{"id":48939964,"url":"https://github.com/scanoss/engine","last_synced_at":"2026-04-17T13:11:52.696Z","repository":{"id":37798897,"uuid":"279111723","full_name":"scanoss/engine","owner":"scanoss","description":"SCANOSS Open Source Inventory Engine","archived":false,"fork":false,"pushed_at":"2026-04-09T12:53:30.000Z","size":2268,"stargazers_count":41,"open_issues_count":2,"forks_count":20,"subscribers_count":5,"default_branch":"main","last_synced_at":"2026-04-09T14:34:45.805Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/scanoss.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2020-07-12T17:13:55.000Z","updated_at":"2026-03-31T18:32:38.000Z","dependencies_parsed_at":"2024-02-26T01:47:23.990Z","dependency_job_id":"22d01e03-fbc2-4534-a1fe-0d1d9bf69276","html_url":"https://github.com/scanoss/engine","commit_stats":null,"previous_names":[],"tags_count":91,"template":false,"template_full_name":null,"purl":"pkg:github/scanoss/engine","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/scanoss%2Fengine","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/scanoss%2Fengine/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/scanoss%2Fengine/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/scanoss%2Fengine/manifests","owner_
url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/scanoss","download_url":"https://codeload.github.com/scanoss/engine/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/scanoss%2Fengine/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31930255,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-17T12:37:54.787Z","status":"ssl_error","status_checked_at":"2026-04-17T12:37:25.095Z","response_time":62,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-04-17T13:11:51.820Z","updated_at":"2026-04-17T13:11:52.689Z","avatar_url":"https://github.com/scanoss.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# SCANOSS Open Source Engine\n\nTHE FIRST OPEN SOURCE ENGINE BUILT FOR DEVELOPERS\n\nSCANOSS is an open, configurable OSS engine that was built specifically for developers, empowering them to confidently produce compliant code from the moment they begin writing, while delivering greater license and usage visibility for the broader DevOps team and supply chain partners.\n\nWith its open architecture that is easy to integrate into existing processes and toolchains, SCANOSS transforms software bill of materials (SBOM) creation from ‘write now, audit later’ to an always-on analysis of live code.\n\nBy freeing developers to focus on writing great, 
compliant code that they and their team can completely trust, applications are finished earlier, quality is consistently higher, and development costs are dramatically lower.\n\n# Setup\nThe SCANOSS engine requires a Knowledge database installed for retrieving results. SCANOSS uses the SCANOSS LDB (Linked-list database) as a shared library. The LDB source code and installation guide can be found at https://github.com/scanoss/ldb\nThe knowledge database is incrementally built using the SCANOSS mining tool (minr). Its source code and installation guide can be found at https://github.com/scanoss/minr\n\n# Prerequisites\n- LDB shared library. Installation instructions: [https://github.com/scanoss/ldb/README.md](https://github.com/scanoss/ldb/blob/master/README.md). Minimum version 4.1.0.\n- libgcrypt-dev\n\n# Installation\n\nThe SCANOSS Engine is a command-line tool used for comparing a file or directory against the SCANOSS Knowledgebase. The source code can be downloaded and compiled as follows:\n\n```\nwget -O engine.zip https://github.com/scanoss/engine/archive/master.zip\nunzip engine.zip\ncd engine-master\nmake\nsudo make install\ncd ..\nscanoss -v\n```\n\nIf you want to try scanoss without installing it, execute this command in bash:\n```\nexport LD_LIBRARY_PATH=.:$LD_LIBRARY_PATH\n```\n\nThe `scanoss -v` command should show the installed version of the SCANOSS Engine.\n\n# Usage\n\nThis program performs an OSS inventory for the given TARGET comparing against the ScanOSS LDB Knowledgebase. 
Results are printed in STDOUT in JSON format.\nYou can create your own knowledgebase with the minr command, available at https://github.com/scanoss/minr\n\nSyntax: scanoss [parameters] [TARGET]\n\n## Configuration Options\n\n### Basic Configuration\n* `-w, --wfp` - Process TARGET as a .wfp file, regardless of its actual extension\n* `-H, --hpsm` - Enable High Precision Snippet Match mode (requires 'libhpsm.so' in the system)\n* `-M, --max-snippets NUM` - Search for up to NUM different components in each file (maximum: 9)\n* `-N, --max-components NUM` - Set maximum number of components (default: 5)\n* `-T, --tolerance NUM` - Set snippet scanning tolerance percentage (default: 0.1)\n* `-r, --rank NUM` - Set maximum component rank accepted (default: 11)\n* `--max-files NUM` - Set maximum number of files to fetch during matching (default: 12000)\n* `--min-match-hits NUM` - Set minimum snippet ID hits for a match (default: 3, disables auto-adjust)\n* `--min-match-lines NUM` - Set minimum matched lines for a range (default: 10, disables auto-adjust)\n* `--range-tolerance NUM` - Set max non-matched lines tolerated in a range (default: 5)\n* `--ignore-file-ext` - Ignore file extension during snippet matching (default: honor extension)\n\n### SBOM and Filtering\n* `-s, --sbom FILE` - Include assets from a JSON SBOM file (CycloneDX/SPDX2.2 format) in identification\n* `-b, --blacklist FILE` - Exclude matches from assets listed in JSON SBOM file (CycloneDX/SPDX2.2 format)\n* `--force-snippet` - Same as \"-b\" but with forced snippet scanning\n* `-c, --component HINT` - Add a component HINT to guide scan results\n\n### Attribution and Licenses\n* `-a, --attribution FILE` - Show attribution notices for the provided SBOM.json file\n* `-k, --key KEY` - Show contents of the specified KEY file from MZ sources archive\n* `-l, --license LICENSE` - Display OSADL metadata for the given SPDX license ID\n* `-L, --full-license` - Enable full license report\n* `-F, --flags FLAGS` - Set 
engine scanning flags (see Engine Flags section below)\n\n### General Options\n* `-t, --test` - Run engine performance tests\n* `-v, --version` - Show version information and exit\n* `-n, --name NAME` - Set database name (default: oss)\n* `-h, --help` - Display help information and exit\n* `-d, --debug` - Store debugging information to disk (/tmp)\n* `-q, --quiet` - Suppress JSON output (show only debugging info via STDERR)\n\n## Environment Variables\n\n* `SCANOSS_MATCHMAP_MAX` - Set the snippet scanning match map size (default: 10000)\n* `SCANOSS_FILE_CONTENTS_URL` - Define the API URL endpoint for sources. Source URL won't be reported if not defined\n\n## Engine Scanning Flags\n\nConfigure the scanning engine using flags with the `-F/--flags` parameter. These settings can also be specified in `/etc/scanoss_flags.cfg`\n\n| Flag  | Setting                                               |\n|-------|-------------------------------------------------------|\n|    1  | Disable snippet matching (default: enabled)           |\n|    2  | Enable snippet_ids (default: disabled)                |\n|    4  | Disable dependencies (default: enabled)               |\n|    8  | Disable licenses (default: enabled)                   |\n|   16  | Disable copyrights (default: enabled)                 |\n|   32  | Disable vulnerabilities (default: enabled)            |\n|   64  | Disable quality (default: enabled)                    |\n|  128  | Disable cryptography (default: enabled)               |\n|  256  | Disable best match only (default: enabled)            |\n|  512  | Hide identified files (default: disabled)             |\n| 1024  | Enable download_url (default: disabled)               |\n| 2048  | Enable \"use path hint\" logic (default: disabled)      |\n| 4096  | Disable extended server stats (default: enabled)      |\n| 8192  | Disable health layer (default: enabled)               |\n| 16384 | Enable high accuracy, slower scan (default: disabled) |\n\n### 
Examples:\n```bash\n# Scan DIRECTORY without license and dependency data\nscanoss -F 12 DIRECTORY\nscanoss --flags 12 DIRECTORY\n\n# Scan TARGET including SBOM assets\nscanoss --sbom my_sbom.json TARGET\n\n# Scan with custom snippet matching parameters\nscanoss --min-match-hits 5 --min-match-lines 15 TARGET\n\n# Scan with custom range tolerance\nscanoss --range-tolerance 10 TARGET\n\n# Ignore file extensions during matching\nscanoss --ignore-file-ext TARGET\n```\n\n# File matching logic\n\nThe scanning engine attempts to match files with the following criteria:\n\n## Is the file matching an entire package (matching directly the archive downloaded from the URL)?\n\nThis produces an identification (id) of type \"url\"\n\n## Otherwise, is the file matching an entire known file?\n\nThis produces an identification (id) of type \"file\"\n\n## Otherwise, snippet comparison is executed comparing snippet hashes\n\nThis produces an identification (id) of type \"snippet\"\n\n## If none of the above,\n\nThis produces an identification (id) of type \"none\"\n\n# File ranking algorithm\n\nOften, the SCANOSS engine finds files that are present in different components and versions, which triggers a series of functions to determine the best match. These functions are detailed below:\n\n## Component hint retrieval\n\nThe scanning client can optionally pass a component hint (context). The context is the name of the last component detected. This context will influence results and the scanning engine will favour the files belonging to a component matching the provided context.\n\n## First component released\n\nIf no hint is provided, the SCANOSS engine will look for the oldest component in the KB which matches the scanned file. In case of a tie between two components with the same release date, other available information will be used to select the best match.\n\n## SBOM Ingestion\n\nThe user can use the optional \"-s\" argument plus an sbom.json file. 
The engine will prioritize the declared components during the analysis. If a file can not be matched against any declared component, then the logic previously explained will be applied.\n\n# License\n\nThe Scanoss Open Source Engine is released under the GPL 2.0 license. Please check the LICENSE file for more information.\n\nCopyright (C) 2018-2020 SCANOSS.COM\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fscanoss%2Fengine","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fscanoss%2Fengine","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fscanoss%2Fengine/lists"}