Releases: SemClone/mcp-semclone

1.3.5

09 Nov 02:10
26e784f

Release v1.3.5 Summary

Version

  • Updated from 1.3.4 to 1.3.5

Added

IDE Integration Guide

  • Documentation for Cursor and Kiro IDE integration
  • Complete setup instructions for Cursor IDE MCP server configuration
  • Kiro IDE integration with autoApprove configuration examples
  • VS Code and JetBrains IDEs integration references
  • Configuration templates (.cursor/mcp.json.example, .kiro/settings/mcp.json.example)
  • Troubleshooting guide and best practices
  • Use case examples for IDE-integrated compliance analysis
  • Updated MANIFEST.in to include IDE configuration examples in distributions

Changed

Strands Agent: Enhanced Compliance Reports

  • JSON-structured LLM output for reliable parsing (replaces markdown format)
  • Rich library table formatting with color-coded panels and styled columns
  • License deduplication in package tables (eliminates duplicate license entries)
  • Risk indicators with emoji status for visual clarity
  • Formatted obligation checklists with checkboxes
  • Color-coded compliance panels (green/yellow/red) based on policy status

Model Recommendation Updates

  • Changed default Ollama model from llama3 to granite3-dense:8b
  • Added warnings about llama3 hallucination issues in documentation
  • Updated README with model recommendation and testing observations
  • granite3-dense:8b provides accurate, grounded analysis without inventing packages
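The two changes above (JSON-structured agent output, and a model default chosen because it does not invent packages) both come down to one rule: never act on the model's report until it has been parsed strictly and checked against what the scanner actually found. The following is an added example of that gate, not the Strands agent's own code. The report shape (top-level `status` and `packages`, each package carrying `purl` and `licenses`), the sample model output, the set of "scanned" PURLs and the fence-stripping step are all assumptions made for this example; the PURL grammar follows the package-url spec.

```python
"""Validate a JSON-structured LLM compliance report before acting on it."""
from __future__ import annotations

import json
import re
from urllib.parse import unquote

EXPECTED_TOP_KEYS = {"status", "packages"}  # assumed report schema for this example
ALLOWED_STATUS = {"compliant", "review", "non-compliant"}
FENCE = "`" * 3  # built this way so the sample text cannot be mistaken for a document fence

# PURL grammar from the package-url spec:
#   pkg:type/[namespace/]name[@version][?qualifiers][#subpath]
_PURL_RE = re.compile(
    r"^pkg:(?P<type>[A-Za-z0-9.+-]+)/(?P<rest>[^?#]+)"
    r"(?:\?(?P<qualifiers>[^#]*))?(?:#(?P<subpath>.*))?$"
)


def parse_purl(purl: str) -> dict:
    """Split a PURL into its components; raise ValueError if it is not a PURL at all."""
    m = _PURL_RE.match(purl.strip())
    if not m:
        raise ValueError(f"malformed PURL: {purl!r}")
    rest = m.group("rest")
    # The '@' that introduces the version must come after the last '/';
    # the '@' of an npm scope such as pkg:npm/@babel/core does not.
    at = rest.rfind("@")
    if at > rest.rfind("/"):
        path, version = rest[:at], unquote(rest[at + 1:])
    else:
        path, version = rest, None
    segments = [unquote(s) for s in path.split("/") if s]
    if not segments:
        raise ValueError(f"PURL without a name: {purl!r}")
    qualifiers = dict(
        kv.split("=", 1) for kv in (m.group("qualifiers") or "").split("&") if "=" in kv
    )
    return {
        "type": m.group("type").lower(),
        "namespace": "/".join(segments[:-1]) or None,
        "name": segments[-1],
        "version": version,
        "qualifiers": qualifiers,
        "subpath": m.group("subpath"),
    }


def validate_report(raw: str, known_purls: set[str]) -> dict:
    """Parse the model's JSON, enforce the schema, drop PURLs that are malformed or that
    never appeared in the scanner's own results, and dedupe each package's licence list."""
    text = raw.strip()
    if text.startswith(FENCE):  # models often fence their JSON even when told not to
        text = text.split("\n", 1)[1].rsplit(FENCE, 1)[0]
    report = json.loads(text)
    if set(report) != EXPECTED_TOP_KEYS:
        raise ValueError(f"unexpected top-level keys: {sorted(report)}")
    if report["status"] not in ALLOWED_STATUS:
        raise ValueError(f"unexpected status: {report['status']!r}")
    packages, rejected, seen = [], [], set()
    for entry in report["packages"]:
        purl = str(entry.get("purl", ""))
        try:
            parse_purl(purl)
        except ValueError:
            rejected.append(purl)  # not even a PURL
            continue
        if purl not in known_purls:
            rejected.append(purl)  # grounding check: the scanner never reported this package
            continue
        if purl in seen:
            continue  # duplicate row
        seen.add(purl)
        licenses = [str(lic).strip() for lic in entry.get("licenses", []) if str(lic).strip()]
        packages.append({"purl": purl, "licenses": list(dict.fromkeys(licenses))})
    return {"status": report["status"], "packages": packages, "rejected": rejected}


# Constructed sample of what a model might return: a fenced wrapper, a duplicated licence,
# a duplicated row, a string that is not a PURL, and a package the scan never saw.
SAMPLE_LLM_OUTPUT = FENCE + "json\n" + """{
  "status": "review",
  "packages": [
    {"purl": "pkg:npm/express@4.0.0", "licenses": ["MIT", "MIT"]},
    {"purl": "express@4.0.0", "licenses": ["MIT"]},
    {"purl": "pkg:pypi/django@4.2.0", "licenses": ["BSD-3-Clause"]},
    {"purl": "pkg:pypi/leftpad-pro@9.9.9", "licenses": ["MIT"]},
    {"purl": "pkg:npm/express@4.0.0", "licenses": ["MIT"]}
  ]
}
""" + FENCE

# Constructed: the PURLs the scanner itself reported, the ground truth the report must stay within.
SCANNED_PURLS = {"pkg:npm/express@4.0.0", "pkg:pypi/django@4.2.0"}

if __name__ == "__main__":
    print(json.dumps(validate_report(SAMPLE_LLM_OUTPUT, SCANNED_PURLS), indent=2))
```

Rejected entries are returned rather than silently dropped so the agent can log them; a model that keeps producing PURLs outside the scan results is exactly the hallucination problem the model change addresses, and it should be visible in the output.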

Benefits

  • Developers can now use SEMCL.ONE tools directly within AI-powered IDEs
  • Seamless OSS compliance analysis during development workflow
  • Enhanced agent output readability with professional table formatting
  • More reliable LLM output parsing through structured JSON format
  • Cleaner package tables without duplicate license entries
  • Better model default reduces the risk of inaccurate compliance reports

1.3.4

09 Nov 00:52
b38cb3c

v1.3.4 - SBOM and Legal Notices Generation

Release Date: 2025-11-08

This release adds comprehensive SBOM and legal notices generation capabilities, enabling complete end-to-end compliance workflows for LLM clients.

New Features

generate_legal_notices - New MCP Tool

Generate comprehensive legal attribution documentation using purl2notices.

Key Features:

  • Takes a list of Package URLs (PURLs) and generates complete attribution documentation
  • Supports multiple output formats: text, HTML, and markdown
  • Includes copyright notices, license attributions, and full license texts
  • Essential for creating NOTICE files for software distribution
  • Detailed docstring with usage instructions for autonomous LLM usage

Example Usage:

```python
# Generate legal notices for analyzed packages
generate_legal_notices(
    purls=["pkg:npm/express@4.0.0", "pkg:pypi/django@4.2.0"],
    output_format="text",
    output_file="NOTICE.txt"
)
```

Strands Agent: Batch Processing

Enhanced directory analysis with intelligent batch processing for package collections.

Capabilities:

  • Automatic detection of directories containing package archives
  • Analyzes each package individually for accurate results
  • Aggregates license information across all packages
  • Generates comprehensive compliance reports
  • Handles 15+ package formats across multiple ecosystems (JAR, WHL, GEM, NPM, etc.)

Example:

```bash
# Analyze entire directory of packages
python agent.py /path/to/packages/
```
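Batch mode starts by deciding which files in the directory are package archives at all. The following is an added example of that first step, not the agent's own detection code: it maps extensions to ecosystems and container formats, then checks the file's leading bytes against the format the extension claims, so a renamed HTML error page or a truncated download is flagged instead of being fed into per-package analysis. The extension table and the sample directory are assumptions constructed for this example; the agent's own format list is not given on this page.

```python
"""Find package archives under a directory and confirm each is the container its extension claims."""
from __future__ import annotations

import io
import tarfile
import tempfile
import zipfile
from dataclasses import dataclass
from pathlib import Path

ZIP, GZIP, TAR, RPM, DEB = "zip", "gzip", "tar", "rpm", "deb"

# extension -> (ecosystem, expected container format); assumed table for this example
ARCHIVE_TYPES = {
    ".jar": ("maven", ZIP), ".aar": ("maven", ZIP),
    ".whl": ("pypi", ZIP), ".egg": ("pypi", ZIP),
    ".nupkg": ("nuget", ZIP), ".apk": ("android", ZIP),
    ".tgz": ("npm", GZIP), ".crate": ("cargo", GZIP),
    ".gem": ("gem", TAR),
    ".rpm": ("rpm", RPM), ".deb": ("deb", DEB),
}

# Leading magic bytes per container. A tar has no leading magic; its "ustar" marker sits at offset 257.
# An empty zip starts with the end-of-central-directory record instead, but real packages have entries.
MAGIC = {ZIP: b"PK\x03\x04", GZIP: b"\x1f\x8b", RPM: b"\xed\xab\xee\xdb", DEB: b"!<arch>\n"}


def container_of(path: Path) -> str | None:
    """Identify the container format from the first 512 bytes, or None if unrecognised."""
    with path.open("rb") as fh:
        head = fh.read(512)
    for kind, magic in MAGIC.items():
        if head.startswith(magic):
            return kind
    if len(head) >= 262 and head[257:262] == b"ustar":
        return TAR
    return None


@dataclass
class Archive:
    path: Path
    ecosystem: str
    expected: str
    actual: str | None

    @property
    def ok(self) -> bool:
        return self.expected == self.actual


def find_package_archives(root: Path | str) -> list[Archive]:
    """Walk root and return every file with a known package extension, tagged with
    whether its bytes actually match that format."""
    found = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        entry = ARCHIVE_TYPES.get(path.suffix.lower())
        if entry is None:
            continue
        ecosystem, expected = entry
        found.append(Archive(path, ecosystem, expected, container_of(path)))
    return found


def build_sample_dir() -> Path:
    """Constructed sample input: a real wheel-shaped zip, a real npm-style gzip tarball,
    a text file mislabelled as a .jar, and a non-archive file that should be ignored."""
    root = Path(tempfile.mkdtemp(prefix="pkgs-"))
    with zipfile.ZipFile(root / "demo-1.0-py3-none-any.whl", "w") as zf:
        zf.writestr("demo/__init__.py", "")
    with tarfile.open(root / "left-pad-1.3.0.tgz", "w:gz") as tf:
        payload = b'{"name": "left-pad", "version": "1.3.0"}'
        info = tarfile.TarInfo("package/package.json")
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    (root / "not-really.jar").write_text("<html>sign in to download</html>\n")
    (root / "README.md").write_text("not a package\n")
    return root


if __name__ == "__main__":
    for a in find_package_archives(build_sample_dir()):
        flag = "OK " if a.ok else "BAD"
        print(f"{flag} {a.path.name:30} {a.ecosystem:8} expected={a.expected} actual={a.actual}")
```

Only files whose bytes match their claimed format should go on to per-package analysis; the mismatches are worth a separate line in the batch report, since a mislabelled archive in a vendor drop is more often a broken download than an attack, but either way its "licence" would be nonsense.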

Enhanced Features

generate_sbom - Dual Input Modes

Significantly enhanced SBOM generation with flexible input options.

What's New:

  • Dual input modes: Now accepts either purls (list of Package URLs) OR path (directory scan)
  • Better format support: CycloneDX-JSON, CycloneDX-XML, SPDX-JSON, SPDX
  • Improved documentation: Clear examples for both usage modes
  • Enhanced LLM instructions: Comprehensive docstrings enable better autonomous usage

Example - From PURLs:

```python
generate_sbom(
    purls=["pkg:npm/express@4.0.0", "pkg:maven/commons-io/commons-io@2.11.0"],
    output_format="cyclonedx-json",
    output_file="sbom.json"
)
```

Example - From Directory:

```python
generate_sbom(
    path="/path/to/project",
    output_format="spdx-json"
)
```

Benefits

  • Complete compliance workflow: Scan packages → Generate SBOM → Generate legal notices
  • Better multi-package support: Batch analysis for directory-based workflows
  • LLM-ready: Comprehensive docstrings enable autonomous tool usage by any LLM client
  • Clear differentiation: generate_legal_notices (complete attribution) vs generate_mobile_legal_notice (simplified mobile UI)

Complete Workflow Example

```python
# 1. Batch analyze packages in directory
results = analyze_directory("/path/to/packages")

# 2. Generate SBOM from discovered packages
# (collected_purls: the PURLs gathered from `results`; this step is left implicit here)
generate_sbom(
    purls=collected_purls,
    output_format="cyclonedx-json",
    output_file="project-sbom.json"
)

# 3. Generate legal notices
generate_legal_notices(
    purls=collected_purls,
    output_format="html",
    output_file="NOTICE.html"
)
```
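Steps 2 and 3 of the workflow are produced from the same PURL list, so the two outputs should agree: every component in the SBOM should also be attributed in the notices. The following is an added example of that reconciliation, not part of mcp-semclone. The SBOM sample is a minimal CycloneDX JSON document constructed here, and the NOTICE sample, including the assumption that each attributed package is listed by its PURL, is likewise this example's rather than purl2notices' documented output format.

```python
"""Cross-check a CycloneDX SBOM against a NOTICE file: every component shipped must be attributed."""
import json
import re

# A PURL as it would appear embedded in prose: stops at whitespace or common delimiters.
PURL_RE = re.compile(r"pkg:[A-Za-z0-9.+-]+/[^\s\"'<>)\]]+")


def walk_components(components: list) -> list:
    """Return every component, including nested ones (CycloneDX allows components inside components)."""
    out = []
    for comp in components or []:
        out.append(comp)
        out.extend(walk_components(comp.get("components", [])))
    return out


def sbom_check(sbom_json: str) -> dict:
    """Return the PURLs in a CycloneDX JSON SBOM plus the structural problems found."""
    sbom = json.loads(sbom_json)
    problems = []
    if sbom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")
    if "specVersion" not in sbom:
        problems.append("specVersion missing")
    purls, missing_purl = [], []
    for comp in walk_components(sbom.get("components", [])):
        purl = comp.get("purl")
        if purl:
            purls.append(purl)
        else:
            # A component without a PURL cannot be fed to generate_legal_notices at all.
            missing_purl.append(comp.get("name", "<unnamed>"))
    return {"purls": purls, "missing_purl": missing_purl, "problems": problems}


def notice_purls(notice_text: str) -> set:
    """Every PURL mentioned anywhere in the notice document."""
    return set(PURL_RE.findall(notice_text))


def unattributed(sbom_json: str, notice_text: str) -> list:
    """PURLs present in the SBOM but absent from the NOTICE, in SBOM order."""
    attributed = notice_purls(notice_text)
    return [p for p in sbom_check(sbom_json)["purls"] if p not in attributed]


# Constructed sample SBOM: one nested component deliberately lacks a PURL.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {"type": "library", "name": "express", "version": "4.0.0",
         "purl": "pkg:npm/express@4.0.0",
         "components": [
             {"type": "library", "name": "body-parser", "version": "1.20.2"},
         ]},
        {"type": "library", "group": "commons-io", "name": "commons-io", "version": "2.11.0",
         "purl": "pkg:maven/commons-io/commons-io@2.11.0"},
        {"type": "library", "name": "django", "version": "4.2.0",
         "purl": "pkg:pypi/django@4.2.0"},
    ],
})

# Constructed sample NOTICE: django is missing, which the check must report.
SAMPLE_NOTICE = """THIRD-PARTY NOTICES

Package: pkg:npm/express@4.0.0
License: MIT
(copyright notice and licence text omitted from this constructed sample)

Package: pkg:maven/commons-io/commons-io@2.11.0
License: Apache-2.0
(copyright notice and licence text omitted from this constructed sample)
"""

if __name__ == "__main__":
    print("structure:", sbom_check(SAMPLE_SBOM))
    print("unattributed:", unattributed(SAMPLE_SBOM, SAMPLE_NOTICE))
```

Run this after step 3 and fail the build if either list is non-empty: `missing_purl` means the SBOM contains something the notice generator was never asked about, and `unattributed` means a PURL went in but no attribution came out.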

Technical Details

Files Changed:

  • mcp_semclone/server.py - Added generate_legal_notices tool, enhanced generate_sbom
  • examples/strands-agent-ollama/agent.py - Added batch processing capabilities
  • tests/test_server.py - Updated tests for new API
  • pyproject.toml - Version bump to 1.3.4

Backward Compatibility:
All changes maintain full backward compatibility. Existing code that calls generate_sbom with the path parameter continues to work as before.

Installation

```bash
pip install --upgrade mcp-semclone
```

Full Changelog: v1.3.3...v1.3.4

1.3.3

08 Nov 23:29
0436506

[1.3.3] - 2025-11-08

Fixed

  • Test Compatibility: Fixed check_package to ensure proper test compatibility
    • Changed check_vulnerabilities default to True to match expected behavior
    • Ensured the vulnerabilities field is always present when check_vulnerabilities=True
    • Improved error propagation for critical failures

Benefits

  • All 26 unit tests passing
  • Better error handling and reporting
  • Consistent API behavior

1.3.1

08 Nov 21:46

First Public Release

We're excited to announce the first public release of mcp-semclone, a Model Context Protocol server that brings comprehensive OSS compliance and vulnerability analysis capabilities to LLMs.

After extensive internal development and testing, we're now making this powerful toolchain integration available to the community.

What is mcp-semclone?

mcp-semclone integrates the complete SEMCL.ONE toolchain to provide LLMs with powerful software composition analysis capabilities:

  • License Detection & Compliance: Scan codebases for licenses and validate against policies
  • Binary Analysis: Analyze compiled binaries (APK, EXE, DLL, SO, JAR) for OSS components and licenses
  • Vulnerability Assessment: Query multiple vulnerability databases for security issues
  • Package Discovery: Identify packages from source code and generate PURLs
  • SBOM Generation: Create Software Bill of Materials in SPDX/CycloneDX formats
  • Policy Validation: Check license compatibility and organizational compliance

Key Features

11 MCP Tools covering:

  • Directory and binary scanning
  • Package and vulnerability checking
  • Policy validation and license compatibility
  • Commercial risk analysis
  • SBOM generation

MCP Resources & Prompts:

  • License database access
  • Pre-configured policy templates
  • Guided compliance and vulnerability workflows

Featured Example: Strands Agent with Ollama

This release includes a complete autonomous agent demonstrating OSS compliance analysis using local LLMs.

Highlights:

  • Autonomous decision-making: Plan → Execute → Interpret → Report loop
  • Local LLM support: llama3, gemma3, deepseek-r1 via Ollama
  • Interactive & batch modes
  • Complete privacy: No external API dependencies
  • Production-ready error handling

See examples/strands-agent-ollama/ for complete documentation and setup.

Integrated SEMCL.ONE Tools

Latest versions of all SEMCL.ONE tools:

  • osslili 1.5.7 - License detection with TLSH fuzzy matching
  • binarysniffer 1.11.3 - Binary analysis for OSS components
  • src2purl 1.3.4 - Package identification with fuzzy matching
  • purl2notices 1.2.7 - Legal notice generation
  • ospac 1.2.2 - Policy engine with comprehensive license rules
  • vulnq 1.0.2 - Vulnerability database queries (OSV, GitHub, NVD)
  • upmex 1.6.7 - Package metadata extraction for 12+ ecosystems

Why mcp-semclone?

  • Comprehensive: 11 tools covering license compliance, vulnerabilities, and SBOM generation
  • Production-Ready: Built on mature SEMCL.ONE toolchain
  • LLM-Native: Designed specifically for MCP integration with detailed guidance for LLMs
  • Privacy-First: Can run completely local with Ollama
  • Multi-Ecosystem: Supports 12+ package ecosystems
  • Battle-Tested: Extensively tested internally before public release

Getting Started

See the README for installation and configuration instructions.

Support

We welcome contributions and feedback from the community!


Part of the SEMCL.ONE Software Composition Analysis toolchain