======================================= Documentation for scanoss-py ======================================= Introduction ============ In order to complete a Software Composition Analysis of your project, you will need to scan the fingerprints of the source code against a knowledge base (for example, the `Open Source Software Knowledge Base `_). Notice we mention fingerprints, and not the source code itself. Keeping the privacy of your information is the most important rule we follow, and what makes us different than our competitors. In order to achieve this, the SCANOSS Platform calculates file and snippet fingerprints (32-bit identifiers calculated with the `winnowing algorithm `_). The fingerprints of each file or snippet are then sent to the `SCANOSS API `_, that means you are scanning against the knowledge base and not the other way around. One way to query the SCANOSS Platform is through our Python package: `scanoss-py `_. .. note:: All of SCANOSS software is open source and free to use, explore our `GitHub Organization page `_. You can contribute to this tool, for more information check the `contribution guidelines `_ for this project. Features ======== * The package can be run from the command line, or consumed from another Python script * Scan your source code fingerprints against a knowledge base * Dependency detection * Decoration services for cryptographic algorithm, vulnerabilities, semgrep issues/findings and component version detection * Generate an SBOM (software bill of materials) in SPDX-Lite and CycloneDX Installation ============ To install (from `pypi.org `_), run: ``pip3 install scanoss``. ------------ Requirements ------------ Python 3.9 or higher. The dependencies can be found in the `requirements.txt `_ and `requirements-dev.txt `_ files. To install dependencies run: ``pip3 install -r requirements.txt`` and ``pip3 install requirements-dev.txt``. To enable dependency scanning, an extra tool is required: scancode-toolkit. To install it run: ``pip3 install -r requirements-scancode.txt`` .. include:: scanoss_settings_schema.rst Commands and arguments ====================== ------------------ Scanning: scan, sc ------------------ Scans a directory or file (source code or ``.wfp`` fingerprint file) and shows results on the STDOUT, by default. This command is highly customizable, from the output format to the matching selection logic using an SBOM file, everything can be set to your preference. .. code-block:: bash scanoss-py scan .. list-table:: :widths: 20 30 :header-rows: 1 * - Argument - Description * - --wfp , -w - Allows to scan a wfp (winnowing fingerprint) file instead of a directory * - --dep , -p - Use a dependency file instead of a directory * - --identify , -i - Scan and identify components in SBOM file (an API key is required for this feature) * - --ignore , -n - Ignore components specified in the IGNORE SBOM file (an API key is required for this feature) * - --format , -f - Indicates the result output format: {plain, cyclonedx, spdxlite, csv} (optional - default plain) * - --flags , -F - Sends scanning flags (or definitions) * - --threads , -T - Number of threads to use while scanning (optional - default 10 - max 30) * - --skip-snippets, -S - Skip the generation of snippets * - --post-size , -P - Number of kilobytes to limit the post to while scanning (optional - default 64) * - --timeout , -M - Timeout (in seconds) for API communication (optional - default 120) * - --all folders - Scan all folders * - --all-extensions - Scan all file extensions * - --all-hidden - Scan all hidden file/folders * - --obfuscate - Obfuscate fingerprints * - --dependencies, -D - Add dependency scanning * - --dependencies-only - Run dependency scanning only * - --sc-command - Scancode command and path if required (optional - default scancode) * - --sc-timeout - Timeout (in seconds) for Scancode to complete (optional - default 600) * - --apiurl - SCANOSS API base URL (optional - default https://api.osskb.org) * - --ignore-cert-errors - Ignore certificate errors * - --key , -k - SCANOSS API Key token (optional - not required for default API_URL) * - --proxy - Proxy URL to use for connections, can also use the environment variable ``HTTPS_PROXY`` (optional) * - --pac - Proxy auto configuration (optional). * - --ca-cert - Alternative certificate PEM file, can also use the environment variables ``REQUEST_CA_BUNDLE`` and ``GRPC_DEFAULT_SSL_ROOTS_FILE_PATH`` (optional) ------------------------------------------- Generate fingerprints: fingerprint, fp, wfp ------------------------------------------- Calculates hashes for a directory or file and shows them on the STDOUT. .. code-block:: bash scanoss-py fingerprint .. list-table:: :widths: 20 30 :header-rows: 1 * - Argument - Description * - --output , -o - Output result file name (optional - default STDOUT) * - --obfuscate - Obfuscate fingerprints * - --skip-snippets, -S - Skip the generation of snippets * - --all-extensions - Fingerprint all file extensions * - --all-folders - Fingerprint all folders * - --all-hidden - Fingerprint all hidden files/folders ----------------------------------------- Detect dependencies: dependencies, dp, dep ----------------------------------------- Scan source code for dependencies, but do not decorate them. .. code-block:: bash scanoss-py dependencies <> .. list-table:: :widths: 20 30 :header-rows: 1 * - Argument - Description * - --output , -o - Output result file name (optional - default STDOUT) * - --container - Analyze dependencies from a Docker container image instead of a directory * - --sc-command SC_COMMAND - Scancode command and path if required (optional - default scancode) * - --sc-timeout SC_TIMEOUT - Timeout (in seconds) for scancode to complete (optional - default 600) .. note:: Remember that in order to enable dependency scanning, an extra tool is required: **scancode-toolkit**. To install it, run: ``pip3 install -r requirements-scancode.txt``. -------------------------- File count: file_count, fc -------------------------- Search the source tree and produce a file type summary. .. code-block:: bash scanoss-py file_count .. list-table:: :widths: 20 30 :header-rows: 1 * - Argument - Description * - --output , -o - Output result file name (optional - default STDOUT) * - --all-hidden - Scan all hidden files/directories ----------------------------------------- Format conversion: convert, cv, cnv, cvrt ----------------------------------------- Convert file format to plain, SPDX-Lite, CycloneDX or csv. .. code-block:: bash scanoss-py convert -i --format -o .. list-table:: :widths: 20 30 :header-rows: 1 * - Argument - Description * - -input , -i - Input file name. * - --output , -o - Output result file name (optional - default STDOUT) * - --format , -f - Indicates the result output format: {plain, cyclonedx, spdxlite, csv}. (optional - default plain) -------------------------------- Folder Scanning: folder-scan, fs -------------------------------- Performs a comprehensive scan of a directory using folder hashing to identify components and their matches. .. code-block:: bash scanoss-py folder-scan .. list-table:: :widths: 20 30 :header-rows: 1 * - Argument - Description * - --output , -o - Output result file name (optional - default STDOUT) * - --format , -f - Output format: {json, cyclonedx} (optional - default json) * - --timeout , -M - Timeout in seconds for API communication (optional - default 600) * - --rank-threshold - Filter results to only show those with rank value at or below this threshold (e.g., --rank-threshold 3 returns results with rank 1, 2, or 3). Lower rank values indicate higher quality matches. * - --settings , -st - Settings file to use for scanning (optional - default scanoss.json) * - --skip-settings-file, -stf - Skip default settings file (scanoss.json) if it exists * - --key , -k - SCANOSS API Key token (optional - not required for default OSSKB URL) * - --apiurl - SCANOSS API base URL (optional - default https://api.osskb.org) * - --proxy - Proxy URL to use for connections * - --pac - Proxy auto configuration. Specify a file, http url or "auto" * - --ca-cert - Alternative certificate PEM file -------------------------------- Folder Hashing: folder-hash, fh -------------------------------- Generates cryptographic hashes for files in a given directory and its subdirectories. .. code-block:: bash scanoss-py folder-hash .. list-table:: :widths: 20 30 :header-rows: 1 * - Argument - Description * - --output , -o - Output result file name (optional - default STDOUT) * - --format , -f - Output format: {json} (optional - default json) * - --settings , -st - Settings file to use for scanning (optional - default scanoss.json) * - --skip-settings-file, -stf - Skip default settings file (scanoss.json) if it exists Both commands also support these general options: * --debug, -d: Enable debug messages * --trace, -t: Enable trace messages * --quiet, -q: Enable quiet mode ------------------------------------ Container Scanning: container-scan, cs ------------------------------------ Scans Docker container images for dependencies, extracting and analyzing components within containerized applications. .. code-block:: bash scanoss-py container-scan -i .. list-table:: :widths: 20 30 :header-rows: 1 * - Argument - Description * - --image , -i - Docker image name and tag to scan (required) * - --output , -o - Output result file name (optional - default STDOUT) * - --include-base-image - Include base image dependencies in the scan results * - --format , -f - Output format: {json} (optional - default json) * - --timeout , -M - Timeout in seconds for API communication (optional - default 600) * - --key , -k - SCANOSS API Key token (optional - not required for default OSSKB URL) * - --proxy - Proxy URL to use for connections * - --ca-cert - Alternative certificate PEM file ----------------- Crypto: crypto, cr ----------------- Provides subcommands to retrieve cryptographic information for components. .. code-block:: bash scanoss-py crypto Subcommands: ~~~~~~~~~~~~ **algorithms (alg)** Retrieve cryptographic algorithms for the given components. .. code-block:: bash scanoss-py crypto algorithms --purl .. list-table:: :widths: 20 30 :header-rows: 1 * - Argument - Description * - --with-range - Returns the list of versions in the specified range that contains cryptographic algorithms. (Replaces the previous --range option) **hints** Retrieve encryption hints for the given components. .. code-block:: bash scanoss-py crypto hints --purl .. list-table:: :widths: 20 30 :header-rows: 1 * - Argument - Description * - --with-range - Returns the list of versions in the specified range that contains encryption hints. **versions-in-range (vr)** Given a list of PURLs and version ranges, get a list of versions that do/don't contain crypto algorithms. .. code-block:: bash scanoss-py crypto versions-in-range --purl Common Crypto Arguments: ~~~~~~~~~~~~~~~~~~~~~~~~ The following arguments are common to the ``algorithms``, ``hints``, and ``versions-in-range`` subcommands: .. list-table:: :widths: 20 30 :header-rows: 1 * - Argument - Description * - --purl , -p - Package URL (PURL) to process. Can be specified multiple times. * - --input , -i - Input file name containing PURLs. * - --output , -o - Output result file name (optional - default STDOUT). * - --timeout , -M - Timeout (in seconds) for API communication (optional - default 600). * - --key , -k - SCANOSS API Key token (optional - not required for default OSSKB URL). * - --ca-cert - Alternative certificate PEM file. * - --debug, -d - Enable debug messages. * - --trace, -t - Enable trace messages, including API posts. * - --quiet, -q - Enable quiet mode. ----------------- Component: ----------------- To be done ------------------------ Utilities: utilities, ut ------------------------ .. code-block:: bash scanoss-py utilities .. list-table:: :widths: 20 30 :header-rows: 1 * - Argument - Description * - fast - SCANOSS fast winnowing (requires the `SCANOSS Winnowing Python Package `_) * - certloc, cl - Display the location of Python CA certificates * - cert-download, cdl, cert-dl - Download the specified server's SSL PEM certificate * - pac-proxy, pac - Use Proxy Auto-Config to determine proxy configuration ----------------- General Arguments ----------------- .. list-table:: :widths: 20 30 :header-rows: 1 * - Argument - Description * - -debug, -d - Enable debug messages * - --trace, -t - Enable trace messages, including API posts * - --quiet, -q - Enable quiet mode Package consumption ==================== This package can be run from the command line, or consumed from another Python script. A good example of how to consume it can be found in this `file `_. In general the easiest way is to import the required module as follows: .. code-block:: python from scanoss.scanner import Scanner def main(): scanner = Scanner() scanner.scan_folder( '.' ) if __name__ == "__main__": main() Alternatively, there is a docker image of the compiled package, which can be found in this `repository `_. Details on how to run it can be found in this `file `_. Integrations ============ At SCANOSS we want to provide **easy recipes for practical solutions**, that is the reason we are constantly working on building integrations for our software. No need to adapt your existing systems to work with our software, we will adapt our software to your needs. From CI/CD integrations with `Jenkins `_ and `GitHub Actions `_, to our `SonarQube plugin `_ and our most recent `VSCode extension `_. We are always working on making our software as easy to access, consume and integrate as possible. The full list of existing integrations is down below: .. list-table:: :widths: 20 30 :header-rows: 1 * - Integration - Description * - `Jenkins `_ - Integrate scanoss-py into your pipelines * - `GitHub Actions `_ - Enhance your software development process with the SCANOSS Code Scan Action * - `SonarQube `_ - Scan your code with the SCANOSS plugin for SonarQube * - `Visual Studio Code `_ - Software Composition Analysis as you code Best practices ============== | ---------------------------------------------------------------------- *Choose the tool based on your use case, and not the other way around* ---------------------------------------------------------------------- SCANOSS offers many tools and software in the field of Software Composition Analysis, and many have similar features. For example, you can perform scans and generate software bill of materials (SBOM) with scanoss-py and the `SBOM Workbench `_, but that doesn't mean these tools are interchangeable. The SBOM Workbench's GUI can be an advantage for auditors and such, but may be a complication for developers that need to integrate an SCA solution into an existing workflow. There is also the case for language preferences, we also offer a `Javascript package `_ and a `Java SDK `_ so you have freedom to consume the SCANOSS API however you want. | ------------------------------- *Get the most accurate results* ------------------------------- License ======= The Scanoss Open Source scanoss-py package is released under the MIT license. .. toctree:: :maxdepth: 2 :hidden: :caption: Links SCANOSS Website GitHub Software transparency foundation