MCP (Model Context Protocol) server that provides LLMs with comprehensive OSS compliance and vulnerability analysis capabilities through the SEMCL.ONE toolchain.
mcp-semclone integrates the complete SEMCL.ONE toolchain to provide LLMs with powerful software composition analysis capabilities:
- License Detection & Compliance: Scan codebases for licenses and validate against policies
- Binary Analysis: Analyze compiled binaries (APK, EXE, DLL, SO, JAR) for OSS components and licenses
- Vulnerability Assessment: Query multiple vulnerability databases for security issues
- Package Discovery: Identify packages from source code and generate PURLs
- SBOM Generation: Create Software Bill of Materials in CycloneDX format
- Policy Validation: Check license compatibility and organizational compliance
Analysis & Scanning:
- scan_directory - Comprehensive directory scanning for packages, licenses, and vulnerabilities
- scan_binary - Analyze compiled binaries (APK, EXE, DLL, SO, JAR) for OSS components
- check_package - Check specific packages for licenses and vulnerabilities
- download_and_scan_package - Download package source from registries and perform deep license/copyright scanning
Legal Notices & Documentation:
- generate_legal_notices - Generate legal notices by scanning source code directly (fast, recommended)
- generate_legal_notices_from_purls - Generate legal notices from PURL list (downloads from registries)
- generate_sbom - Generate Software Bill of Materials in CycloneDX format
License & Policy Validation:
- validate_policy - Validate licenses against organizational policies
- validate_license_list - Quick license safety validation for distribution types
- get_license_obligations - Get detailed compliance requirements for licenses
- check_license_compatibility - Check if two licenses can be mixed
- get_license_details - Get comprehensive license information including full text
- analyze_commercial_risk - Assess commercial distribution risks
Complete Workflows:
- run_compliance_check - Universal one-shot compliance workflow for any project type
- license_database - Access license compatibility information
- policy_templates - Get pre-configured policy templates
- compliance_check - Guided workflow for license compliance checking
- vulnerability_assessment - Guided workflow for security assessment
pip install mcp-semclone
This automatically installs all required SEMCL.ONE tools:
- purl2notices - Comprehensive package detection and license extraction
- osslili - License detection from archives (used by check_package)
- binarysniffer - Binary analysis for OSS components
- ospac - Policy validation engine
- vulnq - Vulnerability database queries
- upmex - Package metadata extraction (used by check_package)
pipx installs the package in an isolated environment while making the CLI tools globally available. This is ideal for avoiding dependency conflicts with other Python packages on your system.
# Install pipx if you don't have it
pip install pipx
pipx ensurepath
# Install mcp-semclone
pipx install mcp-semclone
# IMPORTANT: Inject all SEMCL.ONE tool dependencies into the same isolated environment
# This ensures all tools are available both as libraries and CLI commands
# Required by some agents that need direct CLI tool access
# Use --include-apps to make CLI commands globally available
pipx inject mcp-semclone purl2notices purl2src osslili binarysniffer ospac vulnq upmex --include-apps
Benefits of pipx:
- ✅ Isolated environment prevents dependency conflicts
- ✅ All tools globally accessible in PATH
- ✅ Easy to update: pipx upgrade mcp-semclone
- ✅ Clean uninstall: pipx uninstall mcp-semclone
git clone https://github.com/SemClone/mcp-semclone.git
cd mcp-semclone
pip install -e .[dev]
Quick Start - Basic Configuration:
Add to your MCP client configuration file (e.g., .cursor/mcp.json, Cline settings, .kiro/settings/mcp.json):
{
  "mcpServers": {
    "semclone": {
      "command": "/path/to/your/.local/pipx/venvs/mcp-semclone/bin/python3",
      "args": ["-m", "mcp_semclone.server"],
      "env": {}
    }
  }
}
Find your pipx Python path:
# macOS/Linux
echo "$HOME/.local/pipx/venvs/mcp-semclone/bin/python3"
# Or locate automatically
pipx list --include-injected | grep mcp-semclone -A 3
📖 For detailed setup instructions including:
- IDE-specific configurations (Cursor, Cline, Kiro, VS Code, JetBrains)
- Auto-approve settings
- pip vs pipx configurations
- Configuration templates
- Troubleshooting
See the IDE Integration Guide
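The configuration entry above can also be generated rather than typed by hand. The following is a minimal sketch, assuming the default pipx venv location on macOS/Linux shown above; the helper name `build_mcp_config` is hypothetical and not part of mcp-semclone.

```python
import json
from pathlib import Path


def build_mcp_config(python_path: Path) -> dict:
    """Return an MCP client config entry that launches the server module."""
    return {
        "mcpServers": {
            "semclone": {
                "command": str(python_path),
                "args": ["-m", "mcp_semclone.server"],
                "env": {},
            }
        }
    }


# Assumed default pipx venv location on macOS/Linux; adjust if yours differs.
default_python = Path.home() / ".local/pipx/venvs/mcp-semclone/bin/python3"
config = build_mcp_config(default_python)
print(json.dumps(config, indent=2))
```

Paste the printed JSON into your client's MCP configuration file, or merge the `semclone` entry into an existing `mcpServers` object.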
Optional environment variables for enhanced functionality:
# API Keys (optional, for higher rate limits)
export GITHUB_TOKEN="your_github_token"
export NVD_API_KEY="your_nvd_api_key"
# Tool paths (optional, only if tools are not in PATH)
# Tools are auto-detected by default using shutil.which()
export PURL2NOTICES_PATH="/custom/path/to/purl2notices"
export OSSLILI_PATH="/custom/path/to/osslili"
export BINARYSNIFFER_PATH="/custom/path/to/binarysniffer"
export VULNQ_PATH="/custom/path/to/vulnq"
export OSPAC_PATH="/custom/path/to/ospac"
export UPMEX_PATH="/custom/path/to/upmex"
Note: Tools are automatically detected in your PATH. Environment variables are only needed for custom installation locations.
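To check which tools would be found on your machine, the lookup can be approximated as follows. This is a sketch, not the server's actual code: it assumes the `<TOOL>_PATH` variable takes precedence over the `shutil.which()` lookup, and the helper name `resolve_tool` is hypothetical.

```python
import os
import shutil
from typing import Optional


def resolve_tool(name: str) -> Optional[str]:
    """Return a tool path: <NAME>_PATH override first, then a PATH lookup."""
    # Assumption: the environment variable wins over auto-detection.
    override = os.environ.get(f"{name.upper()}_PATH")
    if override:
        return override
    return shutil.which(name)


for tool in ("purl2notices", "osslili", "binarysniffer", "vulnq", "ospac", "upmex"):
    print(f"{tool}: {resolve_tool(tool) or 'not found'}")
```

A tool reported as "not found" is either not installed or installed outside PATH, in which case setting the matching environment variable should help.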
Once configured, you can ask your LLM:
- "Scan /path/to/project for license compliance issues"
- "Analyze this Android APK file for OSS components and licenses"
- "Check if this project has any critical vulnerabilities"
- "Generate an SBOM for my project"
- "What licenses are in this compiled binary?"
- "Validate these licenses against our commercial distribution policy"
- "Find all GPL-licensed dependencies in this codebase"
from mcp import Client
import asyncio

async def main():
    async with Client("mcp-semclone") as client:
        # Scan a directory
        result = await client.call_tool(
            "scan_directory",
            {
                "path": "/path/to/project",
                "check_vulnerabilities": True,
                "check_licenses": True
            }
        )
        print(f"Found {result['metadata']['total_packages']} packages")
        print(f"Found {result['metadata']['total_vulnerabilities']} vulnerabilities")

        # Scan a binary file
        binary_result = await client.call_tool(
            "scan_binary",
            {
                "path": "/path/to/app.apk",
                "analysis_mode": "deep",
                "check_compatibility": True
            }
        )
        print(f"Found {binary_result['metadata']['component_count']} components")
        print(f"Licenses: {binary_result['licenses']}")

        # Check a specific package
        package_result = await client.call_tool(
            "check_package",
            {"identifier": "pkg:npm/express@4.17.1"}
        )
        print(f"Vulnerabilities: {package_result['vulnerabilities']}")

asyncio.run(main())
- Scan the project to identify all packages and licenses
- Load or create a policy defining allowed/denied licenses
- Validate licenses against the policy
- Generate compliance report with violations and recommendations
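The validation step of this workflow can be illustrated with a small stand-alone sketch. It does not call ospac or the MCP server; the `Policy` class, the three-way classification, and the sample package names are all hypothetical, chosen only to show how an allow/deny policy produces a report.

```python
from dataclasses import dataclass, field


@dataclass
class Policy:
    """Hypothetical policy shape: sets of SPDX license identifiers."""
    allowed: set = field(default_factory=set)
    denied: set = field(default_factory=set)


def validate_licenses(found: dict, policy: Policy) -> dict:
    """Classify each package's license as a violation, ok, or needing review."""
    report = {"violations": [], "review": [], "ok": []}
    for package, license_id in sorted(found.items()):
        if license_id in policy.denied:
            report["violations"].append((package, license_id))
        elif license_id in policy.allowed:
            report["ok"].append((package, license_id))
        else:
            # Neither allowed nor denied: flag for a human decision.
            report["review"].append((package, license_id))
    return report


policy = Policy(allowed={"MIT", "Apache-2.0"}, denied={"GPL-3.0-only"})
found = {"left-pad": "MIT", "some-lib": "GPL-3.0-only", "other-lib": "MPL-2.0"}
report = validate_licenses(found, policy)
print(report)
```

Routing unlisted licenses to a review bucket, rather than silently passing or failing them, is one possible design choice; a stricter policy could treat them as violations.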
- Discover packages in the codebase
- Query vulnerability databases for each package
- Prioritize by severity (CRITICAL > HIGH > MEDIUM > LOW)
- Identify available fixes and upgrade paths
- Generate security report with remediation steps
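The prioritization step (CRITICAL > HIGH > MEDIUM > LOW) amounts to a sort with an explicit severity ranking. A minimal sketch follows; the finding dictionaries and their `id` values are made-up placeholders, not real vulnq output.

```python
SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


def prioritize(findings: list) -> list:
    """Sort findings most severe first; unknown severities sort last."""
    return sorted(
        findings,
        key=lambda f: SEVERITY_ORDER.get(
            f.get("severity", "").upper(), len(SEVERITY_ORDER)
        ),
    )


# Placeholder findings for illustration only.
findings = [
    {"id": "EXAMPLE-0001", "severity": "LOW"},
    {"id": "EXAMPLE-0002", "severity": "CRITICAL"},
    {"id": "EXAMPLE-0003", "severity": "MEDIUM"},
    {"id": "EXAMPLE-0004", "severity": "HIGH"},
]
for finding in prioritize(findings):
    print(finding["severity"], finding["id"])
```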
- Scan project structure to identify components
- Extract metadata for each component
- Detect licenses and copyright information
- Format as SBOM (CycloneDX 1.4 JSON)
- Validate completeness of the SBOM
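For orientation, the formatting and completeness steps might look like the sketch below. It builds a minimal CycloneDX 1.4 JSON document by hand and is not the output of generate_sbom; the input dictionary shape, the helper names, and the `internal-lib` component are assumptions made for illustration.

```python
import json


def build_sbom(components: list) -> dict:
    """Build a minimal CycloneDX 1.4 JSON document from component dicts."""
    entries = []
    for c in components:
        entry = {"type": "library", "name": c["name"], "version": c["version"]}
        if c.get("purl"):
            entry["purl"] = c["purl"]
        if c.get("license"):
            entry["licenses"] = [{"license": {"id": c["license"]}}]
        entries.append(entry)
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "components": entries,
    }


def incomplete_components(sbom: dict) -> list:
    """Return names of components missing a PURL or license entry."""
    return [
        c["name"]
        for c in sbom["components"]
        if not c.get("purl") or not c.get("licenses")
    ]


sbom = build_sbom([
    {"name": "express", "version": "4.17.1",
     "purl": "pkg:npm/express@4.17.1", "license": "MIT"},
    {"name": "internal-lib", "version": "0.1.0"},  # hypothetical, no metadata
])
print(json.dumps(sbom, indent=2))
print("Incomplete:", incomplete_components(sbom))
```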
┌─────────────────┐
│ LLM Client │
│ (MCP Client) │
└────────┬────────┘
│ MCP Protocol
┌────────▼────────┐
│ mcp-semclone │
│ MCP Server │
└────────┬────────┘
│ Subprocess calls
┌────────▼──────────────────────────┐
│ SEMCL.ONE Toolchain │
├────────────────────────────────────┤
│ purl2notices │ Package + License │
│ osslili │ Archive scanning │
│ binarysniffer│ Binary analysis │
│ vulnq │ Vulnerability DB │
│ ospac │ Policy engine │
│ upmex │ Metadata extract │
└────────────────────────────────────┘
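The "Subprocess calls" layer in the diagram can be pictured with the following sketch. It is not the server's implementation: it assumes a tool prints JSON to stdout, uses the 120-second timeout mentioned elsewhere in this document as a default, and substitutes a Python one-liner for a real SEMCL.ONE tool so that no tool-specific flags are invented.

```python
import json
import subprocess
import sys


def run_tool(command: list, timeout: float = 120.0) -> dict:
    """Run a CLI tool and return its parsed JSON stdout, or an error dict."""
    try:
        completed = subprocess.run(
            command, capture_output=True, text=True, timeout=timeout
        )
    except FileNotFoundError:
        return {"error": f"tool not found: {command[0]}"}
    except subprocess.TimeoutExpired:
        return {"error": f"timed out after {timeout} seconds"}
    if completed.returncode != 0:
        return {"error": completed.stderr.strip() or f"exit code {completed.returncode}"}
    # Assumption: the tool emits a single JSON document on stdout.
    return json.loads(completed.stdout)


# Stand-in for a real tool: a Python one-liner that prints JSON.
fake_tool = [sys.executable, "-c", 'import json; print(json.dumps({"packages": 3}))']
print(run_tool(fake_tool))
```

Returning an error dictionary instead of raising keeps a single failed tool from aborting a multi-tool workflow, which is one reasonable choice for an orchestrating server.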
The MCP server includes comprehensive instructions that help LLMs understand how to use the tools effectively. These instructions are automatically injected into the LLM's context when using the server, providing:
- License-first approach: The server prioritizes license detection before package identification or vulnerability scanning
- Efficient execution order: Tools are orchestrated in an optimal sequence (licenses → packages → vulnerabilities → policy validation)
- Smart dependency handling: Package identification is only performed when needed for vulnerability checks or detailed SBOMs
- When to use scan_directory (comprehensive analysis) vs check_package (single package lookup)
- How tools interact (e.g., generate_sbom automatically calls scan_directory internally)
- Specialized tools for specific scenarios (e.g., analyze_commercial_risk for mobile/commercial distribution)
- Vulnerability scanning is limited to the first 10 packages to avoid timeouts
- Recursive scanning depth limits: 10 for licenses, 5 for package identification
- 120-second timeout per tool invocation
- Guidance for handling large codebases
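The limits listed above could be enforced along the lines of this sketch. The constant and function names are hypothetical, and the exact depth semantics used by the server are not stated in this document; here depth 0 is the scan root itself.

```python
import os

MAX_VULN_PACKAGES = 10   # vulnerability scanning covers the first 10 packages
MAX_LICENSE_DEPTH = 10   # recursion depth for license scanning
MAX_PACKAGE_DEPTH = 5    # recursion depth for package identification


def limit_packages(packages: list, limit: int = MAX_VULN_PACKAGES) -> tuple:
    """Return (packages to check, number of packages skipped)."""
    return packages[:limit], max(0, len(packages) - limit)


def walk_limited(root: str, max_depth: int):
    """Yield file paths under root, descending at most max_depth levels."""
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        depth = 0 if rel == "." else rel.count(os.sep) + 1
        if depth >= max_depth:
            dirnames[:] = []  # prune in place so os.walk stops descending
        for name in filenames:
            yield os.path.join(dirpath, name)


selected, skipped = limit_packages([f"pkg-{i}" for i in range(25)])
print(f"Checking {len(selected)} packages, skipping {skipped}")
```

Reporting the skipped count alongside the results makes it clear to the user that a scan of a large codebase was partial.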
The server provides ready-to-use workflow examples:
- Basic compliance check: License inventory without package identification
- Full security assessment: Complete vulnerability analysis with package discovery
- Policy validation: Automated license compliance checking
- Commercial risk analysis: Copyleft detection for mobile/commercial use
- SBOM generation: Supply chain transparency documentation
This enables LLMs to automatically choose the right tool combination, optimize performance, and follow best practices without requiring user expertise in OSS compliance workflows.
The MCP server orchestrates multiple SEMCL.ONE tools:
- purl2notices: Comprehensive package detection, license scanning, and copyright extraction (primary scanning tool)
- osslili: License detection in archives and compressed files (used by check_package)
- binarysniffer: Binary analysis for compiled artifacts (APK, EXE, DLL, SO, JAR)
- vulnq: Queries vulnerability databases (OSV, GitHub, NVD)
- ospac: Validates licenses against policies
- upmex: Extracts package metadata from manifests (used by check_package)
See examples/basic_usage.py for simple examples of calling MCP tools directly.
A complete autonomous agent example demonstrating OSS compliance analysis using a local LLM (Ollama) with MCP integration.
Location: examples/strands-agent-ollama/
Features:
- Autonomous decision-making (plan → execute → interpret → report)
- Local LLM inference via Ollama (llama3, gemma3, deepseek-r1)
- Interactive and batch analysis modes
- Custom policy enforcement
- Complete privacy (no external API calls)
Quick Start:
cd examples/strands-agent-ollama
./quickstart.sh
python agent.py interactive
Documentation:
- README.md - Complete usage guide
- TUNING.md - Optimization guide
- OVERVIEW.md - Architecture reference
Use Cases:
- Mobile app compliance (APK/IPA analysis)
- Embedded/IoT firmware scanning
- CI/CD integration
- Interactive compliance queries
See the example directory for full details.
Use SEMCL.ONE tools directly within your AI-powered IDE for seamless OSS compliance analysis during development.
- Cursor IDE - AI-first code editor
- Cline - AI coding extension for VS Code
- Kiro IDE - Amazon's agentic AI IDE
- VS Code - With MCP extension
- JetBrains IDEs - With AI plugin
- Install mcp-semclone with pipx (recommended):
  pipx install mcp-semclone
  pipx inject mcp-semclone purl2notices osslili binarysniffer ospac vulnq upmex
- Configure your IDE - Add MCP server configuration (see guide for IDE-specific paths)
- Restart your IDE
Once integrated, ask your IDE's AI:
- "Check this project for license compliance issues"
- "What licenses are used in my dependencies?"
- "Is this package safe for commercial distribution?"
- "Generate SBOM for this release"
- "Create NOTICE file for mobile app"
📖 Complete documentation: See IDE Integration Guide
# Run all tests
pytest
# Run with coverage
pytest --cov=mcp_semclone tests/
# Run specific test
pytest tests/test_server.py -v
# Build package
python -m build
# Install locally for testing
pip install -e .
- Tools not found: Ensure all SEMCL.ONE tools are installed and in PATH
- API rate limits: Add API keys to environment variables
- Permission errors: Check file/directory permissions
- Large codebases: Use recursive=False or limit scan depth
Enable debug logging:
export MCP_LOG_LEVEL=DEBUG
python -m mcp_semclone.server
- API keys are optional but recommended for production use
- The server runs tools via subprocess with user permissions
- Vulnerability data is fetched from public APIs
- No data is sent to external services without explicit tool calls
We welcome contributions! Please see CONTRIBUTING.md for details.
mcp-semclone is released under the Apache License 2.0. See LICENSE for details.
- Issues: GitHub Issues
- Discussions: GitHub Discussions
- Security: Report vulnerabilities to security@semcl.one
Part of the SEMCL.ONE Software Composition Analysis toolchain