Hi,

1. ossindex from Sonatype covers a lot.
2. Not sure what you mean, FindBugs or more Checkstyle/PMD?
3. The RAT plugin, for example (see the Apache Creadur tools too, there are license tools). Also note that with the initial dependency review plus a review of the license each time a new dependency is added in the standard ASF review flow, you rarely need to scan them actually.
4. You can also check that the binary only contains your code and deps, so there is no need to rescan in such a case.

Blackduck is good but does not scale well for huge projects (> 60 modules) and is not free; SourceClear is also a not-that-bad alternative but is not free either, I think. My 2 cents: the previous setup works well for ASF projects, stays free and is integrated into the build (compared to Blackduck or SourceClear, which use a two-step/async process as solutions).

Hope it helps

On Wed, 4 Sep 2019 at 23:13, Xun Hu <xun...@futurewei.com> wrote:

> We would like to scan our code to:
> 1) dependency analysis
> 2) snippet matching
> 3) license analysis
> 4) binary analysis - optional
>
> We found one paid solution - black duck, not sure there is any open source
> solution on the market.
>
> Thanks,
> -xun
>
> -----Original Message-----
> From: Justin Mclean <jus...@classsoftware.com>
> Sent: Wednesday, September 4, 2019 1:59 PM
> To: general@incubator.apache.org
> Subject: Re: What is the best tool to scan the code?
>
> Hi,
>
> > We have one open source project, and I would like to find a tool to scan
> > the code before we open it.
>
> Sorry, but it is unclear to me what you want to scan the code for.
>
> Thanks,
> Justin
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
> For additional commands, e-mail: general-h...@incubator.apache.org
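As an added example for point 4 of the reply above (not code from this thread, from Sonatype or from any ASF project): a small Python check that a built jar contains only the project's own packages plus the packages of dependencies it is allowed to bundle, and flags everything else so the build can fail before a release is cut. A jar is a zip archive, so the standard library is enough. The package prefixes and the sample jar are constructed here for illustration.

```python
"""Check that a built jar contains only the project's own classes plus
classes from declared (e.g. shaded) dependencies.

Added example, not code from the mailing-list thread or any ASF project.
Package prefixes and the sample jar below are constructed for illustration.
"""
import io
import zipfile

# Constructed allow-lists: the project's own package and the packages of
# the dependencies that are permitted to be bundled into the jar.
OWN_PREFIXES = ("com/example/app/",)
DEP_PREFIXES = ("org/apache/commons/lang3/",)

# Non-class entries every jar legitimately carries (manifest, signatures).
IGNORED_PREFIXES = ("META-INF/",)


def classify_entries(names, own_prefixes=OWN_PREFIXES, dep_prefixes=DEP_PREFIXES):
    """Sort jar entry names into own code, declared deps and unexpected files."""
    report = {"own": [], "deps": [], "unexpected": []}
    for name in names:
        if name.endswith("/") or name.startswith(IGNORED_PREFIXES):
            continue  # skip directory entries and META-INF housekeeping
        if name.startswith(own_prefixes):
            report["own"].append(name)
        elif name.startswith(dep_prefixes):
            report["deps"].append(name)
        else:
            # Anything not accounted for: a stray class, an undeclared
            # dependency that got shaded in, or a leftover file.
            report["unexpected"].append(name)
    return report


def audit_jar(jar_bytes, own_prefixes=OWN_PREFIXES, dep_prefixes=DEP_PREFIXES):
    """Open a jar (a zip archive) from bytes and classify its contents."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return classify_entries(jar.namelist(), own_prefixes, dep_prefixes)


def build_sample_jar():
    """Constructed sample jar: own code, one allowed dep, one stray class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        # Class file bodies are only the magic number; content is irrelevant here.
        jar.writestr("com/example/app/Main.class", b"\xca\xfe\xba\xbe")
        jar.writestr("org/apache/commons/lang3/StringUtils.class", b"\xca\xfe\xba\xbe")
        jar.writestr("com/thirdparty/Unknown.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def main():
    """Audit the constructed jar; non-zero exit means the build should fail."""
    report = audit_jar(build_sample_jar())
    for entry in report["unexpected"]:
        print("unexpected entry:", entry)
    return 1 if report["unexpected"] else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

To use it on a real artifact, read the jar from disk (`open(path, "rb").read()`) and pass it to `audit_jar` with the project's own package prefixes and those of the dependencies declared in the build; the non-zero exit code lets a CI step fail when an undeclared package shows up in the shipped binary.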