New API Endpoints

The VersionEye API is heavily used! In the mean white the VersionEye API is serving more HTTP requests then the web application. That’s why made it even more awesome 🙂

New SwaggerUI

For almost 2 years we didn’t update the swaggerUI, shame on us! The old swaggerUI was a bit buggy. Many times it did not submit input fields to the API, that was specially the case if there was another input field with the same name, higher up on the page. That and many other small issues are solved now with the newest swaggerUI. Beside that the new swaggerUI shows for every request the corresponding CURL command, which is super awesome because that way you can run the commands directly in the command line.

screen-shot-2017-02-03-at-10-39-19

/sessions/login

We added a new API Endpoint for sessions/login. Now you can send your user/email and password via HTTP POST to this Endpoint and you will receive back your user object with your user API key. With the user API key you can then use other Endpoints of the API.

screen-shot-2017-02-03-at-10-42-24

That is especially useful if you want to build a login screen for a mobile App like iOS or Android 😉

/organisations

We added a whole bunch of new Endpoints just for the organisation object.

screen-shot-2017-02-03-at-09-53-52

With “/organisations” you get back a list of all organisations where you are in the Owners team. The response includes the organisation API key as well.

screen-shot-2017-02-03-at-10-51-24

/organisations/orga_name/teams

With this Endpoint you get back a list of all the teams in the organisation and some basic information about team members …

screen-shot-2017-02-03-at-10-54-17

… and projects which are assigned to the team.

screen-shot-2017-02-03-at-10-54-43

/organisations/orga_name/projects

With this Endpoint you get back a list of all projects of the organisation. The list contains basic information about the projects. The more detailed information about projects please use the “/projects” Endpoint.

screen-shot-2017-02-03-at-10-58-36

/organisations/orga_name/inventory

This Endpoint returns the dependency inventory of the organisation. That is a list of all used dependencies overall projects in the organisation.

screen-shot-2017-02-03-at-11-03-37

More information about the data structure can be found here and here is another blog post about the inventory feature.

Leave a comment here if you have questions to this new API Endpoints or if you need another one 😉

 

CSV Export for OS Inventory

VersionEye monitors your projects and notifies you about out-dated dependencies, security vulnerabilities and license violations. There are many ways to create a VersionEye project and to keep it in sync with the dependencies from the daily software development. As VersionEye knows all the dependencies from all your projects it can easily display you the inventory list of all your dependencies over all your projects, in real time. You find that  inventory link in your organisation on the left side.

screen-shot-2017-02-03-at-08-21-35

That way you know exactly which and how many open source dependencies you are using and you can see immediately the licenses. Beside that the list shows you which OS dependency & version you are using in which of your projects. In the screenshot above I can see for example that the Java dependency “com.rabbitmq:amqp-client” is used in 2 of my Java projects, in the “maven-indexer” and the “versioneye-maven-crawler” project. In both projects the dependency is used in the newest version. Good for me 🙂

By default you get a complete list of ALL your dependencies overall your projects. But as you can see, there are some filters above the list which can be used to filter down the list by teams, language, version and some other criteria. Maybe you only want to see the inventory of a specific team or maybe you are only interested in the PHP inventory list of your company.

This inventory list exist already since a couple months is used heavily by Enterprise clients. If you scroll down the list you will see a CSV export link. That’s new!

screen-shot-2017-02-03-at-08-22-44

Now you can export that inventory list as CSV file. Here is an example how it looks like.

Screen Shot 2017-02-03 at 08.20.58.png

The first part of this CSV export shows exactly which dependency is used in which version, what would be the newest version, the license of the used version, the number of their known security vulnerabilities and the VersionEye project ID there this dependency is used in.

screen-shot-2017-02-03-at-08-34-04

The second part of the export shows some details about your projects where the dependency is used in, like the VersionEye project ID, project name, your project version (if available) and in case it’s a Maven project the export is showing the GroupdID & ArtifactID.

screen-shot-2017-02-03-at-08-34-18

The inventory list with all the filters is also available as API Endpoint.

screen-shot-2017-02-03-at-08-39-11

That way you can fetch the data as JSON as well and create your custom Inventory report. You could use this API Endpoint to create a custom inventory PDF report. Check out the VersionEye API.

By the way. Everything on VersionEye.com is 100% open source. The source code is on GitHub and pullrequests are welcome 😉

Read Only API Key

The VersionEye API is serving every week several Million HTTP requests and there are many plugins and AddOns out there using the VersionEye API. At the beginning only users could have an API key but in the mean while we have API keys which are attached to an organisation at VersionEye. With an organisation API key all CRUD operations inside that corresponding organisation can be performed. Some people requested an read only API key for organisations. And here it is!

screen-shot-2017-02-01-at-15-26-56

Now every organisation at VersionEye has 2 API keys. 1 “normal” one which is valid for write and delete operations and a read only one which will NOT work for HTTP POST and HTTP DELETE operations.

That way you can give somebody access to all your projects in your organisation without allowing them to change something.

Let us know how you like this feature. If you wann give feedback leave a comment here.

Simplified component whitelist

With VersionEye you can ensure a license policy by assigning a license whitelist to your project. Beside that there is a feature called component whitelist, with that you can whitelist certain components for your project. That makes totally sense for dependencies which are for example unknown to VersionEye. Another use case would be if the dependency has an unknown license, in that case you could also put the dependency on the component whitelist.

The component whitelist is a list of “LANGUAGE:PROD_KEY:VERSION” values. Until now you had to know which value you have to put on your component whitelist. For many people it was confusing. Now we simplified that. In the project view in the license tab beside each dependency which is unknown or violates the license whitelist you will find a “+” icon. But clicking on it the dependency from that row will be added to the component whitelist:

screen-shot-2017-01-31-at-16-35-11

The “+” icon only shows up if are an Admin or an Owner of the organisation AND a component whitelist is assigned to the project.

That should make your life much easier 😉

Improved license recognition

VersionEye is monitoring now more than 1.2 Million open source projects and collecting all kind of meta information to this projects. One kind of the meta information is the corresponding license. Currently the VersionEye database contains licenses to more than 8 Million artefacts.

However, sometimes the maintainers of a project didn’t provide the license information that way that it’s easy to read and recognise for machines. That is specially the case for Python and the .NET platform. Take for example the gpkit Python library. In the license field they provided the full license text, not just the license name.

python-gpkit-00

That doesn’t match very well with the license whitelist in VersionEye 😉 That’s why we improved it now!

All together we have 11335 Python licenses like that in our database and they belong to 1989 unique projects on PIP. Our new license crawler could match 9933 licenses to SPDX identifiers. That are 1799 unique projects on PIP we could assign a SPDX identifier to, which didn’t had one before. For more than 90% of this projects we could recognise and identify an SPDX identifier. And now the same library on VersionEye looks like that:

python-gpkit-01

You see clear that it’s MIT license and now this works well together with our license whitelist 🙂

In Nuget, the package manager for the .NET platform, many license names look like this.

csharp-00.png

“Nuget unknown”. That is the case if the maintainers provided a license link but didn’t provide a license name. Our new license crawler is now following this links and with machine learning it tries to identify a known license. If the similarity to a known license text is higher that 90% we assign the corresponding SPDX identifier to the software library in our database. And now the same package looks like this and you can see immediately that it’s the MIT license!

csharp-01.png

That also helps to use these packages together with our license whitelist. For the .NET packages our recognition system was not quiet as good as for Python. For .NET we could only identify 65% of the licenses of packages with a link but without a license name. Stil not bad and much better than before 😉

This are just the first results. Of course this is also work in progress and the recognition will become better in future.

Your feedback is very welcome.

Suggest new licenses

VersionEye is monitoring now more than 1.2 Million open source projects and collecting all kind of meta information to this projects. One kind of the meta information is the corresponding license. Currently the VersionEye database contains licenses to more than 8 Million artefacts.

However, it is not always possible to fetch the license automatically. Sometimes things go wrong and sometimes the license is not available through a repository API. Sometimes human interaction is required to find the license for an artefact. Now everybody from the VersionEye community can suggest a license to an artefact. If you are on a VersionEye product page with an unknown license you will see a new “Suggest a license” link now.

screen-shot-2017-01-18-at-19-59-14

By clicking on the link you will come to a new page where you can suggest a license for the corresponding artefact and the form is already pre filled for you.

screen-shot-2017-01-18-at-20-01-36

By submitting the form above the VersionEye team will receive an email notification with the new license suggestion. After the submission was reviewed and approved the license will show up on the page.

I hope that many of you will use this new feature! 🙂

New icons for visibility scope and private projects

Up to now it was not obvious which VersionEye project is a “private” project. That means a project from a private GitHub or Bitbucket repository. Projects created through the VersionEye API are also considered as private projects. To monitor private projects you need to have a paid subscription. To make the private projects more visible we marked them with a lock icon in the project overview table!

Screen Shot 2017-01-12 at 14.38.59.png

In the example above the first 2 projects are private projects, they are created through the public VersionEye API and that’s why they are marked with the lock icon.

Don’t confuse “private” projects with the visibility scope. By default every project is publicly visible to everybody who knows the project URL. That makes sharing information very easy. But don’t worry your projects are NOT part of the search index, that means it will not pop up in search results! In the project settings you can limit the visibility scope to collaborators only.

Screen Shot 2017-01-12 at 14.26.58.png

That means that your project is only visible to members of your organisation. So if somebody knows the project URL and he/she is not member of your organisation he/she will not be able to see the project report! The projects which have limited their visibility are marked in the project overview with an broken eye, like the last 2 projects in the first image.