Getting Started with Canvass for Compliance (CFC)
Quickly become familiar with Canvass for Compliance.
Canvass for Compliance (CFC), formerly known as LiAnORT, detects the presence of software licenses within your source code and accurately identifies exact licenses and versions. In order to use Canvass for Compliance, the following steps are needed:
- Create an account. Canvass for Compliance requires a Canvass Labs account to submit a job.
- Download the client. The CFC Client will need to be downloaded and installed in order to scan the user’s source code and send anonymized results to Canvass Labs servers for analysis.
- Download ORT (optional). To detect license information in software dependencies used by your project, the OSS Review Toolkit (ORT) will need to be downloaded and installed.
Submitting a Job
CFC can scan either a source tree or its dependencies (or both).
To scan a source tree, simply feed the path of the source tree to the
LiAnORT scan /my/source/tree/path
When this command is called, CFC will scan your entire source tree, extracting comments from source files and text
from files like
At no time is your source code ever copied to CanvassLabs, as the only information about your source code sent to our servers are these text strings.
With this client-server model, your organization benefits from continuous updates and zero-deployment hassles,
while protecting the value of your intellectual property (IP).
If there are parts of your source tree you don't want scanned,
you can use the
ignore argument, along with the the UNIX-style wildcards '*' and '?' to have CFC ignore them.
./LiAnORT scan /my/source/tree/path ignore '*/venv/*' ignore '*.sock'
Once the text strings are packaged up and sent to CanvassLabs, CFC should reply with a job number:
Your job number is: 1
By default, the source tree scan does not include analysis of your source code’s dependencies (for example, the packages imported into the source code by package managers). If you want CFC to also scan these dependencies, you will need to download and install the supported ORT version and run the ORT analyzer on your source code. Doing so allows CFC to obtain versioning information specific to your operating environment.
After an ORT
analyze command is run on your source tree, you can submit the result to CFC for dependency scanning:
LiAnORT scan ./analyzer-result.yml
You can submit your source tree metadata and analyzer results at the same time for a more comprehensive scan:
LiAnORT scan ./sample_project ./sample-analyzer-result.yml
get command is used to download the results of CFC jobs given the job id returned when a job is submitted.
get is called from the command line, then the results for that job will be downloaded automatically to the current directory.
get is otherwise called in interactive mode, then you will be prompted to download the results to the current directory.
charlie@rivera:~/Development$ ./LiAnORT LiAnORT version 1.3.1, Build 39 Type "help" or "?" for help. LiAnORT> get NUM STATUS POSTED TIME FILES PKGS RUN TIME ------------------------------------------------------------ 729 Processing 2021-06-29 12:55:06 1154 0 1.27 min LiAnORT>
If no job ids are provided, then the job id of the most recently submitted job will be used. If a job is still in progress, then the command will instead list its status.
Possible job statuses include:
Canvass Labs will email you every time the status of a CFC job is changed.
You can use the
list command to check on the status of all of your CFC jobs.
LiAnORT> list NUM STATUS POSTED TIME FILES PKGS RUN TIME -------------------------------------------------------------------------------- 682 Completed+ 2021-06-13 16:18:27 0 27 4.28 minutes 681 Completed+ 2021-06-13 16:12:01 0 27 4.36 minutes 680 Completed+ 2021-06-13 16:10:48 0 27 11.51 seconds 679 Completed+ 2021-06-13 16:01:37 0 27 4.36 minutes 678 Completed+ 2021-06-13 15:48:27 0 27 4.40 minutes 677 Completed+ 2021-06-13 15:42:02 0 27 10.98 seconds 676 Completed+ 2021-06-11 22:30:10 0 27 22.65 minutes 675 Completed 2021-06-11 22:27:49 0 5 12.99 seconds 674 Completed 2021-06-10 08:42:13 0 2423 12.84 minutes 673 Completed 2021-06-08 18:12:48 0 2423 8.85 hours 672 Completed 2021-06-08 12:35:33 0 5 1.03 minutes 671 Completed+ 2021-06-08 12:32:27 0 2 10.42 seconds 670 Completed+ 2021-06-08 12:21:42 0 2 2.95 minutes 669 Completed+ 2021-06-08 12:16:51 0 2 3.25 minutes 668 Completed+ 2021-06-08 12:13:57 0 2 10.85 seconds Press 'Q' to quit, or another key to continue...
A completed job can also be retrieved from the download URL provided by the corresponding completion email.
Job Result Details
Job results are stored in a tar.gz file. On Linux and MacOS, the contents can be extracted by right-clicking
the file and then clicking Extract Here
or via the command line using the command
tar zxvf my_file.tar.gz.
Window 10 users may need to download a file archiver to open this file.
Job results are stored in a directory with a unique name of 32 random characters.
Results for the source-tree will be stored in the sub-directory
source, while results for the ORT
analyze output file will be stored in
ORT-compatible summary results are stored in the file
scan-result.yml, while native output from LiAn
will be stored in
A report summary is stored in the file