When the Dependency Analysis is executed via the OSS Review Toolkit (ORT) Analyzer, the Analyzer recursively searches the uploaded source code for project files of the supported technologies or languages. Examples of such project files are:

- `package.json` for NodeJS projects
- `pom.xml` for projects using Apache Maven
- `requirements.txt` or `setup.py` for Python projects

and so on.
These project files usually specify the dependencies, and the Analyzer tries to download them. For some types of projects, such as NodeJS, it uses an external package manager (npm) to resolve and download the dependency packages. The dependencies are resolved recursively, so dependencies of dependencies are also downloaded and analyzed.
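The two steps just described, as an added illustration that is not ORT's own code: walk a source tree, pick out project files by the names listed above, and read the direct dependencies they declare. The sample tree, the `node_modules` skip and the parsing of only `package.json` and `requirements.txt` are this example's own assumptions.

```python
import json
import os
import re
import tempfile
# Project file name -> package manager, mirroring the examples in the text.
PROJECT_FILES = {"package.json": "npm", "pom.xml": "Maven", "requirements.txt": "pip", "setup.py": "pip"}

def find_project_files(root):
    """Recursively collect every recognised project file under root."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Installed packages under node_modules are dependencies, not projects.
        dirnames[:] = [d for d in dirnames if d != "node_modules"]
        found += [(os.path.join(dirpath, n), PROJECT_FILES[n]) for n in filenames if n in PROJECT_FILES]
    return sorted(found)

def declared_dependencies(path):
    """Direct dependency names declared by one project file."""
    name = os.path.basename(path)
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    if name == "package.json":
        return sorted(json.loads(text).get("dependencies", {}))
    if name == "requirements.txt":
        deps = []
        for line in text.splitlines():
            line = line.split("#", 1)[0].strip()   # drop comments
            if line and not line.startswith("-"):   # skip pip options such as -r
                deps.append(re.split(r"[<>=!~\[; ]", line, maxsplit=1)[0])
        return deps
    return []  # pom.xml / setup.py: detected here but not parsed

def analyze(root):
    """Map each project file (path relative to root) to its package manager and dependencies."""
    return {os.path.relpath(p, root): (mgr, declared_dependencies(p)) for p, mgr in find_project_files(root)}

def build_sample_tree():
    """Constructed sample tree (not a real project) so the example runs offline."""
    root = tempfile.mkdtemp()
    files = {"web/package.json": json.dumps({"dependencies": {"express": "^4.18.0", "lodash": "4.17.21"}}),
             "web/node_modules/left-pad/package.json": json.dumps({"dependencies": {}}),
             "requirements.txt": "requests>=2.31  # http client\nPyYAML==6.0\n-r dev.txt\n"}
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root
```

Running `analyze(build_sample_tree())` reports two project files, `requirements.txt` (pip) and `web/package.json` (npm), and leaves the copy of `left-pad` under `node_modules` out because it is an installed dependency rather than a project.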
For the Analyzer and the package managers it uses to work correctly, the server where the Dependency Analysis is running needs to be connected to the internet, because the dependencies are usually fetched from the public package repositories.
The data collected by the Analyzer is the raw package metadata, i.e. the metadata provided by the package developer.