Welcome to AboutCode!

AboutCode is a community of open source developers making open source easier to use by building open source tools for Software Composition Analysis (SCA). AboutCode is also the collective name for these SCA tools to discover, identify and track open source components. We maintain many open source projects on GitHub including applications like ScanCode.io, tools like ScanCode Toolkit and container-inspector and emerging standards like package-url. Members of the AboutCode community are active participants in Google Summer of Code, SPDX and other open source groups. We welcome new contributors for any of our projects. You can find us on Gitter anytime.

ScanCode is a set of open source tools for scanning code to identify code provenance (origin) and license information:

  • ScanCode Toolkit - is the scanning engine (command-line or library).

  • ScanCode.io - is an application that scripts and automates Software Composition Analysis.

  • ScanCode LicenseDB - is a database of more than 1400 open source or other licenses detected by ScanCode.

  • ScanCode Workbench - is the desktop application to view Scans.

ScanCode works on code written in any programming language or environment, and its license detection rules are plain data files, so you can add or update them without writing any code.

The AboutCode community works on many other projects to help make open source easier to use:

  • AboutCode Toolkit - provides tools to document origin, license and usage metadata for your code in ABOUT files and generate attribution documents and software inventory or BOM reports.

  • TraceCode Toolkit - traces the use of software components from development to deployment or distribution.

  • Smaller open source projects like container-inspector and license-expression that provide the common libraries and utilities shared across AboutCode projects.

For a complete list of the FOSS libraries and utilities maintained or supported by the AboutCode community, see our Libraries page.

VulnerableCode is a set of open source tools to build a comprehensive database of software vulnerabilities. VulnerableCode aggregates, correlates and refines software vulnerability information from many sources with the data organized around the emerging standard Package URL. The initial development of VulnerableCode was supported by the NLNet Foundation.

Package URL is the specification and implementation for “purl”, an abbreviation for a “package (mostly universal) URL”. purl is used across AboutCode projects (with implementations for seven major languages) and many other important projects, including CycloneDX (OWASP) and ORT. purl is being considered by the US NTIA as a possible CPE replacement.
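The two paragraphs above hinge on one mechanism: a purl string is split into type, namespace, name, version, qualifiers and subpath, and that canonical identity is what lets vulnerability records from different sources be joined. The following is an added example written for this page, not code from the AboutCode projects or from any of the purl implementations: a minimal parser that follows the spec's split order, and a toy correlation of two constructed advisory feeds (placeholder identifiers and package names) on the canonical package key. The per-type name normalisation covers only a subset of the spec's type rules, and matching on the exact version is a simplification for the example.

```python
"""Parse Package URLs (purls) and correlate advisory records across feeds on
the canonical package identity. Added example; not AboutCode project code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Tuple
from urllib.parse import unquote


@dataclass
class Purl:
    type: str
    name: str
    namespace: Optional[str] = None
    version: Optional[str] = None
    qualifiers: Dict[str, str] = field(default_factory=dict)
    subpath: Optional[str] = None


def _split_right(s: str, sep: str) -> Tuple[str, str]:
    """Split once from the right; the right part is "" when sep is absent."""
    head, found, tail = s.rpartition(sep)
    return (head, tail) if found else (s, "")


def parse_purl(purl: str) -> Purl:
    """Parse pkg:type/namespace/name@version?qualifiers#subpath.

    The split order (subpath, qualifiers, scheme, type, version, then
    namespace/name) is the one the purl spec prescribes; percent-encoded
    '/' and '@' inside segments are decoded only after the splits.
    """
    s = purl.strip()
    s, raw_subpath = _split_right(s, "#")
    s, raw_qualifiers = _split_right(s, "?")
    scheme, found, s = s.partition(":")
    if not found or scheme.lower() != "pkg":
        raise ValueError(f"not a purl (missing pkg: scheme): {purl!r}")
    ptype, found, s = s.lstrip("/").partition("/")
    if not found or not ptype:
        raise ValueError(f"purl needs a type and a name: {purl!r}")
    ptype = ptype.lower()  # type is case-insensitive; canonical form is lowercase
    # A literal '@' inside a namespace must be percent-encoded (%40) for this split.
    s, raw_version = _split_right(s, "@")
    version = unquote(raw_version) if raw_version else None
    segments = [unquote(seg) for seg in s.strip("/").split("/") if seg]
    if not segments:
        raise ValueError(f"purl has no name: {purl!r}")
    name = segments[-1]
    namespace: Optional[str] = "/".join(segments[:-1]) or None
    # Per-type canonicalisation: a subset of the spec's type rules (example only).
    if ptype == "pypi":
        name = name.lower().replace("_", "-")
    elif ptype in ("github", "bitbucket"):
        name = name.lower()
        namespace = namespace.lower() if namespace else namespace
    qualifiers: Dict[str, str] = {}
    for pair in raw_qualifiers.split("&") if raw_qualifiers else []:
        key, _, value = pair.partition("=")
        if key and value:  # keys are lowercased; pairs with empty values are dropped
            qualifiers[key.lower()] = unquote(value)
    subpath = "/".join(
        unquote(seg) for seg in raw_subpath.split("/") if seg not in ("", ".", "..")
    ) or None
    return Purl(ptype, name, namespace, version, qualifiers, subpath)


def package_key(p: Purl) -> Tuple[str, Optional[str], str]:
    """Identity used to join records from different sources."""
    return (p.type, p.namespace, p.name)


# Constructed advisory feeds (placeholder ids and package names, not real data).
FEED_A = [
    ("ADV-A-001", "pkg:PyPI/Example_Pkg@1.2.0"),
    ("ADV-A-002", "pkg:npm/%40demo-scope/widget@2.0.0"),
]
FEED_B = [
    ("ADV-B-007", "pkg:pypi/example-pkg@1.2.0"),  # same package as ADV-A-001
    ("ADV-B-008", "pkg:github/Demo-Org/Tool@0.9.0"),
]

Index = Dict[Tuple[str, Optional[str], str], Dict[Optional[str], set]]


def correlate(*feeds: Tuple[str, Sequence[Tuple[str, str]]]) -> Index:
    """Index advisories by canonical package identity, then by version."""
    index: Index = {}
    for source, records in feeds:
        for adv_id, purl_str in records:
            p = parse_purl(purl_str)
            by_version = index.setdefault(package_key(p), {})
            by_version.setdefault(p.version, set()).add(f"{source}:{adv_id}")
    return index


def advisories_for(index: Index, purl_str: str) -> List[str]:
    """Advisories recorded for exactly this package version (exact-version
    matching is a simplification for the example; real tooling needs ranges)."""
    p = parse_purl(purl_str)
    return sorted(index.get(package_key(p), {}).get(p.version, set()))


if __name__ == "__main__":
    idx = correlate(("feedA", FEED_A), ("feedB", FEED_B))
    print(advisories_for(idx, "pkg:pypi/example_pkg@1.2.0"))
    print(advisories_for(idx, "pkg:github/demo-org/tool@0.9.0"))
```

The point to notice is that `ADV-A-001` and `ADV-B-007` only join because the type is lowercased and the PyPI name is canonicalised before the key is built; a correlation keyed on the raw strings would report them as two unrelated packages, which is the class of error a purl-based data model avoids.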