1.3.1

@oscarvalenzuelab oscarvalenzuelab released this 08 Nov 21:46

First Public Release

We're excited to announce the first public release of mcp-semclone, a Model Context Protocol server that brings comprehensive OSS compliance and vulnerability analysis capabilities to LLMs.

After extensive internal development and testing, we're now making this powerful toolchain integration available to the community.

What is mcp-semclone?

mcp-semclone integrates the complete SEMCL.ONE toolchain to provide LLMs with powerful software composition analysis capabilities:

  • License Detection & Compliance: Scan codebases for licenses and validate against policies
  • Binary Analysis: Analyze compiled binaries (APK, EXE, DLL, SO, JAR) for OSS components and licenses
  • Vulnerability Assessment: Query multiple vulnerability databases for security issues
  • Package Discovery: Identify packages from source code and generate PURLs
  • SBOM Generation: Create Software Bill of Materials in SPDX/CycloneDX formats
  • Policy Validation: Check license compatibility and organizational compliance
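The capabilities above (package identification to PURLs, SBOM generation in CycloneDX, and license policy validation) form one pipeline. The following is an added example illustrating that pipeline end to end in plain Python; it is not mcp-semclone's or SEMCL.ONE's own code, and the policy layout, the component list and the verdict ordering are all constructed assumptions for illustration (a real ospac policy and real scanner output look different).

```python
"""Illustrative license-policy check over a minimal CycloneDX-style SBOM.

Added example, not project code: the policy, components and rules below are
constructed to show the shape of the workflow, nothing more.
"""
import json

# Constructed policy (assumption: not the ospac policy format).
POLICY = {
    "allowed": {"MIT", "Apache-2.0", "BSD-3-Clause", "ISC"},
    "denied": {"GPL-3.0-only", "AGPL-3.0-only", "SSPL-1.0"},
    "review": {"LGPL-2.1-only", "MPL-2.0"},
}

# Constructed components, in the shape a package-discovery step might yield.
COMPONENTS = [
    {"name": "requests", "version": "2.31.0", "type": "pypi", "license": "Apache-2.0"},
    {"name": "lodash", "version": "4.17.21", "type": "npm", "license": "MIT"},
    {"name": "readline", "version": "8.2", "type": "generic", "license": "GPL-3.0-only"},
    {"name": "libffi", "version": "3.4", "type": "generic", "license": None},
]


def make_purl(component):
    """Build a package URL string of the form pkg:<type>/<name>@<version>."""
    return f"pkg:{component['type']}/{component['name']}@{component['version']}"


def build_cyclonedx(components):
    """Produce a minimal CycloneDX 1.5 JSON document (as a dict)."""
    bom_components = []
    for c in components:
        entry = {
            "type": "library",
            "name": c["name"],
            "version": c["version"],
            "purl": make_purl(c),
        }
        if c["license"]:
            # CycloneDX expresses a detected SPDX id as {"license": {"id": ...}}
            entry["licenses"] = [{"license": {"id": c["license"]}}]
        bom_components.append(entry)
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "components": bom_components,
    }


def evaluate_component(bom_component, policy):
    """Classify one SBOM component as allowed, review, unknown or denied."""
    licenses = [l["license"]["id"] for l in bom_component.get("licenses", [])]
    if not licenses:
        # An undeclared license must surface, never be approved by default.
        return "unknown"
    verdicts = set()
    for lic in licenses:
        if lic in policy["denied"]:
            verdicts.add("denied")
        elif lic in policy["review"]:
            verdicts.add("review")
        elif lic in policy["allowed"]:
            verdicts.add("allowed")
        else:
            verdicts.add("unknown")
    # Report the most severe verdict among the component's licenses.
    for worst in ("denied", "unknown", "review", "allowed"):
        if worst in verdicts:
            return worst


def validate_sbom(bom, policy):
    """Return ({purl: verdict}, overall_pass); only all-allowed passes."""
    results = {c["purl"]: evaluate_component(c, policy) for c in bom["components"]}
    passed = all(v == "allowed" for v in results.values())
    return results, passed


if __name__ == "__main__":
    bom = build_cyclonedx(COMPONENTS)
    print(json.dumps(bom, indent=2))
    results, passed = validate_sbom(bom, POLICY)
    for purl, verdict in results.items():
        print(f"{verdict:8} {purl}")
    print("POLICY PASS" if passed else "POLICY FAIL")
```

The design point worth noting is that a missing license is treated as a finding ("unknown") rather than silently passing: compliance tooling is only as trustworthy as its handling of the components it could not classify.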

Key Features

11 MCP Tools covering:

  • Directory and binary scanning
  • Package and vulnerability checking
  • Policy validation and license compatibility
  • Commercial risk analysis
  • SBOM generation

MCP Resources & Prompts:

  • License database access
  • Pre-configured policy templates
  • Guided compliance and vulnerability workflows

Featured Example: Strands Agent with Ollama

This release includes a complete autonomous agent demonstrating OSS compliance analysis using local LLMs.

Highlights:

  • Autonomous decision-making: Plan → Execute → Interpret → Report loop
  • Local LLM support: llama3, gemma3, deepseek-r1 via Ollama
  • Interactive & batch modes
  • Complete privacy: No external API dependencies
  • Production-ready error handling

See examples/strands-agent-ollama/ for complete documentation and setup.

Integrated SEMCL.ONE Tools

Latest versions of all SEMCL.ONE tools:

  • osslili 1.5.7 - License detection with TLSH fuzzy matching
  • binarysniffer 1.11.3 - Binary analysis for OSS components
  • src2purl 1.3.4 - Package identification with fuzzy matching
  • purl2notices 1.2.7 - Legal notice generation
  • ospac 1.2.2 - Policy engine with comprehensive license rules
  • vulnq 1.0.2 - Vulnerability database queries (OSV, GitHub, NVD)
  • upmex 1.6.7 - Package metadata extraction for 12+ ecosystems

Why mcp-semclone?

  • Comprehensive: 11 tools covering license compliance, vulnerabilities, and SBOM generation
  • Production-Ready: Built on mature SEMCL.ONE toolchain
  • LLM-Native: Designed specifically for MCP integration with detailed guidance for LLMs
  • Privacy-First: Can run completely locally with Ollama
  • Multi-Ecosystem: Supports 12+ package ecosystems
  • Battle-Tested: Extensively tested internally before public release

Getting Started

See the README for installation and configuration instructions.

Documentation

Support

We welcome contributions and feedback from the community!


Part of the SEMCL.ONE Software Composition Analysis toolchain