Product Context Dependency is a powerful feature that allows you to enforce fine-grained control over component usage within your codebase. Instead of simply tracking which components exist, you can define rules about where they should (and shouldn’t) be used.
Prerequisites
Ensure scanoss-py is installed:
pip3 install scanoss
For enhanced performance with fast winnowing:
pip3 install scanoss[fast_winnowing]
Verify installation:
Getting Started
Initial Discovery Scan
Run a comprehensive scan to discover all components in your project:
scanoss-py scan -D -o results.json /path/to/folder
Options explained:
-D or --dependencies: Enable dependency detection
-o results.json: Output file for scan results
/path/to/folder: Scan the specified folder. You can use . to scan the current directory.
The first scan should be run without a scanoss.json file to discover all components in your project.
Identify Undeclared Components
Inspect the scan results to find components not yet declared in your configuration:
scanoss-py inspect undeclared -i results.json
Sample Output:
{
  "bom": {
    "include": [
      {
        "purl": "pkg:github/scanoss/engine"
      },
      {
        "purl": "pkg:github/scanoss/scanoss.py"
      }
    ]
  }
}
Create scanoss.json Configuration
Create a scanoss.json file in the same directory you’re scanning to declare approved components:
{
  "self": {
    "name": "scanoss-project",
    "version": "1.0.0",
    "license": "GPL-2.0-only",
    "description": "Project using SCANOSS engine and Python SDK"
  },
  "bom": {
    "include": [
      {
        "purl": "pkg:github/scanoss/engine",
        "comment": "Approved: Core SCANOSS engine used for software composition analysis"
      },
      {
        "purl": "pkg:github/scanoss/scanoss.py",
        "comment": "Approved: Python client library for SCANOSS API"
      }
    ]
  }
}
Rescan with Configuration
Apply your configuration by rescanning with the settings file:
scanoss-py scan -D --settings scanoss.json -o results.json /path/to/folder
The tool will now pick up scanoss.json from the scan directory and apply its rules to the results.
Validate Compliance
After scanning with your configuration, verify that all components are properly declared:
scanoss-py inspect undeclared -i results.json
Success output:
0 undeclared component(s) were found.
Otherwise, the output lists each undeclared component that still needs to be added to your scanoss.json.
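The check described above (detected components versus the bom.include list) is simple enough to reproduce as a CI gate that fails the build when anything undeclared turns up. The script below is an added illustration written for this page, not scanoss-py's own `inspect undeclared` implementation; the results layout it consumes is a simplified, constructed subset of a scanoss-py results file (file path mapped to a list of matches, with dependency hits carrying a "dependencies" list), so adapt the accessors if your output differs.

```python
"""Minimal "undeclared component" gate for a CI job.

Compares the purls reported in a scanoss-py results file with the
bom.include list of a scanoss.json and reports anything not declared.
Illustration written for this page, not scanoss-py's own code; the
results layout below is a simplified, constructed subset of the real
output (file path -> list of matches).
"""
import json
import sys

# Constructed sample results (simplified; not real scanoss-py output).
SAMPLE_RESULTS = {
    "src/copyright.c": [
        {"id": "file", "purl": ["pkg:github/scanoss/engine"],
         "version": "5.0.0", "licenses": [{"name": "GPL-2.0-only"}]}
    ],
    "src/scanner_test.py": [
        {"id": "snippet", "purl": ["pkg:github/scanoss/scanoss.py"],
         "version": "1.3.6", "licenses": [{"name": "MIT"}]}
    ],
    "requirements.txt": [
        {"id": "dependency",
         "dependencies": [{"purl": "pkg:pypi/requests@2.31.0"}]}
    ],
    "README.md": [{"id": "none"}],
}

# Constructed scanoss.json that declares only the engine.
SAMPLE_SETTINGS = {"bom": {"include": [{"purl": "pkg:github/scanoss/engine"}]}}


def base_purl(purl):
    """Drop a trailing @version so 'pkg:x/y@1.0' and 'pkg:x/y' compare equal."""
    return purl.split("@", 1)[0]


def detected_components(results):
    """Map base purl -> sorted list of files it was matched in.
    'none' matches carry no component and are skipped."""
    found = {}
    for path, matches in results.items():
        for match in matches:
            if match.get("id") == "none":
                continue
            purls = list(match.get("purl", []))
            purls += [dep["purl"] for dep in match.get("dependencies", [])]
            for purl in purls:
                found.setdefault(base_purl(purl), set()).add(path)
    return {purl: sorted(files) for purl, files in found.items()}


def declared_components(settings):
    """Base purls listed under bom.include (versions ignored)."""
    entries = settings.get("bom", {}).get("include", [])
    return {base_purl(entry["purl"]) for entry in entries}


def undeclared(results, settings):
    """{purl: [files]} for every detected component missing from bom.include."""
    declared = declared_components(settings)
    return {purl: files for purl, files in detected_components(results).items()
            if purl not in declared}


def main(results_path, settings_path):
    """Exit 1 when undeclared components exist, so a CI job fails the build."""
    with open(results_path) as fh:
        results = json.load(fh)
    with open(settings_path) as fh:
        settings = json.load(fh)
    missing = undeclared(results, settings)
    if not missing:
        print("0 undeclared component(s) were found.")
        return 0
    for purl, files in sorted(missing.items()):
        print(f"undeclared: {purl} (seen in {', '.join(files)})")
    return 1


if __name__ == "__main__":
    if len(sys.argv) == 3:
        sys.exit(main(sys.argv[1], sys.argv[2]))
    # With no arguments, run against the constructed sample data.
    for purl, files in undeclared(SAMPLE_RESULTS, SAMPLE_SETTINGS).items():
        print(f"undeclared: {purl} (seen in {', '.join(files)})")
```

Run it as `python gate.py results.json scanoss.json` after the scan step; the non-zero exit code is what makes the pipeline stop. Versions are deliberately stripped before comparison, matching the page's first-pass scanoss.json, which declares purls without versions.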
Advanced Context Rules
Path-Specific Restrictions
Restrict components to specific directories in your project:
{
  "bom": {
    "include": [
      {
        "purl": "pkg:github/scanoss/engine@5.0.0",
        "path": "src/",
        "comment": "Engine core allowed in source directory only"
      },
      {
        "purl": "pkg:github/scanoss/scanoss.py@v1.3.6",
        "path": "src/",
        "comment": "Python SDK for scanning operations in source"
      }
    ]
  }
}
Version Upgrade Management
Enforce version upgrades or library replacements:
{
  "bom": {
    "replace": [
      {
        "purl": "pkg:github/scanoss/engine@5.0.0",
        "replace_with": "pkg:github/scanoss/engine@5.0.2",
        "path": "src/",
        "license": "GPL-2.0-only",
        "comment": "Upgrade to latest engine version (5.0.2 available)"
      },
      {
        "purl": "pkg:github/scanoss/scanoss.py@v1.3.6",
        "replace_with": "pkg:github/scanoss/scanoss.py@v1.4.0",
        "path": "src/",
        "license": "MIT",
        "comment": "Upgrade Python SDK for latest features and security fixes"
      }
    ]
  }
}
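To see how the path-scoped include rules and the replace rules above interact, the following added example evaluates a set of detections against a combined scanoss.json. It is an illustration written for this page, not scanoss-py's rule engine, and it assumes semantics that should be confirmed against the settings documentation: "path" is a prefix the matched file must fall under, a purl that carries @version only matches that version, and a matching replace rule takes precedence over an include rule. The settings and detections are constructed.

```python
"""Evaluate path-scoped include/replace rules from a scanoss.json.

Illustration written for this page, not scanoss-py's own rule engine.
Assumed semantics: a rule's "path" is a prefix the matched file must
fall under; a purl with @version in a rule only matches that version;
a matching "replace" rule wins over an "include" rule and names the
purl the detection should be upgraded to.
"""

# Constructed settings combining path-scoped includes with a
# version-upgrade replace rule (modelled on the snippets above).
SAMPLE_SETTINGS = {
    "bom": {
        "include": [
            {"purl": "pkg:github/scanoss/engine@5.0.0", "path": "src/",
             "comment": "Engine core allowed in source directory only"},
            {"purl": "pkg:github/scanoss/scanoss.py@v1.4.0", "path": "src/",
             "comment": "Current Python SDK"},
        ],
        "replace": [
            {"purl": "pkg:github/scanoss/scanoss.py@v1.3.6",
             "replace_with": "pkg:github/scanoss/scanoss.py@v1.4.0",
             "path": "src/",
             "comment": "Upgrade Python SDK for latest features and security fixes"},
        ],
    }
}

# Constructed detections as (file, purl) pairs; not real scan output.
SAMPLE_DETECTIONS = [
    ("src/copyright.c", "pkg:github/scanoss/engine@5.0.0"),
    ("tools/helper.c", "pkg:github/scanoss/engine@5.0.0"),  # outside src/
    ("src/scanner_test.py", "pkg:github/scanoss/scanoss.py@v1.3.6"),
    ("src/client.py", "pkg:github/scanoss/scanoss.py@v1.4.0"),
]


def split_purl(purl):
    """'pkg:x/y@1.0' -> ('pkg:x/y', '1.0'); no version -> ('pkg:x/y', None)."""
    name, _, version = purl.partition("@")
    return name, version or None


def rule_applies(rule, path, purl):
    """True when the rule's purl (and version, if pinned) and path prefix match."""
    rule_name, rule_version = split_purl(rule["purl"])
    name, version = split_purl(purl)
    if rule_name != name:
        return False
    if rule_version is not None and rule_version != version:
        return False
    prefix = rule.get("path")
    return prefix is None or path.startswith(prefix)


def evaluate(detections, settings):
    """Return [(file, purl, verdict, detail)] with verdict in
    {'replace', 'allowed', 'undeclared'}."""
    bom = settings.get("bom", {})
    report = []
    for path, purl in detections:
        replace = next((r for r in bom.get("replace", [])
                        if rule_applies(r, path, purl)), None)
        if replace is not None:
            report.append((path, purl, "replace", replace["replace_with"]))
            continue
        include = next((r for r in bom.get("include", [])
                        if rule_applies(r, path, purl)), None)
        if include is not None:
            report.append((path, purl, "allowed", include.get("comment", "")))
            continue
        report.append((path, purl, "undeclared",
                       "no include/replace rule covers this purl at this path"))
    return report


def verdicts(detections, settings):
    """Convenience view: {file: verdict}."""
    return {path: verdict for path, _, verdict, _ in evaluate(detections, settings)}


if __name__ == "__main__":
    for row in evaluate(SAMPLE_DETECTIONS, SAMPLE_SETTINGS):
        print("{:<22} {:<42} {:<10} {}".format(*row))
```

The interesting rows are `tools/helper.c`, which uses an approved component outside the directory the include rule scopes it to and therefore stays undeclared, and `src/scanner_test.py`, where the old SDK version is matched by the replace rule rather than silently allowed.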
License Compliance Configuration
Declare the license of each approved component, based on the mixed licenses detected in your scan:
{
  "self": {
    "name": "scanoss-project",
    "version": "1.0.0",
    "license": "GPL-2.0-only",
    "description": "Project using SCANOSS components with GPL-2.0 compatibility"
  },
  "bom": {
    "include": [
      {
        "purl": "pkg:github/scanoss/engine@5.0.0",
        "path": "src/copyright.c",
        "license": "GPL-2.0-only",
        "comment": "Approved: Engine component - GPL-2.0 copyleft license"
      },
      {
        "purl": "pkg:github/scanoss/scanoss.py@v1.3.6",
        "path": "src/scanner_test.py",
        "license": "MIT",
        "comment": "Approved: Python SDK - MIT license (permissive)"
      }
    ]
  }
}
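Once licenses are recorded per component as above, a useful guard is to confirm that the license you approved is actually among the licenses the scan reported for that component at that path, so an approval written from memory does not drift from what the code carries. The script below is an added illustration for this page, not part of scanoss-py; its results layout is a simplified, constructed subset of scanoss-py output, and the constructed scanoss.json deliberately records a wrong license for the SDK to show the mismatch being caught.

```python
"""Cross-check the license declared for each approved component in
scanoss.json against the license(s) the scan reported for it.

Illustration written for this page, not part of scanoss-py. The
results layout is a simplified, constructed subset of scanoss-py
output (file path -> matches, each with "purl" and "licenses").
"""

# Constructed results (simplified; not real scanoss-py output).
SAMPLE_RESULTS = {
    "src/copyright.c": [
        {"id": "file", "purl": ["pkg:github/scanoss/engine"], "version": "5.0.0",
         "licenses": [{"name": "GPL-2.0-only"}]}
    ],
    "src/scanner_test.py": [
        {"id": "snippet", "purl": ["pkg:github/scanoss/scanoss.py"], "version": "1.3.6",
         "licenses": [{"name": "MIT"}, {"name": "Apache-2.0"}]}
    ],
}

# Constructed scanoss.json: the SDK is (wrongly) approved as BSD-3-Clause.
SAMPLE_SETTINGS = {
    "self": {"name": "scanoss-project", "license": "GPL-2.0-only"},
    "bom": {"include": [
        {"purl": "pkg:github/scanoss/engine@5.0.0", "path": "src/copyright.c",
         "license": "GPL-2.0-only"},
        {"purl": "pkg:github/scanoss/scanoss.py@v1.3.6", "path": "src/scanner_test.py",
         "license": "BSD-3-Clause"},
    ]},
}


def reported_licenses(results):
    """(file, base purl) -> set of license names the scan reported there."""
    seen = {}
    for path, matches in results.items():
        for match in matches:
            names = {lic["name"] for lic in match.get("licenses", [])}
            for purl in match.get("purl", []):
                seen.setdefault((path, purl.split("@", 1)[0]), set()).update(names)
    return seen


def license_mismatches(results, settings):
    """[(purl, path, declared, reported)] for include entries whose declared
    license is not among those the scan reported for that purl under that path."""
    seen = reported_licenses(results)
    problems = []
    for entry in settings.get("bom", {}).get("include", []):
        declared = entry.get("license")
        if declared is None:
            continue  # entry approves the component without asserting a license
        base = entry["purl"].split("@", 1)[0]
        prefix = entry.get("path", "")  # no path: rule covers every file
        for (path, purl), names in seen.items():
            if purl == base and path.startswith(prefix) and declared not in names:
                problems.append((base, path, declared, sorted(names)))
    return problems


if __name__ == "__main__":
    for purl, path, declared, reported in license_mismatches(SAMPLE_RESULTS, SAMPLE_SETTINGS):
        print(f"{purl} at {path}: declared {declared}, scan reported {', '.join(reported)}")
```

A component matched under several licenses (dual-licensed code is common) passes as long as the declared license is one of them; the check is about consistency with the evidence, not about which license your project should pick under the self.license it states.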
Learn more about creating and managing scanoss.json files: SCANOSS Settings Documentation