Tool name: scancode-toolkit

[AyanSinhaMahapatra]

homepage_url

https://github.com/aboutcode-org/scancode-toolkit

contact_email

[email protected], [email protected]

code_view_url

https://github.com/aboutcode-org/scancode-toolkit

spdx_license_expression

apache-2.0 AND cc-by-4.0 AND other-permissive AND other-copyleft

description

scancode-toolkit is a CLI tool and library to detect licenses, copyrights, packages and dependencies by scanning code, to discover and inventory open source and third-party packages used in your code.

primary_languages

Python

short_term_roadmap

1. Finish up the work done to tag scancode license rules with required phrases massively and automatically, to reduce false positives. Also improve the license detection algorithm using these required phrases. Update rules with required phrases automatically scancode-toolkit#3924
2. Publish smaller (and seperate) wheels to enable much faster releases and bugfixes Improve packaging #3459 scancode-toolkit#3761
3. Support python 3.13 Slow index creation on Python 3.13 under some circumstances scancode-toolkit#3921
4. fast-scan: identify and apply performance improvements fast-scan: Apply performance improvements scancode-toolkit#4071

long_term_roadmap

See https://github.com/aboutcode-org/scancode-toolkit/blob/develop/ROADMAP-ABOUTCODE.rst#sctk-scancode-toolkit for a more detailed roadmap of scancode-toolkit.

proprietary_data

• Yes, the tool depends on proprietary data sources

commercial_features

• Yes, the tool has a commercial version with different/additional features

capabilities

• Identifiers - Use Package-URL (PURL) identifiers
• Identifiers - Use SPDX license expressions
• Scanning - Analyze package manifests and lockfiles
• Scanning - Analyze package files
• Scanning - Scan for copyright
• Scanning - Scan for license
• Scanning - Analyze source code
• Scanning - Analyze containers
• Scanning - Analyze installed system packages (linux distros)
• Scanning - Analyze installed application packages
• Scanning - Other analysis
• Packages - Inventory packages
• Packages - Inventory packages dependencies
• Packages - Resolve dependencies
• Packages - Navigate or display dependency graph
• Compliance - Generate CycloneDX SBOMs
• Compliance - Generate SPDX SBOMs
• Compliance - Validate CycloneDX SBOM
• Compliance - Validate SPDX SBOMs
• Compliance - Generate CycloneDX VEX
• Compliance - Generate CSAF VEX
• Compliance - Generate OpenVex
• Compliance - Generate other compliance documents
• Policies - Define and check license policies
• Policies - Define and check security policies
• Policies - Define and check other policies
• Data - Database of Package metadata
• Data - Database of Package dependency relationships
• Data - Database of License obligations
• Data - Database of Licenses
• Data - Database of Vulnerabilities
• License - Help triage license issues
• License - Generate license credit and attribution notices
• License - Generate source code redistribution lists
• Vulnerabilities - Detect vulnerable code in packages
• Vulnerabilities - Find known vulnerabilities for package
• Vulnerabilities - Determine reachable vulnerabilities
• Vulnerabilities - Help triage vulnerabilities
• Binaries - Analyze binaries
• Binaries - Analyze ELF binaries
• Binaries - Analyze Windows binaries
• Binaries - Analyze firmware binaries
• Binaries - Analyze Other binaries
• Matching - Match source code
• Matching - Match binary code
• Tracing - Trace code execution
• Tracing - Trace build
• Code Security - Analyze code statically (SAST/linting)
• Code Security - Analyze code dynamically (DAST)
• Download - Source package
• Download - Source repositories
• Download - Binary package
• Deployment - Deployable as containers (Docker/OCI/k8s/etc)
• Deployment - Deployable in CI/CD pipelines
• Deployment - Deployable as a library
• Run - Run as a command line tool
• Run - Run as a web application
• Run - Run as an API service

other_capabilities

No response