oss-review-toolkit / ort

A suite of tools to automate software compliance checks.
https://oss-review-toolkit.org
Apache License 2.0

Add ScanOSS as a scanner #2908

Closed sschuberth closed 2 years ago

sschuberth commented 3 years ago

ScanOSS seems to be the first snippet scanner that's available as Open Source. While the engine indeed is Open Source, the knowledge database is not (selling subscriptions for it is their business model) and needs to be built up via their mining tool.

It would be interesting to integrate the miner / scanner into ORT to build up the database "on the go" with usual ScanCode scans, and also make use of the ScanOSS scanner once the built-up database contains significant data.

sschuberth commented 3 years ago

ScanOSS now seems to build up a public database of fingerprints for Open Source Software, see https://osskb.org/osskb.html.

sschuberth commented 3 years ago

Also see https://api.scanoss.com/doc.

sschuberth commented 2 years ago

Quoting @scanossjs from the oss-based-compliance-tooling mailing list:

SCANOSS provides file-level detection of cryptographic algorithms as input for Export Control. This is an example of a scan result from OpenSSL (removed key sections to highlight the relevant part):

  "/crypto/crmf/crmf_local.h": [
    {
      "id": "file",
      "lines": "all",
      "oss_lines": "all",
      "matched": "100%",
      "vendor": "sailfishos-mirror",
      "component": "openssl",
      "version": "openssl-3.0.0-alpha10",
      […],
      "cryptography": [
        {
          "algorithm": "SHA1",
          "strength": "128"
        }
      ],
      "elapsed": "0.000427s"
    }
  ],

So this makes a ScanOSS implementation relevant for #2879, too.
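To show how a result in this shape could be consumed for the export-control use case, here is an added Python example (not ORT's or ScanOSS's code) that flattens a constructed result, modelled on the excerpt quoted above, into per-file and per-algorithm cryptography findings. The second file entry, the `"id": "none"` entry for an unmatched file, and the omission of the elided fields are assumptions, not documented ScanOSS output.

```python
import json

# Constructed ScanOSS-style result modelled on the excerpt quoted in the issue.
# The fields elided there are simply left out; the AES entry and the "none"
# entry for an unmatched file are assumptions about the format.
SAMPLE_RESULT = json.loads("""
{
  "/crypto/crmf/crmf_local.h": [
    {
      "id": "file",
      "lines": "all",
      "oss_lines": "all",
      "matched": "100%",
      "vendor": "sailfishos-mirror",
      "component": "openssl",
      "version": "openssl-3.0.0-alpha10",
      "cryptography": [{"algorithm": "SHA1", "strength": "128"}],
      "elapsed": "0.000427s"
    }
  ],
  "/crypto/aes/aes_core.c": [
    {"id": "file", "component": "openssl",
     "cryptography": [{"algorithm": "AES", "strength": "256"}]}
  ],
  "/README.md": [
    {"id": "none"}
  ]
}
""")


def crypto_findings(result):
    """Flatten a result into (path, algorithm, strength_bits) tuples."""
    findings = []
    for path, matches in result.items():
        for match in matches:
            if match.get("id") == "none":
                continue  # file had no OSS match, so nothing to report
            for entry in match.get("cryptography", []):
                # strength is reported as a string; convert for sorting/thresholds
                findings.append((path, entry["algorithm"], int(entry["strength"])))
    return findings


def summarize_by_algorithm(result):
    """Group file paths per algorithm, the view an export-control report needs."""
    summary = {}
    for path, algorithm, _bits in crypto_findings(result):
        summary.setdefault(algorithm, []).append(path)
    return summary
```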