Product Context Dependency is a powerful feature that allows you to enforce fine-grained control over component usage within your codebase. Instead of simply tracking which components exist, you can define rules about where they should (and shouldn’t) be used.

Prerequisites

Ensure scanoss-py is installed:
pip3 install scanoss
For enhanced performance with fast winnowing:
pip3 install scanoss[fast_winnowing]
Verify installation:
scanoss-py --version

Getting Started

Initial Discovery Scan

Run a comprehensive scan to discover all components in your project:
scanoss-py scan -D -o results.json /path/to/folder
Options explained:
  • -D or --dependencies: Enable dependency detection
  • -o results.json: Output file for scan results
  • /path/to/folder: Scan the specified folder. You can use . to scan the current directory.
The first scan should be run without a scanoss.json file to discover all components in your project.

Identify Undeclared Components

Inspect the scan results to find components not yet declared in your configuration:
scanoss-py inspect undeclared -i results.json
Sample Output:
{
  "bom": {
    "include": [
      {
        "purl": "pkg:github/scanoss/engine"
      },
      {
        "purl": "pkg:github/scanoss/scanoss.py"
      }
    ]
  }
}

Create scanoss.json Configuration

Create a scanoss.json file in the same directory you’re scanning to declare approved components:
{
  "self": {
    "name": "scanoss-project",
    "version": "1.0.0",
    "license": "GPL-2.0-only",
    "description": "Project using SCANOSS engine and Python SDK"
  },
  "bom": {
    "include": [
      {
        "purl": "pkg:github/scanoss/engine",
        "comment": "Approved: Core SCANOSS engine used for software composition analysis"
      },
      {
        "purl": "pkg:github/scanoss/scanoss.py",
        "comment": "Approved: Python client library for SCANOSS API"
      }
    ]
  }
}

Rescan with Configuration

Apply your configuration by rescanning with the settings file:
scanoss-py scan -D --settings scanoss.json -o results.json /path/to/folder
The tool will now detect scanoss.json in the scan directory.

Validate Compliance

After scanning with your configuration, verify that all components are properly declared:
scanoss-py inspect undeclared -i results.json
Success output:
0 undeclared component(s) were found.
The output will list any undeclared components that need to be added to your scanoss.json.

Advanced Context Rules

Path-Specific Restrictions

Restrict components to specific directories in your project:
{
  "bom": {
    "include": [
      {
        "purl": "pkg:github/scanoss/engine@5.0.0",
        "path": "src/",
        "comment": "Engine core allowed in source directory only"
      },
      {
        "purl": "pkg:github/scanoss/scanoss.py@v1.3.6",
        "path": "src/",
        "comment": "Python SDK for scanning operations in source"
      }
    ]
  }
}
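To make the include rules concrete, here is an added Python example (not part of scanoss-py or this page) that evaluates the "bom.include" entries above against a constructed, simplified scan-results shape: a dict of file path to matches, each carrying a "purl" list. It reports components that are undeclared and components that are declared but found outside their allowed "path" prefix, which is the check a reviewer would want before trusting a clean "inspect undeclared" result.

```python
# Added example, not scanoss-py's own logic. The results shape is a
# constructed simplification: file path -> list of matches with a "purl" list.
import json
from typing import Dict, List

# Constructed scanoss.json fragment using the path-specific rules above.
SETTINGS = {"bom": {"include": [
    {"purl": "pkg:github/scanoss/engine@5.0.0", "path": "src/"},
    {"purl": "pkg:github/scanoss/scanoss.py@v1.3.6", "path": "src/"},
]}}

# Constructed, simplified scan results.
RESULTS = {
    "src/copyright.c": [{"id": "file", "purl": ["pkg:github/scanoss/engine@5.0.0"]}],
    "tests/scanner_test.py": [{"id": "file", "purl": ["pkg:github/scanoss/scanoss.py@v1.3.6"]}],
    "vendor/util.c": [{"id": "snippet", "purl": ["pkg:github/example/unknown@1.0"]}],
    "src/main.c": [{"id": "none"}],
}

def base_purl(purl: str) -> str:
    """Strip the @version suffix so an unversioned rule also covers a versioned match."""
    return purl.split("@", 1)[0]

def rule_allows(rule: dict, purl: str, path: str) -> bool:
    """A rule allows a match when the purl matches and the file is under the rule's path prefix."""
    want = rule["purl"]
    purl_ok = purl == want or ("@" not in want and base_purl(purl) == want)
    path_ok = path.startswith(rule.get("path", ""))  # no "path" means anywhere
    return purl_ok and path_ok

def find_violations(results: dict, settings: dict) -> Dict[str, List[str]]:
    """Return {"undeclared": [...], "out_of_path": [...]} as 'file: purl' strings."""
    rules = settings.get("bom", {}).get("include", [])
    undeclared, out_of_path = [], []
    for path, matches in results.items():
        for match in matches:
            for purl in match.get("purl", []):
                if any(rule_allows(r, purl, path) for r in rules):
                    continue
                declared = any(base_purl(r["purl"]) == base_purl(purl) for r in rules)
                (out_of_path if declared else undeclared).append(f"{path}: {purl}")
    return {"undeclared": undeclared, "out_of_path": out_of_path}

if __name__ == "__main__":
    print(json.dumps(find_violations(RESULTS, SETTINGS), indent=2))
```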

Version Upgrade Management

Enforce version upgrades or library replacements:
{
  "bom": {
    "replace": [
      {
        "purl": "pkg:github/scanoss/engine@5.0.0",
        "replace_with": "pkg:github/scanoss/engine@5.0.2",
        "path": "src/",
        "license": "GPL-2.0-only",
        "comment": "Upgrade to latest engine version (5.0.2 available)"
      },
      {
        "purl": "pkg:github/scanoss/scanoss.py@v1.3.6",
        "replace_with": "pkg:github/scanoss/scanoss.py@v1.4.0",
        "path": "src/",
        "license": "MIT",
        "comment": "Upgrade Python SDK for latest features and security fixes"
      }
    ]
  }
}

License Compliance Configuration

Declare the license of each approved component, based on the mixed licenses detected in your scan:
{
  "self": {
    "name": "scanoss-project",
    "version": "1.0.0",
    "license": "GPL-2.0-only",
    "description": "Project using SCANOSS components with GPL-2.0 compatibility"
  },
  "bom": {
    "include": [
      {
        "purl": "pkg:github/scanoss/engine@5.0.0",
        "path": "src/copyright.c",
        "license": "GPL-2.0-only",
        "comment": "Approved: Engine component - GPL-2.0 copyleft license"
      },
      {
        "purl": "pkg:github/scanoss/scanoss.py@v1.3.6",
        "path": "src/scanner_test.py",
        "license": "MIT",
        "comment": "Approved: Python SDK - MIT license (permissive)"
      }
    ]
  }
}
Learn more about creating and managing scanoss.json files: SCANOSS Settings Documentation