Open-source Software Watchlist — SCA Platform
Track CVE vulnerabilities and license risks across all your software components.
OsWL (Open-source Software Watchlist) is an in-house SCA (Software Composition Analysis) platform that tracks and manages security vulnerabilities (CVEs) and license risks in OSS dependencies.
It provides a single dashboard for your entire software portfolio — connect your Git repositories for automatic import, or push scan results via the CLI, then immediately see CVSS-ranked vulnerability lists, license compliance status, risk trends over time, and AI-generated insights.
| Feature | Description |
|---|---|
| Security Center | Full CVE list with CVSS scores, severity ranking, and status management (Open / Suppressed / False Positive) |
| License Analysis | SPDX license detection per dependency with policy enforcement (Permitted / Caution / Restricted) |
| Risk Trend | Historical risk charts across up to 10 scans showing CVE count and license posture changes |
| Version Diff | Side-by-side comparison of two scan results — added, removed, and changed dependencies |
| Quick Import | One-click import from GitHub / GitLab / Bitbucket via VCS connection |
| CLI Integration | Language-agnostic scan submission via REST API with project-scoped API keys |
| AI Insights | Optional LLM-generated risk summaries for CVE posture and license compliance |
| Role-Based Access | Role templates (Admin / Developer / Viewer) plus per-project membership |
| Audit Logging | Immutable audit log for all user and system events, with CSV export |
| 2FA / Trusted Devices | Email OTP two-factor authentication with per-browser trusted-device support |
| Tool | Version |
|---|---|
| JDK | 25+ |
| Gradle Wrapper | included (./gradlew) |
| PostgreSQL | 15+ (production) |
| (Optional) Docker | for running PostgreSQL locally |
```bash
git clone https://github.com/SalkCoding/Oswl.git
cd Oswl
./gradlew bootRun
# Application starts on http://localhost:8080
```

The local profile is active by default. It uses an embedded H2 database (./oswl-db.mv.db) — no external database required.

On first run the Setup Wizard opens automatically at http://localhost:8080/setup.
Complete it to create the first System Admin account.
```bash
export SPRING_PROFILES_ACTIVE=prod
export DB_URL=jdbc:postgresql://localhost:5432/oswl
export DB_USERNAME=oswl
export DB_PASSWORD=your_password
export OSWL_ENCRYPTION_KEY=$(openssl rand -base64 32)
./gradlew bootRun
```

```bash
# Full build (compiles Java + Tailwind CSS)
./gradlew build
# Production JAR check (local-only test endpoints must not be packaged)
./gradlew verifyProdJar
# Rebuild Tailwind CSS only
./gradlew buildTailwindCss
# Run tests
./gradlew test
# Test coverage report → build/reports/jacoco/test/html/index.html
./gradlew jacocoTestReport
```

Note: The first build downloads the Tailwind CSS standalone CLI binary (~7 MB) to build/tools/. Subsequent builds use the cached binary.
All settings are controlled via environment variables or application.yaml profiles.
| Variable | Default | Description |
|---|---|---|
| SPRING_PROFILES_ACTIVE | local | Active profile: local or prod |
| OSWL_ENCRYPTION_KEY | (local dev only) | Encryption key for stored secrets (VCS tokens). Required in prod — app will not start without it. Generate with openssl rand -base64 32 |
| DB_URL | jdbc:postgresql://localhost:5432/oswl | PostgreSQL JDBC URL (prod profile) |
| DB_USERNAME | oswl | Database user (prod profile) |
| DB_PASSWORD | oswl | Database password (prod profile) |
| OSWL_CLONE_TEMP_DIR | system temp | Directory for temporary git clones during Quick Import |
| OSWL_GITHUB_API_BASE | https://api.github.com | GitHub API base URL (override for GHES) |
| OSWL_RISK_TREND_LIMIT | 10 | Maximum scans shown in the risk trend chart |
| OSWL_AUDIT_MAX_PAGE_SIZE | 200 | Maximum records per page in audit log API |
| OSWL_AUDIT_RETENTION_MONTHS | 6 | Months before audit log records are auto-deleted |
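A pre-start check for the prod variables in the table above, as an added example that is not part of the OsWL project: it refuses to start when OSWL_ENCRYPTION_KEY is missing or not the 44-character base64 shape that `openssl rand -base64 32` produces, when DB_PASSWORD is still the documented default, or when DB_URL is not a PostgreSQL JDBC URL. The function name oswl_preflight is assumed.

```shell
#!/bin/sh
# Pre-start sanity check for an OsWL prod environment (added example, not
# project code). Reads the variables from the configuration table and returns
# 1 with a reason on stderr when the deployment should not be started.

oswl_preflight() {
  fail=0
  if [ "${SPRING_PROFILES_ACTIVE:-local}" != "prod" ]; then
    return 0   # only the prod profile requires these settings
  fi

  # OSWL_ENCRYPTION_KEY guards stored VCS tokens. `openssl rand -base64 32`
  # yields exactly 44 base64 characters ending in one '='; accept only that
  # shape so a truncated or hand-typed key is caught before the app starts.
  # This is a format check, not an entropy check.
  key="${OSWL_ENCRYPTION_KEY:-}"
  case "$key" in
    "")
      echo "preflight: OSWL_ENCRYPTION_KEY is not set (required in prod)" >&2; fail=1 ;;
    *[!A-Za-z0-9+/=]*)
      echo "preflight: OSWL_ENCRYPTION_KEY contains non-base64 characters" >&2; fail=1 ;;
    *==)
      echo "preflight: OSWL_ENCRYPTION_KEY does not decode to 32 bytes" >&2; fail=1 ;;
    *=)
      [ "${#key}" -eq 44 ] || { echo "preflight: key is ${#key} chars, expected 44" >&2; fail=1; } ;;
    *)
      echo "preflight: OSWL_ENCRYPTION_KEY does not decode to 32 bytes" >&2; fail=1 ;;
  esac

  # DB_PASSWORD defaults to 'oswl' for local convenience; never run prod with it.
  if [ "${DB_PASSWORD:-oswl}" = "oswl" ]; then
    echo "preflight: DB_PASSWORD is unset or still the default 'oswl'" >&2; fail=1
  fi

  # The prod profile talks to PostgreSQL; anything else is a misconfiguration.
  case "${DB_URL:-}" in
    jdbc:postgresql://*) ;;
    *) echo "preflight: DB_URL must be a jdbc:postgresql:// URL" >&2; fail=1 ;;
  esac

  return "$fail"
}

# Run the check before handing over to the application.
oswl_preflight && echo "preflight: ok"
```

Wire it in front of `./gradlew bootRun` (or the JAR launch) so a misconfigured prod host fails before the application touches the database.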
```
URL:  http://localhost:8080/h2-console
JDBC: jdbc:h2:file:./oswl-db
User: sa
Pass: (empty)
```

The local profile starts an embedded GreenMail SMTP server. No real email is sent.
OTP codes appear in the server log:

```
*** OTP CODE: 123456 ***
```

After logging in, call:

```
GET http://localhost:8080/data/test
```

This resets all existing data and populates the database with a rich set of sample projects, scans, CVEs, and licenses.
```
Browser / CLI
        │
        ▼
Spring MVC Controllers (thin — delegates to Service)
        │
        ▼
Service Layer (business logic, transactions)
        │
   ┌────┴──────────────┐
   ▼                   ▼
JPA Repositories   External Clients
(PostgreSQL / H2)  (OSV · deps.dev · VCS APIs)
```

Core domain model:

```
Project
└── ProjectVersion (per branch)
    └── ScanResult (per CLI / Quick Import scan)
        └── ScanComponent
            └── DependencyPath

Library (shared across projects — group:artifact@version)
├── Cve
└── LicensePolicyEntry
```
Interactive Swagger UI is available in the local profile at http://localhost:8080/swagger-ui.html. It is disabled in prod.
Full documentation is available in the docs/ folder and on the GitHub Wiki (auto-synced from docs/ on push to main). Korean docs live in docs/ko/.
| Page | Description |
|---|---|
| Home | Platform overview and navigation guide |
| Getting Started | Installation, setup wizard, first project |
| User Guide | Day-to-day usage of the dashboard |
| Quick Import | Importing projects from GitHub / GitLab / Bitbucket |
| CLI Integration | Submitting scans from build pipelines |
| Security Center | Managing vulnerabilities (CVEs) |
| License Analysis | License compliance and policy management |
| Risk Trend | Interpreting historical risk charts |
| Version Diff | Comparing two scan results |
| Administration | Users, roles, audit logs, security settings |
| Authorization layers | Role templates vs project membership |
| Production deployment | Production checklist |
| Database schema | ddl-auto strategy and SQL migrations |
| Scan API security | CLI scan auth and audit logging |
| API Reference | REST API endpoint summary |
| Glossary | Terms and definitions |
OsWL is developed and maintained by SalkCoding.
| Author | Role | GitHub |
|---|---|---|
| SalkCoding | Project lead & primary maintainer | @SalkCoding |
| Tengball | Design & UI/UX | @Tengball |
Questions, feedback, or collaboration inquiries are welcome via GitHub Issues.
This project is licensed under the MIT License.