Getting Started with Canvass for Compliance (CFC)
Quickly become familiar with Canvass for Compliance.

Prerequisites

Canvass for Compliance (CFC), formerly known as LiAnORT, detects the presence of software licenses within your source code and accurately identifies exact licenses and versions. In order to use Canvass for Compliance, the following steps are needed:

  1. Create an account. Canvass for Compliance requires a Canvass Labs account to submit a job.
  2. Download the client. The CFC Client will need to be downloaded and installed in order to scan the user’s source code and send anonymized results to Canvass Labs servers for analysis.
  3. Download ORT (optional). To detect license information in software dependencies used by your project, the OSS Review Toolkit (ORT) will need to be downloaded and installed.

Submitting a Job

CFC can scan either a source tree or its dependencies (or both). To scan a source tree, simply feed the path of the source tree to the scan command:

LiAnORT scan /my/source/tree/path

When this command is called, CFC will scan your entire source tree, extracting comments from source files and text from files like LICENSE.txt and COPYRIGHT. At no time is your source code ever copied to CanvassLabs: the only information about your source code sent to our servers is these text strings. With this client-server model, your organization benefits from continuous updates and zero-deployment hassles, while protecting the value of your intellectual property (IP).

If there are parts of your source tree you don't want scanned, you can use the ignore argument, along with the UNIX-style wildcards '*' and '?', to have CFC ignore them. For example:

./LiAnORT scan /my/source/tree/path ignore '*/venv/*' ignore '*.sock'

Once the text strings are packaged up and sent to CanvassLabs, CFC should reply with a job number:

Your job number is: 1
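Before submitting, it helps to know exactly which files an ignore pattern removes from the scan, since everything not ignored has its comments or license text sent off-site. The following dry-run is an added example written for this page, not part of the CFC client; it assumes that ignore patterns are matched against the full path as scanned (so '*/venv/*' also catches a venv at the top of the tree) and that files named LICENSE*, COPYRIGHT* or COPYING* are the ones read whole. The sample tree is constructed.

```python
import fnmatch
import os
import tempfile

# Constructed stand-in for /my/source/tree/path; none of these are real project files.
SAMPLE_FILES = [
    "LICENSE.txt",
    "src/main.c",
    "src/util.py",
    "venv/lib/site-packages/six.py",
    "tools/venv/bin/activate",
    "run/app.sock",
    "third_party/COPYRIGHT",
]
# Assumed name patterns for files read whole (the page names LICENSE.txt and COPYRIGHT).
LICENSE_FILE_PATTERNS = ("LICENSE*", "COPYRIGHT*", "COPYING*")

def is_ignored(path, ignore_patterns):
    """True when any UNIX-style wildcard pattern matches. Assumption: patterns are
    applied to the full path, so '*/venv/*' matches a top-level venv too; against
    the bare relative path 'venv/...' it would not."""
    return any(fnmatch.fnmatch(path, pat) for pat in ignore_patterns)

def plan_scan(root, ignore_patterns):
    """Dry run: classify each file as 'ignored' (never read), 'license' (text sent
    whole) or 'source' (only comments extracted); paths are relative to root."""
    plan = {"ignored": [], "license": [], "source": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if is_ignored(full, ignore_patterns):
                plan["ignored"].append(rel)
            elif any(fnmatch.fnmatch(name, p) for p in LICENSE_FILE_PATTERNS):
                plan["license"].append(rel)
            else:
                plan["source"].append(rel)
    return {k: sorted(v) for k, v in plan.items()}

def build_sample_tree():
    """Materialise SAMPLE_FILES under a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="cfc-sample-")
    for rel in SAMPLE_FILES:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("// constructed placeholder\n")
    return root

if __name__ == "__main__":
    print(plan_scan(build_sample_tree(), ["*/venv/*", "*.sock"]))
```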

By default, the source tree scan does not include analysis of your source code’s dependencies (for example, the packages imported into the source code by package managers). If you want CFC to also scan these dependencies, you will need to download and install the supported ORT version and run the ORT analyzer on your source code. Doing so allows CFC to obtain versioning information specific to your operating environment.

After an ORT analyze command is run on your source tree, you can submit the result to CFC for dependency scanning:

LiAnORT scan ./analyzer-result.yml

You can submit your source tree metadata and analyzer results at the same time for a more comprehensive scan:

LiAnORT scan ./sample_project ./sample-analyzer-result.yml
Retrieving Results

The get command is used to download the results of CFC jobs given the job id returned when a job is submitted. If get is called from the command line, then the results for that job will be downloaded automatically to the current directory. If get is instead called in interactive mode, then you will be prompted to download the results to the current directory.

  charlie@rivera:~/Development$ ./LiAnORT
  LiAnORT version 1.3.1, Build 39
  Type "help" or "?" for help.

  LiAnORT> get

  NUM	STATUS		POSTED TIME	        FILES	PKGS    RUN TIME
  ------------------------------------------------------------
  729	Processing	2021-06-29 12:55:06	1154	0       1.27 min
  LiAnORT>

If no job ids are provided, then the job id of the most recently submitted job will be used. If a job is still in progress, then the command will instead list its status.

Possible job statuses include: new, processing, completed, aborted, requeued, and failed. Canvass Labs will email you every time the status of a CFC job is changed. You can use the list command to check on the status of all of your CFC jobs.

  LiAnORT> list

  NUM	STATUS		POSTED TIME		FILES	PKGS	RUN TIME
  --------------------------------------------------------------------------------
  682	Completed+	2021-06-13 16:18:27	0	27	4.28 minutes
  681	Completed+	2021-06-13 16:12:01	0	27	4.36 minutes
  680	Completed+	2021-06-13 16:10:48	0	27	11.51 seconds
  679	Completed+	2021-06-13 16:01:37	0	27	4.36 minutes
  678	Completed+	2021-06-13 15:48:27	0	27	4.40 minutes
  677	Completed+	2021-06-13 15:42:02	0	27	10.98 seconds
  676	Completed+	2021-06-11 22:30:10	0	27	22.65 minutes
  675	Completed 	2021-06-11 22:27:49	0	5	12.99 seconds
  674	Completed 	2021-06-10 08:42:13	0	2423	12.84 minutes
  673	Completed 	2021-06-08 18:12:48	0	2423	8.85 hours
  672	Completed 	2021-06-08 12:35:33	0	5	1.03 minutes
  671	Completed+	2021-06-08 12:32:27	0	2	10.42 seconds
  670	Completed+	2021-06-08 12:21:42	0	2	2.95 minutes
  669	Completed+	2021-06-08 12:16:51	0	2	3.25 minutes
  668	Completed+	2021-06-08 12:13:57	0	2	10.85 seconds
  Press 'Q' to quit, or another key to continue...
A completed job can also be retrieved from the download URL provided by the corresponding completion email.

Job Result Details

Job results are stored in a tar.gz file. On Linux and macOS, the contents can be extracted by right-clicking the file and then clicking Extract Here, or via the command line using the command tar zxvf my_file.tar.gz. Windows 10 users may need to download a file archiver to open this file.

Job results are stored in a directory with a unique name of 32 random characters. Results for the source tree will be stored in the sub-directory source, while results for the ORT analyze output file will be stored in dependencies. ORT-compatible summary results are stored in the file scan-result.yml, while native output from LiAn will be stored in native-scan-results.

A report summary is stored in the file license_summary_report.html.
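The layout above can be checked programmatically when a results archive is pulled by a script rather than by hand. The following is an added example written for this page, not CFC's own code: it builds a constructed results archive with the documented layout (a source-only job, so no dependencies directory), extracts it while refusing any member whose path would land outside the destination, and reports which of the documented result files are present. The job directory name is a placeholder.

```python
import io
import os
import tarfile
import tempfile

# Files the page documents inside the job directory; dependencies/ exists only
# when an ORT analyzer result was submitted with the job.
EXPECTED = {
    "summary": "license_summary_report.html",
    "source_scan": "source/scan-result.yml",
    "dependency_scan": "dependencies/scan-result.yml",
}

def is_safe_member(member):
    """Reject members (absolute, '..'-prefixed, or links) that could escape dest."""
    norm = os.path.normpath(member.name)
    escapes = os.path.isabs(norm) or norm == ".." or norm.startswith(".." + os.sep)
    return not (escapes or member.issym() or member.islnk())

def extract_results(archive_path, dest):
    """Extract a results tar.gz into dest, skipping unsafe members, then map the
    documented result files under the single 32-character job directory."""
    with tarfile.open(archive_path, "r:gz") as tar:
        tar.extractall(dest, members=[m for m in tar.getmembers() if is_safe_member(m)])
    job_dirs = [d for d in os.listdir(dest) if len(d) == 32]
    if len(job_dirs) != 1:
        raise ValueError("expected exactly one 32-character job directory")
    job_dir = os.path.join(dest, job_dirs[0])
    return {k: (os.path.join(job_dir, rel) if os.path.isfile(os.path.join(job_dir, rel)) else None)
            for k, rel in EXPECTED.items()}

def build_sample_archive(path, job_id="0123456789abcdef0123456789abcdef"):
    """Constructed archive (placeholder job id): documented layout for a source-only
    job plus one traversal member that an extractor without path checks would write
    outside the destination."""
    entries = [
        (job_id + "/license_summary_report.html", b"<html>summary</html>"),
        (job_id + "/source/scan-result.yml", b"scan_results: []\n"),
        (job_id + "/source/native-scan-results/hits.txt", b"sample\n"),
        ("../escaped.txt", b"must not be written"),
    ]
    with tarfile.open(path, "w:gz") as tar:
        for name, data in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

def run_demo():
    """Build the sample archive, extract it, and report what was (not) written."""
    tmp = tempfile.mkdtemp(prefix="cfc-results-")
    archive, dest = os.path.join(tmp, "job.tar.gz"), os.path.join(tmp, "out")
    os.mkdir(dest)
    build_sample_archive(archive)
    found = extract_results(archive, dest)
    found["escaped_written"] = os.path.exists(os.path.join(tmp, "escaped.txt"))
    return found

if __name__ == "__main__":
    print(run_demo())
```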