Overview
The SCANOSS Engine is a command-line tool that scans files and directories for open-source component matches by comparing them against the SCANOSS Knowledgebase (KB). Results are printed to STDOUT in JSON format and include licence, copyright, and component identification data.
Basic syntax:
TARGET can be a single file, a .wfp fingerprint file, or a directory.
File Matching Logic
The engine attempts to match each scanned file against the KB using the following sequence:
- URL match: Does the file exactly match a known package archive at a registered URL? If so, the identification type (id) is "url".
- File match: Does the file exactly match a known file in the KB? If so, the identification type (id) is "file".
- Snippet match: If neither of the above applies, the engine performs a snippet comparison using snippet hashes. The identification type (id) is "snippet".
- Binary match: For binary files, identification is performed via binary fingerprinting. The identification type (id) is "binary".
- No match: If none of the above apply, the identification type (id) is "none".
Component Ranking Logic
When a file is present in multiple components or versions in the KB, the engine applies a series of rules to determine the best match:
- Component hint: The scanning client can optionally pass a component hint, the name of the most recently detected component, to guide matching. The engine will favour files belonging to a component that matches this hint.
- First component released: If no hint is provided, the engine selects the oldest component in the KB that matches the scanned file.
- Tie-breaking: If two components share the same release date, the engine uses additional available metadata to select the best match.
- SBOM-declared components: When --sbom is used, the engine prioritises components declared in the supplied SBOM during analysis. If a file cannot be matched against any declared component, the ranking rules above are applied.
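The ranking rules above, written out as an added Python illustration for this page rather than code from the SCANOSS project. The candidate record layout, matching SBOM declarations by purl, and the tie-break on licence metadata are assumptions made for the example; the sample KB hits are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional

# Constructed candidate record: the field names are assumptions made for this
# example, not the engine's internal structure.
@dataclass(frozen=True)
class Candidate:
    component: str       # component name, e.g. "libfoo"
    version: str
    release_date: date   # release date recorded in the KB
    purl: str            # package URL used here to match SBOM declarations
    licence: Optional[str] = None

def rank_candidates(candidates: Iterable[Candidate],
                    hint: Optional[str] = None,
                    sbom_purls: Optional[set] = None) -> Optional[Candidate]:
    """Pick the best candidate for one scanned file following the ranking rules."""
    pool = list(candidates)
    if not pool:
        return None                         # nothing matched: id would be "none"
    # SBOM-declared components: with --sbom, restrict to declared components
    # when any candidate is declared; otherwise fall through to the other rules.
    if sbom_purls:
        declared = [c for c in pool if c.purl in sbom_purls]
        if declared:
            pool = declared
    # Component hint: favour the component named in the hint.
    if hint:
        hinted = [c for c in pool if c.component == hint]
        if hinted:
            pool = hinted
    # First component released: oldest release wins. Tie-breaking (assumption):
    # a candidate with licence data beats one without, then the purl string
    # keeps the result deterministic.
    return min(pool, key=lambda c: (c.release_date, c.licence is None, c.purl))

# Constructed sample KB hits for a single scanned file.
SAMPLE = [
    Candidate("libfoo", "2.0.0", date(2020, 5, 1), "pkg:github/example/libfoo@2.0.0", "MIT"),
    Candidate("libfoo", "1.0.0", date(2016, 3, 9), "pkg:github/example/libfoo@1.0.0", "MIT"),
    Candidate("vendored-copy", "0.1", date(2016, 3, 9), "pkg:github/example/vendored-copy@0.1"),
    Candidate("forkbar", "3.1", date(2021, 1, 1), "pkg:github/example/forkbar@3.1", "Apache-2.0"),
]

if __name__ == "__main__":
    print(rank_candidates(SAMPLE))                  # oldest release, tie broken by licence data
    print(rank_candidates(SAMPLE, hint="forkbar"))  # hint outranks release date
    print(rank_candidates(SAMPLE, sbom_purls={"pkg:github/example/libfoo@2.0.0"}))
```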