SBOMs for Modern DevSecOps
SCANOSS is the first affordable, open OSS Inventory & Intelligence platform built specifically for modern DevSecOps teams and their supply chains, giving those teams and their supply chain partners greater license, security, quality and provenance visibility and control. By freeing developers to focus on writing great, secure and compliant code that they and their team can completely trust, applications are finished earlier, their quality is consistently higher, and development costs are dramatically lower.
Identifying Declared and Undeclared OSS Components
SCANOSS generates software bills of materials (SBOMs) that provide comprehensive and accurate information about the open source software (OSS) components used in a software application, including AI-generated code. It does this by analyzing the source code of the application and creating an inventory of all the OSS components used, both declared and undeclared.
SCANOSS is able to identify both declared and undeclared OSS components used in the codebase. Declared components are those that are explicitly listed in the source code, while undeclared components are those that are used but not listed in the code. By using advanced techniques such as code fingerprinting and machine learning, SCANOSS can identify these undeclared components, providing a more comprehensive view of the software supply chain and reducing the risk of OSS vulnerabilities going undetected.
Unrivaled OSS Risk Visibility
Open source software (OSS) is an integral part of modern software development, and it's often used to speed up development and reduce costs.
However, OSS can also pose significant risks if not managed properly. That's where OSS intelligence and a 360-degree view of risk come in.
With SCANOSS, DevSecOps teams can gain a comprehensive view of the open source components in use, including their licenses, vulnerabilities, trade compliance and other risks.
By utilizing this intelligence, teams can make informed decisions about their software supply chain, identify potential risks early in the development process, and take action to mitigate them. This approach allows for more secure and compliant software development, reducing the likelihood of costly and damaging security breaches.
Continuous component identification and SBOM

Built specifically for development teams
Empower developers to confidently produce compliant code, while providing greater license visibility to the team.

Fully configurable and 100% Open Source
No proprietary algorithms, no closed binaries and definitely no corporate source code. Everything is entirely open and available.

Architected for speed and velocity
‘Start left’ in the development process by performing continuous validations vs. waiting on one final audit at the end.
Open Source Knowledge Base (OSSKB)
It's Big.

3 trillion lines of known OSS code
100 billion individual OSS files
1.59 billion known OSS components
SCANOSS boasts the largest Open Source knowledgebase in the market, with 188 million URLs of open source software, 100 billion files, and over 3 trillion lines of code. This extensive database allows for the detection of both declared and undeclared open source components. SCANOSS achieves this impressive feat through its cutting-edge open source mining network, which runs fully unmanned and tracks new software versions and components in real time as they are published.
Open Inventorying Engine
To analyze & compare Open Source code snippets, files or Winnowing fingerprints.

Open RESTful API
Client-side applications and middleware can leverage this API to interact with the SCANOSS Engine.

Open SBOM
Continuously generate an open Software Bill of Materials. Store your SBOM in SPDX or CycloneDX.

Open Database Engine
A database purpose-built for SCA, architected for scale and performance.
Open Indexing Algorithm
Using an open algorithm called ‘winnowing’ to detect OSS files, snippets & code.
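The page describes snippet-level fingerprinting (the "code fingerprinting" used to find undeclared components, and the open ‘winnowing’ algorithm behind the index). The following added example in Python shows that mechanism end to end; it is not SCANOSS's code and does not use the SCANOSS engine or API. The k-gram size, window size, package URLs, file contents and the declared-component list are all constructed for the example.

```python
"""Winnowing fingerprints for OSS snippet detection (added example, not SCANOSS code)."""
import hashlib
from typing import Dict, List, Set, Tuple

K = 5  # k-gram length over normalised text (constructed choice)
W = 4  # window size; any shared run of W + K - 1 characters yields a shared fingerprint

FileKey = Tuple[str, str]  # (purl, path) of a known OSS file


def normalise(source: str) -> str:
    """Drop whitespace and case so reformatting a pasted snippet does not hide it."""
    return "".join(source.split()).lower()


def kgram_hashes(text: str, k: int = K) -> List[int]:
    """Hash every k-gram with a stable hash; Python's hash() is salted per process."""
    return [
        int.from_bytes(hashlib.blake2b(text[i:i + k].encode(), digest_size=8).digest(), "big")
        for i in range(len(text) - k + 1)
    ]


def winnow(hashes: List[int], w: int = W) -> Set[Tuple[int, int]]:
    """Keep the minimum hash of each window of w consecutive hashes (rightmost on ties)."""
    selected: Set[Tuple[int, int]] = set()
    for start in range(len(hashes) - w + 1):
        window = hashes[start:start + w]
        j = max(range(w), key=lambda i: (-window[i], i))
        selected.add((window[j], start + j))  # (hash, position); the set dedupes repeats
    return selected


def fingerprints(source: str) -> Set[int]:
    return {h for h, _ in winnow(kgram_hashes(normalise(source)))}


def build_index(known: Dict[str, Dict[str, str]]):
    """Map fingerprint -> known files containing it; keep per-file sets for coverage."""
    index: Dict[int, Set[FileKey]] = {}
    per_file: Dict[FileKey, Set[int]] = {}
    for purl, files in known.items():
        for path, src in files.items():
            fps = fingerprints(src)
            per_file[(purl, path)] = fps
            for fp in fps:
                index.setdefault(fp, set()).add((purl, path))
    return index, per_file


def scan(source: str, index, per_file, declared: Set[str], threshold: float = 0.5):
    """Report known files whose fingerprints are covered by the scanned file."""
    hits: Dict[FileKey, Set[int]] = {}
    for fp in fingerprints(source):
        for key in index.get(fp, ()):
            hits.setdefault(key, set()).add(fp)
    report = []
    for (purl, path), matched in hits.items():
        coverage = len(matched) / len(per_file[(purl, path)])
        if coverage >= threshold:
            report.append({"purl": purl, "file": path, "coverage": round(coverage, 3),
                           "declared": purl in declared})
    return sorted(report, key=lambda r: -r["coverage"])


# Constructed sample knowledge base: two fictional components with one file each.
KNOWN_OSS = {
    "pkg:github/example/libfoo@1.2.0": {"src/fnv.c": """
unsigned int fnv1a(const char *s) {
    unsigned int h = 2166136261u;
    while (*s) { h ^= (unsigned char)*s++; h *= 16777619u; }
    return h;
}
"""},
    "pkg:github/example/libbar@0.9.1": {"src/clamp.c": """
int clamp(int x, int mn, int mx) {
    if (x < mn) return mn;
    if (x > mx) return mx;
    return x;
}
"""},
}

# Constructed manifest: only libbar is declared; libfoo's function is pasted in, reformatted.
DECLARED = {"pkg:github/example/libbar@0.9.1"}
PROJECT_FILE = """
/* in-house utility; the hash routine below was pasted from libfoo without attribution */
#include <stdio.h>

unsigned int fnv1a(const char *s)
{
  unsigned int h = 2166136261u;
  while (*s) { h ^= (unsigned char)*s++; h *= 16777619u; }
  return h;
}

int main(void) { printf("%u\\n", fnv1a("scanoss")); return 0; }
"""

if __name__ == "__main__":
    idx, files = build_index(KNOWN_OSS)
    for row in scan(PROJECT_FILE, idx, files, DECLARED):
        print(row)  # libfoo src/fnv.c, coverage 1.0, declared False
```

The winnowing guarantee is that any substring shared by two files of at least W + K - 1 normalised characters contributes at least one common fingerprint, so a pasted function is found even when it sits inside an otherwise unrelated file and has been re-indented. Coverage is reported per known file rather than per component so that a single shared helper does not get mistaken for use of a whole library; the "declared" flag is what separates an expected dependency from the undeclared component the page is concerned with.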
Open Webhooks & CLI
Trigger secure source code analysis with every git push using webhooks or embed it into your CI/CD pipelines using the CLI.
“Fully integrated in your development tools and processes”

- 100% Open architecture allows for easy integrations
- Native support for most DevOps toolchains
- Integrate with existing SCA tooling without overlap (e.g. SPDX)
- Open data architecture allows for comparable results
SCA Tools: Feature Comparison
SBOM Data and Decoration

Feature | SCANOSS | Other OSS SCA tools | Commercial SCA tools
Precise IDs | Purl arrays | Purl | Purl arrays, vendor and component
License detection | | | Proprietary
Copyright statements | | |
Attribution notices | | Limited | Limited
Vulnerabilities | | |
Dependencies | | |
Cryptographic algorithms (ECCN) | | |
Health metrics | | No data | No data
Service quality | Yes: static code analysis data on the entire knowledgebase | |
Code quality metrics | | |
Reporting format | SPDX and CycloneDX | SPDX and CycloneDX | Proprietary and SPDX
Binary analysis | | |
Architecture

Feature | SCANOSS | Other OSS SCA tools | Commercial SCA tools
Tool transparency | | | Closed-source
On-premise deployment | | | Requires access
API-centric | API-centric | N/A | Partial/limited API functionality
Portable UI | Multiplatform app | Server-side applications | Server-side applications
Command Line Interface (CLI) | | | Limited functionality
Air-gap scanning | | | Limited to 5Gb
Policy manager | Relies on third-party tools | | Built-in
CI/CD

Feature | SCANOSS | Other OSS SCA tools | Commercial SCA tools
Snippet detection | | N/A | Yes, with limitations
Snippet detection quality | | |
Snippet scanning openness | | |
OSS Detection

Feature | SCANOSS | Other OSS SCA tools | Commercial SCA tools
Snippet detection | | Limited | Limited
Snippet detection quality | | Limited | Limited
Snippet scanning openness | | | Proprietary
Declared component detection | | |
Undeclared component detection | | | Limited
Vendor Lock-in

Feature | SCANOSS | Other OSS SCA tools | Commercial SCA tools
Revenue model | Data provider | Support | Software vendor
Open source software | 100% Open Source | | Proprietary
SBOM / data import | | | From own legacy
File-level identification export | | | N/A
Access to free product offering | | | Limited