FOSSLight Source Scanner
FOSSLight Source Scanner runs in ScanCode, SCANOSS, and KB (LGE Only) modes.
- ScanCode: Detects copyright and license phrases included in files.
- SCANOSS: Searches OSSKB for OSS Name, OSS Version, Download Location, Copyright, and License information.
- KB (LGE Only): Queries file provenance from LG Electronics' internal Knowledge Database server and outputs OSS Name, OSS Version, and Download Location.
Build scripts, binary files, directories, specific directories (for example, test), and files in hidden folders are excluded.
Prerequisite
FOSSLight Source Scanner runs on Python 3.10+.
How to Install
FOSSLight Source Scanner can be installed with pip3.
Installing in a Python 3.10+ virtualenv environment is recommended.
$ pip3 install fosslight_source
How to Run
After scanning source code, results are output in FOSSLight Report format.
$ fosslight_source [option] <arguments>
Options
📖 Usage
────────────────────────────────────────────────────────────────────
fosslight_source [options] <arguments>
📝 Description
────────────────────────────────────────────────────────────────────
FOSSLight Source Scanner analyzes source code to detect copyright and
license information using several modes.
Note: Build scripts, binary files, and test directories are automatically
excluded from analysis.
📚 Guide: https://fosslight.org/fosslight-guide/scanner/2_source.html
⚙️ General Options
────────────────────────────────────────────────────────────────────
-p <path> Source path to analyze (default: current directory)
-o <path> Output file path or directory
-f <format> Output formats: excel, csv, opossum, yaml, spdx-yaml, spdx-json, spdx-xml, spdx-tag, cyclonedx-json, cyclonedx-xml
(multiple formats can be specified, separated by space)
-e <pattern> Exclude paths from analysis (files and directories)
⚠️ IMPORTANT: Always wrap in quotes to avoid shell expansion
Example: fosslight_source -e "dev/" "tests/" "*.jar"
-m Generate detailed scan results on separate sheets
-h Show this help message
-v Show version information
🔍 Scanner-Specific Options
────────────────────────────────────────────────────────────────────
-s <mode> Choose mode: scancode, scanoss, kb, or all(default)
-c <number> Number of CPU cores/threads to use for scanning
-t <seconds> Timeout in seconds for ScanCode scanning
-j Generate raw scanner results in JSON format
--no_correction Skip OSS information correction with sbom-info.yaml
--correct_fpath <path> Path to custom sbom-info.yaml file
--hide_progress Hide the progress bar during scanning
💡 Examples
────────────────────────────────────────────────────────────────────
# Scan current directory
fosslight_source
# Scan specific path with exclusions
fosslight_source -p /path/to/source -e "test/" "node_modules/"
# Generate output in specific format
fosslight_source -f excel -o results/
# Generate raw scanner results in JSON format
fosslight_source -p /path/to/source -j
- If the -s option is not provided, results from all modes (ScanCode, SCANOSS, KB) are aggregated.
- Pattern Matching Guide for the -e option
  - ⚠️ Always enter patterns using double quotes ("").
    - Example: fosslight_source -e "dev/" "tests/"
  - ⚠️ File names and extensions are case-sensitive and must match exactly.
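Why the quoting rule for -e matters, as an added example that is not part of the FOSSLight documentation: the script shows the argument list a program actually receives for *.jar with and without quotes. The received_args function is a hypothetical stand-in for the scanner, and the directory tree is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not FOSSLight code. received_args is a hypothetical stand-in
# for the scanner: it prints each argument it is handed, one per line.
received_args() {
    for arg in "$@"; do
        printf '%s\n' "$arg"
    done
}

# Constructed source tree: two jars at the top level, one nested, one empty dir.
make_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/libs" "$d/docs"
    : > "$d/a.jar"
    : > "$d/b.jar"
    : > "$d/libs/nested.jar"
    printf '%s\n' "$d"
}

# Unquoted (deliberately): the shell expands *.jar against the directory in $1
# before the program starts, so the pattern itself never arrives.
unquoted_pattern() {
    ( cd "$1" && received_args *.jar )
}

# Quoted: the pattern arrives intact, whatever the current directory contains.
quoted_pattern() {
    ( cd "$1" && received_args "*.jar" )
}

tree=$(make_tree)
echo "unquoted, run from tree root:";   unquoted_pattern "$tree"
echo "unquoted, run from empty docs/:"; unquoted_pattern "$tree/docs"
echo "quoted, run from tree root:";     quoted_pattern "$tree"
rm -rf "$tree"
```

Run from the tree root, the unquoted form delivers a.jar and b.jar as two literal names instead of the pattern. Run from a directory with no matching file, the same unquoted command passes *.jar through unchanged in sh and bash, so the mistake only shows up depending on where the scan is started.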
Example
Source code scan
$ fosslight_source -p /home/source_path
Result
$ tree
.
├── fosslight_log_src_260311_1503.txt
└── fosslight_report_src_260311_1544.xlsx
- fosslight_log_src_[datetime].txt: File that stores execution logs
- fosslight_report_src_[datetime].xlsx: Source code analysis result in FOSSLight Report format
- fosslight_opossum_src_[datetime].json: Source code analysis result that can be used in OpossumUI (-f opossum option)
- fosslight_report_src_[datetime].csv: FOSSLight Report exported as CSV (-f csv option)
- scancode_raw_result.json: ScanCode execution result (-j option)
- scanoss_raw_result.json: SCANOSS execution result (-j option)
- scanner_output.wfp: Fingerprint generated during SCANOSS execution (-j option)