aboutcode-org · tdruez · Sep 12, 2025 · Sep 5, 2025 · Sep 8, 2025 · Sep 8, 2025
diff --git a/scanpipe/api/views.py b/scanpipe/api/views.py
@@ -168,6 +168,8 @@ def results_download(self, request, *args, **kwargs):
             output_file = output.to_cyclonedx(project, **output_kwargs)
         elif format == "attribution":
             output_file = output.to_attribution(project)
+        elif format == "ort":
+            output_file = output.to_ort(project)
         else:
             message = {"status": f"Format {format} not supported."}
             return Response(message, status=status.HTTP_400_BAD_REQUEST)

diff --git a/scanpipe/management/commands/output.py b/scanpipe/management/commands/output.py
@@ -25,7 +25,7 @@
 from scanpipe.management.commands import ProjectCommand
 from scanpipe.pipes import output
 
-SUPPORTED_FORMATS = ["json", "csv", "xlsx", "attribution", "spdx", "cyclonedx"]
+SUPPORTED_FORMATS = ["json", "csv", "xlsx", "attribution", "spdx", "cyclonedx", "ort"]
 
 
 class Command(ProjectCommand):
@@ -84,6 +84,7 @@ def handle_output(self, output_format):
             "spdx": output.to_spdx,
             "cyclonedx": output.to_cyclonedx,
             "attribution": output.to_attribution,
+            "ort": output.to_ort,
         }.get(output_format)
 
         if not output_function:

diff --git a/scanpipe/pipes/ort.py b/scanpipe/pipes/ort.py
@@ -0,0 +1,91 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# http://nexb.com and https://github.com/aboutcode-org/scancode.io
+# The ScanCode.io software is licensed under the Apache License version 2.0.
+# Data generated with ScanCode.io is provided as-is without warranties.
+# ScanCode is a trademark of nexB Inc.
+#
+# You may not use this software except in compliance with the License.
+# You may obtain a copy of the License at: http://apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+# Data Generated with ScanCode.io is provided on an "AS IS" BASIS, WITHOUT WARRANTIES
+# OR CONDITIONS OF ANY KIND, either express or implied. No content created from
+# ScanCode.io should be considered or used as legal advice. Consult an Attorney
+# for any legal advice.
+#
+# ScanCode.io is a free software code scanning tool from nexB Inc. and others.
+# Visit https://github.com/aboutcode-org/scancode.io for support and download.
+
+
+from dataclasses import asdict
+from dataclasses import dataclass
+from dataclasses import field
+from pathlib import Path
+
+import yaml
+
+
+@dataclass
+class SourceArtifact:
+    url: str
+
+
+@dataclass
+class Dependency:
+    id: str
+    purl: str
+    sourceArtifact: SourceArtifact
+    declaredLicenses: list = field(default_factory=list)
+
+
+@dataclass
+class Project:
+    projectName: str
+    dependencies: list[Dependency] = field(default_factory=list)
+
+    @classmethod
+    def from_yaml(cls, yaml_str: str):
+        """Create a Project object from a YAML string."""
+        data = yaml.safe_load(yaml_str)
+        deps = [
+            Dependency(
+                id=dependency["id"],
+                purl=dependency["purl"],
+                sourceArtifact=SourceArtifact(**dependency["sourceArtifact"]),
+                declaredLicenses=dependency.get("declaredLicenses", []),
+            )
+            for dependency in data.get("dependencies", [])
+        ]
+        return cls(projectName=data["projectName"], dependencies=deps)
+
+    @classmethod
+    def from_file(cls, filepath: str | Path):
+        """Create a Project object by loading a YAML file."""
+        return cls.from_yaml(Path(filepath).read_text(encoding="utf-8"))
+
+    def to_yaml(self) -> str:
+        """Dump the Project object back to a YAML string."""
+        return yaml.safe_dump(asdict(self), sort_keys=False, allow_unicode=True)
+
+
+def to_ort(project):
+    dependencies = []
+    for package in project.discoveredpackages.all():
+        dependency = Dependency(
+            id=f"{package.type}::{package.name}:{package.version}",
+            purl=package.purl,
+            sourceArtifact=SourceArtifact(url=package.download_url),
+            declaredLicenses=[package.get_declared_license_expression_spdx()],
+        )
+        dependencies.append(dependency)
+
+    project = Project(
+        projectName=project.name,
+        dependencies=dependencies,
+    )
+
+    return project.to_yaml()
diff --git a/scanpipe/pipes/output.py b/scanpipe/pipes/output.py
@@ -60,6 +60,7 @@
 from scanpipe.models import ProjectMessage
 from scanpipe.pipes import docker
 from scanpipe.pipes import flag
+from scanpipe.pipes import ort
 from scanpipe.pipes import spdx
 
 scanpipe_app = apps.get_app_config("scanpipe")
@@ -1058,10 +1059,23 @@ def to_attribution(project):
     return output_file
 
 
+def to_ort(project):
+    """
+    Generate a ORT compatible "package-list.yml" output.
+    The output file is created in the ``project`` "output/" directory.
+    Return the path of the generated output file.
+    """
+    output_file = project.get_output_file_path("results", "package-list.yml")
+    ort_yml = ort.to_ort(project)
+    output_file.write_text(ort_yml)
+    return output_file
+
+
 FORMAT_TO_FUNCTION_MAPPING = {
     "json": to_json,
     "xlsx": to_xlsx,
     "spdx": to_spdx,
     "cyclonedx": to_cyclonedx,
     "attribution": to_attribution,
+    "ort": to_ort,
 }
diff --git a/scanpipe/templates/scanpipe/dropdowns/project_download_dropdown.html b/scanpipe/templates/scanpipe/dropdowns/project_download_dropdown.html
@@ -31,6 +31,9 @@
       <a href="{% url 'project_results' project.slug 'attribution' %}" class="dropdown-item">
         <strong>Attribution</strong>
       </a>
+      <a href="{% url 'project_results' project.slug 'ort' %}" class="dropdown-item">
+        <strong>ORT (package-list)</strong>
+      </a>
     </div>
   </div>
 </div>
diff --git a/scanpipe/templates/scanpipe/includes/project_downloads.html b/scanpipe/templates/scanpipe/includes/project_downloads.html
@@ -36,5 +36,8 @@
     <a class="tag is-success is-medium" href="{% url 'project_results' project.slug 'attribution' %}">
       <span class="icon mr-1"><i class="fa-solid fa-download"></i></span>Attribution
     </a>
+    <a class="tag is-success is-medium" href="{% url 'project_results' project.slug 'ort' %}">
+      <span class="icon mr-1"><i class="fa-solid fa-download"></i></span>ORT
+    </a>
   </div>
 </article>
diff --git a/scanpipe/views.py b/scanpipe/views.py
@@ -1630,6 +1630,8 @@ def get(self, request, *args, **kwargs):
             output_file = output.to_cyclonedx(project, **output_kwargs)
         elif format == "attribution":
             output_file = output.to_attribution(project)
+        elif format == "ort":
+            output_file = output.to_ort(project)
         else:
             raise Http404("Format not supported.")