engine
by
scanoss

Description: SCANOSS Open Source Inventory Engine

View on GitHub ↗

Summary Information

Updated 12 minutes ago
Added to GitGenius on November 17th, 2025
Created on July 12th, 2020
Open Issues & Pull Requests: 1 (+0)
Number of forks: 20
Total Stargazers: 41 (+0)
Total Subscribers: 5 (+0)

Issue Activity (beta)

Open issues: 0
New in 7 days: 0
Closed in 7 days: 0
Avg open age: N/A days
Stale 30+ days: 0
Stale 90+ days: 0

Recent activity

Opened in 7 days: 0
Closed in 7 days: 0
Comments in 7 days: 0
Events in 7 days: 0

Top labels

No label distribution available yet.

Most active issues this week

No issue events were indexed in the last 7 days.

Repository Insights (GitGenius)

Median issue/PR response: 1.5 hours
Mean response time: 39.6 hours
90th percentile: 3.5 days
Tracked items: 4

Most active contributors

Detailed Description

The SCANOSS Open Source Engine is a command-line tool written in C designed to perform open source software inventory analysis by comparing files and directories against the SCANOSS Knowledge Base. The engine enables developers to identify open source components, detect licenses, and assess vulnerabilities in their codebase from the earliest stages of development, shifting the software bill of materials creation process from a post-development audit to continuous real-time analysis.

The engine operates by matching scanned files through a hierarchical process. It first attempts to match files against entire packages by comparing them to downloaded archives, producing a "url" type identification. If that fails, it matches against known complete files for a "file" type identification. When neither succeeds, the engine performs snippet comparison using snippet hashes to identify partial matches, generating a "snippet" type identification. Files that match none of these criteria receive a "none" type identification. The engine includes a sophisticated file ranking algorithm that uses component hints, release dates, and SBOM ingestion to determine the best match when files appear across multiple components and versions.

Configuration options provide granular control over scanning behavior. Basic settings include processing targets as WFP files, enabling High Precision Snippet Match mode, and adjusting parameters like maximum snippets per file, component limits, and tolerance thresholds. The engine supports SBOM integration in CycloneDX and SPDX 2.2 formats, allowing users to include assets from existing SBOMs or blacklist specific components. Additional features include attribution notice generation, license metadata display, and comprehensive license reporting capabilities.

The engine provides multiple scanning flags that can be toggled to disable or enable specific analysis types including snippet matching, dependencies, licenses, copyrights, vulnerabilities, quality assessment, cryptography analysis, and health layer evaluation. These flags can be set via command-line parameters or configuration files. Environment variables allow customization of the snippet scanning match map size and API endpoint configuration for source file retrieval.

According to GitGenius activity tracking, the repository shows responsive issue and pull request handling with a median response latency of 1.5 hours across tracked items and a mean latency of 39.6 hours. The primary contributor mscasso-scanoss has driven 12 tracked events, with lucasgonze and CharmNight contributing 3 and 2 events respectively. The repository shares overlapping contributors with oss-review-toolkit/ort, kestra-io/kestra, and astral-sh/ruff, indicating integration points within the broader open source tooling ecosystem.

The engine requires the SCANOSS LDB shared library version 4.1.0 or higher and libgcrypt-dev as prerequisites. It outputs results in JSON format to standard output, allowing easy integration into existing development workflows and toolchains. The tool is released under the GPL 2.0 license and represents a developer-focused approach to compliance and supply chain security by embedding open source analysis directly into the development process rather than treating it as a separate compliance step.

engine
by
scanossscanoss/engine

Repository Details

Fetching additional details & charts...