  • Stars 153
  • Rank 243,368 (Top 5 %)
  • Language Batchfile
  • Created about 8 years ago
  • Updated 8 months ago

Repository Details

AboutCode project: tools and data to uncover things about code: the provenance, origin, license, and more (packages, security, quality, etc.) of FOSS code

AboutCode

What is AboutCode?

AboutCode is a family of FOSS projects to uncover data ... about software:

  • where does the code come from? which software package?
  • what is its license? copyright?
  • is the code vulnerable, maintained, well coded?
  • what are its dependencies, and do they have vulnerabilities or licensing issues?

All these are questions that are important to answer: there are millions of free and open source software components available on the web for reuse.

Knowing where a software package comes from, what its license is and whether it is vulnerable should be a problem of the past such that everyone can safely consume more free and open source software. We support not only open source software, but also open data, generated and curated by our applications.

NOTE: This repository holds information about AboutCode open source activities; it is not a code repository. See the Projects section below for links to all the code repositories of our projects, each with a brief overview, and our wiki if you are looking to participate.

Important Links

Our homepage is at http://aboutcode.org

Our documentation (in progress) is at https://aboutcode.readthedocs.io/en/latest/

Join the chat online at app.gitter.im (room aboutcode-org#discuss), or, if you are using the Element app, set the homeserver to gitter.im and join the aboutcode-org#discuss room. Introduce yourself and start the discussion!

Look at our wiki for information about our participation in the GSoC and GSoD programs.

We have a weekly meeting, see more details here.

Projects

Each AboutCode project has its own repository:

  • ScanCode Toolkit: a set of code scanning tools to detect the origin and license of code and dependencies. ScanCode now uses a plug-in architecture to run a series of scan-related tools in one process flow. This is the most popular project and is used by hundreds of software teams. The lead maintainer is @pombredanne

  • ScanCode.io: a web-based application and API to run and review scans in rich scripted pipelines on different kinds of inputs (containers, Docker images, package archives, manifests, etc.) to get information on licenses, copyrights, origin and vulnerabilities. The lead maintainer is @tdruez

  • VulnerableCode: a web-based API and database to collect and track all the known software package vulnerabilities, with affected and fixed packages and references, plus a standalone tool, Vulntotal, to compare this vulnerability information across similar tools. This is maintained by @tg1999 and @pombredanne

  • univers: a package to parse and compare all the package versions and all the version ranges.

  • purlDB consists of tools to create and expose a database of purls (Package URLs) and also has package data for all of these packages created from scans. This is maintained by @jyang

  • FetchCode is a library to reliably fetch any code via HTTP, FTP and version control systems such as git.

  • ScanCode Workbench: a desktop application based on TypeScript and React to visualize and review scan results from ScanCode scans.

  • AboutCode Toolkit: a set of command line tools to document the provenance of your code and generate attribution notices. AboutCode Toolkit uses small YAML files (ABOUT files) to document code provenance inside a codebase. The lead maintainer is @chinyeungli

  • container-inspector: a tool to analyze the structure and provenance of software components in Docker images using static analysis. Maintained by @pombredanne

  • python-inspector and nuget-inspector: inspect manifests and code to resolve dependencies (vulnerable and non-vulnerable) for Python and NuGet packages respectively.

  • license-expression: a library to parse, analyze, compare and normalize SPDX and SPDX-like license expressions using a boolean logic expression engine. See https://spdx.org/spdx-specification-21-web-version#h.jxpfx0ykyb60 to understand what an expression is. See https://github.com/nexB/license-expression for the code. The underlying boolean engine is live at https://github.com/bastikr/boolean.py . Both are co-maintained by @pombredanne

  • ABCD aka AboutCode Data: a simple set of conventions to define data structures that all the AboutCode tools can understand and use to exchange data. The details are at AboutCode Data. ABOUT files and ScanCode Toolkit data are examples of this approach. Other projects such as https://libraries.io and OSS Review Toolkit also use these conventions.

  • TraceCode Toolkit: a set of tools to trace files from your deployment or distribution packages back to their origin in a development codebase or repository. The primary tool uses strace https://github.com/strace/strace/ to trace system calls on Linux and construct a build graph from syscalls to show which files are used to build a binary. We are contributors to strace. Maintained by @pombredanne
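To make concrete what the license-expression project above does, here is a small standalone parser for SPDX-style expressions. This is example code written for this page, not the license-expression library or its API: it builds an AST with the SPDX precedence (OR lowest, then AND, then WITH), keeps "X WITH Y" as a single symbol, matches keywords case-insensitively (a lenient choice made here), renders a canonical string, and decides equivalence with a brute-force truth table over the license symbols, which also catches duplicates and absorption such as "MIT OR (MIT AND X)" versus "MIT". It does not normalize the case of license identifiers.

```python
import itertools
import re

_TOKEN = re.compile(r"\(|\)|[^\s()]+")
_KEYWORDS = {"AND", "OR", "WITH"}


class ExpressionError(ValueError):
    """Raised for a malformed license expression."""


def parse(text):
    """AST: a str for a license symbol ('X WITH Y' stays one symbol) or
    ('AND'|'OR', (child, ...)) with nested same-operator nodes flattened."""
    tokens = _TOKEN.findall(text)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def is_kw(tok, kw):
        return tok is not None and tok.upper() == kw

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def symbol():                 # a license or exception identifier, never a keyword or paren
        tok = peek()
        if tok is None or tok in ("(", ")") or tok.upper() in _KEYWORDS:
            raise ExpressionError(f"expected a license identifier at token {pos}, got {tok!r}")
        return take()

    def primary():
        if peek() == "(":
            take()
            node = or_expr()
            if peek() != ")":
                raise ExpressionError(f"missing ')' at token {pos}")
            take()
            return node
        return symbol()

    def with_expr():              # WITH binds tightest and only to a single license
        node = primary()
        if is_kw(peek(), "WITH"):
            take()
            if not isinstance(node, str):
                raise ExpressionError("WITH applies to a single license, not a group")
            node = f"{node} WITH {symbol()}"
        return node

    def binary(op, operand):
        children = [operand()]
        while is_kw(peek(), op):
            take()
            children.append(operand())
        if len(children) == 1:
            return children[0]
        flat = []
        for child in children:    # (A AND B) AND C -> A AND B AND C
            flat.extend(child[1] if isinstance(child, tuple) and child[0] == op else [child])
        return (op, tuple(flat))

    def and_expr():
        return binary("AND", with_expr)

    def or_expr():
        return binary("OR", and_expr)

    if not tokens:
        raise ExpressionError("empty expression")
    node = or_expr()
    if pos != len(tokens):
        raise ExpressionError(f"unexpected token {tokens[pos]!r} at token {pos}")
    return node


def symbols(node):
    return {node} if isinstance(node, str) else set().union(*(symbols(c) for c in node[1]))


def evaluate(node, truth):
    """Evaluate for a mapping symbol -> bool (e.g. 'acceptable under our policy')."""
    if isinstance(node, str):
        return truth[node]
    op, children = node
    return (all if op == "AND" else any)(evaluate(c, truth) for c in children)


def is_equivalent(a, b):
    """Boolean equivalence by exhaustive truth table over the union of symbols."""
    left, right = parse(a), parse(b)
    names = sorted(symbols(left) | symbols(right))
    return all(evaluate(left, dict(zip(names, bits))) == evaluate(right, dict(zip(names, bits)))
               for bits in itertools.product((False, True), repeat=len(names)))


def normalize(text):
    """Canonical string: flattened, deduplicated, sorted operands, minimal parentheses."""
    def render(node, parent_op=None):
        if isinstance(node, str):
            return node
        op, children = node
        parts = sorted({render(c, op) for c in children})
        out = parts[0] if len(parts) == 1 else f" {op} ".join(parts)
        # only an OR nested inside an AND needs parentheses (AND binds tighter)
        return f"({out})" if parent_op == "AND" and op == "OR" and len(parts) > 1 else out
    return render(parse(text))


def is_valid(text):
    try:
        parse(text)
        return True
    except ExpressionError:
        return False
```

The truth-table check is exponential in the number of distinct licenses, which is fine for real-world expressions (a handful of symbols) but is the reason a production engine like boolean.py uses algebraic simplification instead.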

We also co-started and worked closely with other FOSS orgs and projects:

  • Package URL: a widely used standard to reference software packages of all types with simple, readable and concise URLs.

  • SPDX, aka Software Package Data Exchange: a spec to document the origin and licensing of packages.

  • CycloneDX, aka OWASP CycloneDX: a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction.

  • ClearlyDefined: a project to review and help FOSS projects improve their licensing and documentation clarity. This project is incubating with https://opensource.org
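Package URLs are the identifier that ties the tools above together (purlDB, VulnerableCode, SBOM formats), so it is worth seeing the format itself: pkg:type/namespace/name@version?qualifiers#subpath. The following is an added example written for this page, not the packageurl-python library: a parser and canonicalizer that splits from the right on "#", "?" and "@" as the spec describes, percent-decodes components, lowercases the type and qualifier keys, drops empty qualifier values, sorts qualifiers so two equal purls render identically, discards ".", ".." and empty subpath segments, and applies the per-type name rules for pypi, npm, github and bitbucket. Its percent-encoding keeps ":" (and "/" in qualifier values) readable and encodes other reserved characters, which is a choice made here and may be stricter than other implementations for characters like "+".

```python
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import quote, unquote


@dataclass
class PackageURL:
    type: str
    name: str
    namespace: str | None = None
    version: str | None = None
    qualifiers: dict[str, str] = field(default_factory=dict)
    subpath: str | None = None

    def to_string(self) -> str:
        """Canonical form; '@', '?', '#' and '/' inside a component are percent-encoded."""
        out = f"pkg:{self.type}/"
        if self.namespace:
            out += "/".join(_enc(s) for s in self.namespace.split("/")) + "/"
        out += _enc(self.name)
        if self.version:
            out += "@" + _enc(self.version)
        if self.qualifiers:  # sorted keys: equal purls always render identically
            out += "?" + "&".join(f"{k}={_enc(v, safe=':/')}" for k, v in sorted(self.qualifiers.items()))
        if self.subpath:
            out += "#" + "/".join(_enc(s) for s in self.subpath.split("/"))
        return out


def _enc(value: str, safe: str = ":") -> str:
    # this example's encoding choice: keep ':' (and '/' in qualifier values) readable
    return quote(value, safe=safe)


def _split_right(text: str, sep: str) -> tuple[str, str]:
    """Split once from the right on sep; (text, '') when sep is absent."""
    head, found, tail = text.rpartition(sep)
    return (head, tail) if found else (text, "")


def _type_rules(ptype: str, namespace: str | None, name: str) -> tuple[str | None, str]:
    """Per-type normalizations from the purl spec, for the types handled in this example."""
    if ptype == "pypi":                       # case-insensitive, '_' and '-' are equivalent
        name = name.lower().replace("_", "-")
    elif ptype in ("github", "bitbucket"):    # owner and repository are case-insensitive
        namespace, name = (namespace.lower() if namespace else namespace), name.lower()
    elif ptype == "npm":
        name = name.lower()
    return namespace, name


def parse_purl(purl: str) -> PackageURL:
    scheme, colon, rest = purl.strip().partition(":")
    if not colon or scheme.lower() != "pkg":
        raise ValueError(f"not a purl, missing 'pkg:' scheme: {purl!r}")
    rest = rest.lstrip("/")                   # tolerate the non-canonical 'pkg://...'
    rest, subpath = _split_right(rest, "#")
    rest, raw_qualifiers = _split_right(rest, "?")
    rest, version = _split_right(rest, "@")   # an '@' inside a name must be %40-encoded
    ptype, slash, path = rest.partition("/")
    segments = [unquote(s) for s in path.split("/") if s]
    if not slash or not segments:
        raise ValueError(f"purl needs a type and a name: {purl!r}")
    namespace, name = _type_rules(ptype.lower(), "/".join(segments[:-1]) or None, segments[-1])

    qualifiers: dict[str, str] = {}
    for pair in filter(None, raw_qualifiers.split("&")):
        key, _, value = pair.partition("=")
        if value:                             # 'key=' with an empty value is dropped
            qualifiers[key.lower()] = unquote(value)

    # '.', '..' and empty segments are discarded so a subpath cannot point outside the package
    clean_subpath = "/".join(s for s in map(unquote, subpath.split("/")) if s not in ("", ".", ".."))
    return PackageURL(ptype.lower(), name, namespace, unquote(version) or None, qualifiers, clean_subpath or None)


def canonicalize(purl: str) -> str:
    """Parse and re-render, so differently written purls for one package compare equal as strings."""
    return parse_purl(purl).to_string()
```

Canonicalizing before lookup or comparison matters in practice: "pkg:PyPI/Django_Rest_Framework@3.14.0" and "pkg:pypi/django-rest-framework@3.14.0" name the same package, and a vulnerability database keyed on the raw string would miss the match.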

More Repositories

  • scancode-toolkit (Python, 2,033 stars): 🔍 ScanCode detects licenses, copyrights, dependencies by "scanning code" ... to discover and inventory open source and third-party packages used in your code. Sponsored by NLnet project https://nlnet.nl/project/vulnerabilitydatabase, the Google Summer of Code, Azure credits, nexB and other generous sponsors!
  • vulnerablecode (Python, 510 stars): A free and open database of vulnerabilities and the packages they impact, plus the tools to aggregate and correlate these vulnerabilities. Sponsored by NLnet (https://nlnet.nl/project/vulnerabilitydatabase/) for https://www.aboutcode.org/. Chat at https://gitter.im/aboutcode-org/vulnerablecode, docs at https://vulnerablecode.readthedocs.org/
  • scancode-workbench (TypeScript, 145 stars): 📊 ScanCode Workbench is a desktop app to review and conclude license and origin from code scans generated by ScanCode Toolkit.
  • scancode.io (Python, 94 stars): ScanCode.io is a server to script and automate software composition analysis pipelines with ScanPipe pipelines. Sponsored by NLnet project https://nlnet.nl/project/vulnerabilitydatabase/, Google Summer of Code, nexB and other generous sponsors!
  • aboutcode-toolkit (Python, 90 stars): ✅ AboutCode Toolkit provides a simple way to document provenance metadata (origin and license) about third-party code that you use in your project; it includes utilities to generate inventory/BOM or attribution documentation.
  • license-expression (Python, 54 stars): Utility library to parse, normalize and compare license expressions for Python using a boolean logic engine, for expressions using SPDX or any other license id scheme.
  • extractcode (Python, 31 stars): A mostly universal file extraction library and CLI tool to extract almost any archive in a reasonably safe way on Linux, macOS and Windows.
  • container-inspector (Python, 30 stars): A suite of analysis utilities and command line tools for Docker container images, their layers and how these relate to each other. It can also handle OCI images and Dockerfiles.
  • python-publicsuffix2 (Python, 29 stars): A small Python library to deal with publicsuffix data (includes a bundled PSL as "package data") in a wheel-friendly format. Fork and continuation of Tomaž Šolc's "publicsuffix".
  • purldb (HTML, 29 stars): Tools to create and expose a database of purls (Package URLs). Sponsored by NLnet project https://nlnet.nl/project/vulnerabilitydatabase/ and nexB for https://www.aboutcode.org/. Chat at https://gitter.im/aboutcode-org/discuss
  • scancode-licensedb (Makefile, 27 stars): A free and open database of all the licenses, in particular all the open source software licenses.
  • univers (Python, 27 stars): Parse and compare all the package versions and all the ranges, from Debian, npm, PyPI, Ruby and more. Process all the version range specs and expressions. Sponsored by an NLnet project https://nlnet.nl/project/vulnerabilitydatabase/, the Google Summer of Code, nexB and other generous sponsors!
  • tracecode-toolkit-strace (Python, 25 stars): Trace software components, packages and files between development/source and deployment/distribution/binaries codebases: strace build analysis.
  • python-inspector (Python, 20 stars): Inspect Python code and PyPI package manifests. Resolve Python dependencies.
  • deltacode (Python, 19 stars): DeltaCode: compare two codebase scans (from ScanCode) to detect significant changes.
  • scancode-server (Python, 19 stars): No longer maintained. Visit https://github.com/nexB/scancode.io/ instead for a similar and current project.
  • dejacode (Python, 18 stars): Automate open source license compliance and ensure software supply chain integrity.
  • pip-requirements-parser (Python, 16 stars): A mostly correct pip requirements parsing library.
  • debian-inspector (Python, 13 stars): A Python library to parse Debian deb822-style control and copyright files and all related Debian, Ubuntu and Debian-derivative manifest and metadata files; an alternative approach to python-debian.
  • cwe2 (Python, 11 stars): Common Weakness Enumeration library for Python (maintained fork of https://github.com/Julian-Nash/cwe).
  • saneyaml (Python, 9 stars): Cleaner, simpler, safer and saner YAML parsing/serialization in Python, for YAML meant to be readable first, on top of PyYAML.
  • fetchcode (HTML, 9 stars): A library to reliably fetch code via HTTP, FTP and version control systems. Sponsored by NLnet project https://nlnet.nl/project/vulnerabilitydatabase/, Google Summer of Code, nexB and other generous sponsors!
  • skeleton (Python, 8 stars)
  • typecode (Python, 7 stars)
  • clearcode-toolkit (Python, 7 stars): ClearCode is a simple tool to fetch and sync all ClearlyDefined data locally.
  • scancode-analyzer (Python, 4 stars): scancode-results-analyzer.
  • scancode-thirdparty-src (HTML, 4 stars): Source code for ScanCode prebuilt dependencies.
  • nuget-inspector (C#, 4 stars): Inspect and resolve .NET and NuGet package dependencies like dotnet and nuget do. Fetch manifest data. Runs on Linux, Windows and macOS as a standalone application.
  • purldb-data (4 stars): A dataset of purls for offline lookup and verification usage. Sponsored by NLnet project https://nlnet.nl/project/vulnerabilitydatabase/ and nexB for https://www.aboutcode.org/. Chat at https://gitter.im/aboutcode-org/discuss
  • scancode-action (4 stars): Run ScanCode.io pipelines from your Workflows.
  • commoncode (Python, 3 stars)
  • pkginfo2 (Python, 3 stars): Git mirror of http://bazaar.launchpad.net/~tseaver/pkginfo ... with modifications.
  • pygmars (Python, 3 stars): Craft simple regex-based small language lexers and parsers. Build parsers from grammars and accept Pygments lexers as an input. Derived from NLTK.
  • turbo-spdx (Python, 2 stars): Fast and lightweight Python library for parsing and writing SPDX JSON documents correctly.
  • scancode-plugins (HTML, 2 stars): A set of plugins, either delivered as builtin scancode-toolkit plugins or as extra plugins.
  • scancode-toolkit-contrib (C, 2 stars): Candidate additions and contributions for the ScanCode toolkit.
  • dependency-inspector (Go, 2 stars): A general purpose, mostly universal software package dependency resolver.
  • scancode-toolkit-plugin-cookiecutter (Python, 1 star)
  • plugincode (Python, 1 star)
  • jvm-inspector (Python, 1 star): [WIP] A set of tools and utility functions to inspect JVM byte code and source code.
  • sanexml (Python, 1 star)
  • federatedcode (Python, 1 star)
  • dejacode-toolkit (1 star): [Work in progress] An API client and toolkit with libraries, utilities and helpers to work with the DejaCode API.
  • go-inspector (Python, 1 star): [WIP] An inspector for Go language-based source, binaries, packages, dependencies and metadata.
  • scancode.io-pipeline-glc_scan (Python, 1 star)
  • scancode-toolkit-reference-scans (HTML, 1 star)
  • heritedcode (Python, 1 star): A Software Heritage API client.
  • vulnerablecode-data (1 star)
  • aboutcode-cyclonedx-taxonomy (1 star): AboutCode CycloneDX Property Taxonomy.
  • spdx-licenses (1 star): A mirror of http://spdx.org licenses.
  • matchcode-toolkit (Python, 1 star)
  • attributecode (Python, 1 star): [Archived] This project was an attribution generation tool with many content and format options for the input data. All its features have been folded back into the latest AboutCode Toolkit at https://github.com/nexB/aboutcode-toolkit
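The "reasonably safe" extraction that the extractcode entry above promises comes down to one rule: no member of an archive may cause a write outside the destination directory. The following is an added example written for this page, not extractcode's own code. It audits and extracts a tar archive with the standard library only, refusing absolute member names, ".." traversal, symlinks and hardlinks whose target resolves outside the destination, and device or FIFO nodes; the check runs again for every member immediately before it is written, because a symlink extracted earlier changes what a later relative path resolves to. The sample archive is constructed in memory and its hostile members are made up for the demonstration.

```python
import io
import os
import shutil
import tarfile
import tempfile


def _inside(root: str, candidate: str) -> bool:
    """True when candidate, after resolving '..' and any symlinks that already exist, stays under root."""
    root, target = os.path.realpath(root), os.path.realpath(candidate)
    return target == root or target.startswith(root + os.sep)


def check_member(member: tarfile.TarInfo, dest: str):
    """Return None if the member may be written under dest, otherwise the reason to refuse it."""
    name = member.name
    if os.path.isabs(name) or name.startswith(("/", "\\")) or name[1:2] == ":":
        return "absolute path"
    target = os.path.join(dest, name)
    if not _inside(dest, target):
        return "path traversal outside destination"
    if member.issym() or member.islnk():
        if os.path.isabs(member.linkname):
            return "link target is absolute"
        # a symlink target is relative to the link's directory; a hardlink target to the archive root
        base = os.path.dirname(target) if member.issym() else dest
        if not _inside(dest, os.path.join(base, member.linkname)):
            return "link target outside destination"
    elif not (member.isfile() or member.isdir()):
        return "special file (device, fifo or unknown type)"
    return None


def audit_archive(archive: bytes, dest: str = os.path.join(os.sep, "extract-root")) -> dict:
    """Dry run: map each refused member name to its reason, without writing anything."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        findings = ((m.name, check_member(m, dest)) for m in tar)
        return {name: reason for name, reason in findings if reason}


def safe_extract(archive: bytes, dest: str):
    """Extract only members that pass check_member; returns (extracted names, [(name, reason), ...])."""
    os.makedirs(dest, exist_ok=True)
    # defence in depth: also apply the stdlib 'data' filter where this Python has it (3.12+ and backports)
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    extracted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for member in tar:
            reason = check_member(member, dest)  # re-checked per member, just before writing
            if reason:
                rejected.append((member.name, reason))
                continue
            tar.extract(member, path=dest, set_attrs=False, **extra)
            extracted.append(member.name)
    return extracted, rejected


def build_demo_archive() -> bytes:
    """Constructed sample: two legitimate files plus four hostile members."""
    def add(tar, name, data=b"", kind=tarfile.REGTYPE, linkname=""):
        info = tarfile.TarInfo(name)
        info.type, info.linkname, info.size = kind, linkname, len(data)
        tar.addfile(info, io.BytesIO(data) if data else None)

    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        add(tar, "pkg/README.md", b"hello\n")
        add(tar, "pkg/src/main.c", b"int main(void) { return 0; }\n")
        add(tar, "../../outside.txt", b"zip-slip style traversal\n")
        add(tar, "/etc/cron.d/evil", b"absolute path\n")
        add(tar, "pkg/escape", kind=tarfile.SYMTYPE, linkname="/etc")
        add(tar, "pkg/null", kind=tarfile.CHRTYPE)
    return buf.getvalue()


def demo() -> dict:
    """Extract the sample into a scratch directory and report what actually landed on disk."""
    dest = tempfile.mkdtemp(prefix="safe-extract-")
    try:
        extracted, rejected = safe_extract(build_demo_archive(), dest)
        on_disk = sorted(os.path.relpath(os.path.join(d, f), dest)
                         for d, _, files in os.walk(dest) for f in files)
        return {"extracted": extracted, "rejected": rejected, "on_disk": on_disk}
    finally:
        shutil.rmtree(dest, ignore_errors=True)
```

Note that `tarfile` does not rewrite member names on read, so without a check like this an absolute name is joined onto the destination and wins (this is the classic Python tarfile extraction issue that the 3.12 extraction filters were added to address); the audit function lets a pipeline reject an archive before spending any I/O on it.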