Scanning Vulnerabilities and Licenses

Finding out which licenses a given project uses can become a requirement at some point in the project lifecycle, for example when a web site is being made public and it turns out that a 3rd party dependency uses a license such as AGPL-3.0-only, which requires that:

You must disclose your source code when you distribute, publish or serve (i.e. through a web portal) modified or derivative software.

In addition to just getting a list of licenses, it is just as crucial to find out whether there are any known security vulnerabilities in any of those 3rd party dependencies or in their dependencies.

There are several services that do this kind of scanning. Some are free if the project in question is open source, but might then provide only parts of their full service.

While license scanning in npm projects is somewhat trivial (check the license property in package.json and, if it does not exist, perhaps check for a LICENSE file or apply some other further intelligence), the bigger issue is which vulnerability database is used for checking the known security issues. If they would all simply use and contribute to one, everyone would win. This is business after all, so no.
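As an added example (not code from the post or from any of the tools it names), the following Python script implements the npm license lookup just described: read the license property of each package.json under node_modules (including @scoped and nested packages, and the older object and array forms of the field), fall back to matching the header of a LICENSE file when the field is missing, and bucket the result so a build gate can fail on network copyleft licenses such as AGPL-3.0-only. The package names, the LICENSE text snippets, the watch-lists and the header patterns are all constructed for the example; the patterns are a heuristic, not the full text matching a tool like scancode performs.

```python
import json
import os
import re
import tempfile
from pathlib import Path

# Constructed watch-lists: licenses whose obligations are triggered by serving (AGPL)
# or distributing (GPL) a modified work. Adjust to the project's own policy.
NETWORK_COPYLEFT = {"AGPL-1.0", "AGPL-3.0", "AGPL-3.0-only", "AGPL-3.0-or-later"}
STRONG_COPYLEFT = {"GPL-2.0", "GPL-2.0-only", "GPL-2.0-or-later",
                   "GPL-3.0", "GPL-3.0-only", "GPL-3.0-or-later"}

# Heuristic header markers for a LICENSE file (assumption: these phrases identify the text).
# Order matters: the AGPL header contains "GENERAL PUBLIC LICENSE" too.
LICENSE_TEXT_MARKERS = [
    (re.compile(r"GNU AFFERO GENERAL PUBLIC LICENSE", re.I), "AGPL-3.0-only"),
    (re.compile(r"GNU GENERAL PUBLIC LICENSE\s+Version 2", re.I), "GPL-2.0-only"),
    (re.compile(r"GNU GENERAL PUBLIC LICENSE\s+Version 3", re.I), "GPL-3.0-only"),
    (re.compile(r"Permission is hereby granted, free of charge", re.I), "MIT"),
    (re.compile(r"Apache License\s+Version 2\.0", re.I), "Apache-2.0"),
]


def license_from_package_json(data):
    """Declared license: current SPDX string, or the deprecated object / array forms."""
    lic = data.get("license")
    if isinstance(lic, str) and lic.strip():
        return lic.strip()
    if isinstance(lic, dict) and lic.get("type"):
        return str(lic["type"])
    legacy = data.get("licenses")
    if isinstance(legacy, list):
        types = [e["type"] for e in legacy if isinstance(e, dict) and e.get("type")]
        if types:
            return " OR ".join(types)
    return None


def license_from_license_file(pkg_dir):
    """Fallback: find a LICENSE-like file and match its header. Returns (spdx, filename)."""
    for entry in sorted(os.listdir(pkg_dir)):
        if entry.upper().startswith(("LICENSE", "LICENCE", "COPYING")):
            text = Path(pkg_dir, entry).read_text(encoding="utf-8", errors="replace")
            for pattern, spdx in LICENSE_TEXT_MARKERS:
                if pattern.search(text):
                    return spdx, entry
    return None, None


def classify(spdx):
    """Bucket a license expression; a dual 'MIT OR AGPL' is flagged conservatively."""
    if spdx is None:
        return "UNKNOWN"
    ids = {part.strip("() ") for part in re.split(r"\s+(?:OR|AND)\s+", spdx)}
    if ids & NETWORK_COPYLEFT:
        return "NETWORK_COPYLEFT"
    if ids & STRONG_COPYLEFT:
        return "STRONG_COPYLEFT"
    return "OTHER"


def scan_node_modules(project_root):
    """Walk every package.json under node_modules (nested and @scoped included)."""
    findings = []
    for dirpath, _dirs, files in os.walk(Path(project_root, "node_modules")):
        if "package.json" not in files:
            continue
        pkg_dir = Path(dirpath)
        try:
            data = json.loads((pkg_dir / "package.json").read_text(encoding="utf-8"))
        except (ValueError, OSError):
            continue
        name = data.get("name")
        if not name:  # nameless package.json files (e.g. test fixtures) are not packages
            continue
        spdx, source = license_from_package_json(data), "package.json"
        if spdx is None:
            spdx, source = license_from_license_file(pkg_dir)
        findings.append({"name": name, "version": data.get("version", ""),
                         "license": spdx, "source": source, "class": classify(spdx)})
    return sorted(findings, key=lambda f: f["name"])


def build_sample_tree(base):
    """Constructed sample node_modules for the demo; every package name here is made up."""
    def write(parts, pkg_json, license_text=None):
        d = Path(base, "node_modules", *parts)
        d.mkdir(parents=True, exist_ok=True)
        (d / "package.json").write_text(json.dumps(pkg_json), encoding="utf-8")
        if license_text:
            (d / "LICENSE").write_text(license_text, encoding="utf-8")
    write(["left-pad-ish"], {"name": "left-pad-ish", "version": "1.0.0", "license": "MIT"})
    # No license field at all; only the LICENSE file reveals the AGPL terms.
    write(["report-engine"], {"name": "report-engine", "version": "2.3.1"},
          "GNU AFFERO GENERAL PUBLIC LICENSE\nVersion 3, 19 November 2007\n")
    # Scoped package still using the deprecated object form of the field.
    write(["@acme", "legacy-utils"], {"name": "@acme/legacy-utils", "version": "0.9.0",
                                      "license": {"type": "Apache-2.0", "url": "n/a"}})
    # Nested dependency with no license information anywhere.
    write(["left-pad-ish", "node_modules", "mystery"], {"name": "mystery", "version": "0.0.1"})


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_node_modules(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['class']:17} {f['name']}@{f['version']}: {f['license']} (from {f['source']})")
```

Run it in a project directory by replacing `demo()` with `scan_node_modules(".")`; anything reported as NETWORK_COPYLEFT or UNKNOWN is the dependency to look at before the site goes public, and the source column shows whether the verdict came from a declared field or from a file heuristic.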

What kind of services are available today that provide free usage for open source projects? The links take you to their pricing pages.

The above three integrate pretty nicely with GitHub, and the last one specifically, WhiteSource, is the one used by GitHub itself to assess the security of a repository.

In addition to the services, there are other options, such as installing a few tools locally. Most notably there is the AboutCode project, which includes scancode-toolkit, installable with:

pip install scancode-toolkit

In case there are issues when installing on macOS, environment variables such as the following might help:

export ICU_VERSION=64
export PYICU_INCLUDES=/usr/local/Cellar/icu4c/64.2/include
export PYICU_LFLAGS=-L/usr/local/Cellar/icu4c/64.2/lib
export PYICU_CFLAGS=-std=c++11

Once installed, run this in the project directory that should be scanned:

scancode --package --license --copyright --url --info --email --license-diag \
 --max-in-memory 1000 --processes 0 . --json results.json

The AboutCode project contains another tool called scancode-workbench, which is an Electron based frontend for viewing the results from scancode-toolkit. Download, extract and run it; in its user interface the results.json file can be imported and the results inspected. Importing creates a SQLite database which can be reused later if needed.

For further reading, see The OpenChain Project.