Dimension scores are derived from public data and fields and are weighted into the composite score. For reference only.
AboutCode is not a single tool, but a collection of open-source tools, open data, and open standards for software supply chain security and compliance. It covers the full workflow from software identification, license detection, dependency analysis, and vulnerability aggregation to SBOM/VEX compliance. Core projects include ScanCode Toolkit, ScanCode.io, PurlDB, VulnerableCode, ClearlyDefined, DejaCode, and Package-URL.
Functionally, AboutCode focuses on composable SCA (software composition analysis) building blocks. ScanCode identifies copyrights, licenses, origins, packages, and dependencies; ScanCode.io provides a web UI, an API, and pipelines for scanning containers, Docker images, package archives, and manifests; PurlDB indexes package metadata keyed by PURL; VulnerableCode aggregates more than 30 vulnerability sources and maps them to affected packages; and LicenseDB covers 2,500+ licenses and 35,000+ detection rules. The stack also supports SBOMs in CycloneDX and SPDX formats, with strong interoperability across standards such as PURL, VERS, CSAF, OpenVEX, OSV, and MITRE CVE.
The official materials clearly state that AboutCode software is open source, mostly under Apache-2.0. Its data is open as well, mainly under CC-BY-SA-4.0, and can be accessed via public APIs. ScanCode.io is typically run in Docker containers, and VulnerableCode also provides tooling for building your own instance, which makes the stack suitable for enterprise intranets and private deployments. No commercial plans are listed, so overall it is best viewed as primarily free and open source. DejaCode mentions free trial accounts, but pricing is not disclosed.
Its strengths are openness and strong standards support, which help avoid vendor lock-in. Its data models for licenses, vulnerabilities, SBOMs, and package identifiers are relatively complete. The community has 700+ contributors, and its components are widely adopted by both open-source and commercial SCA tools. The downsides are that the ecosystem contains many projects, so an initial rollout requires understanding the boundaries between components, and that unified commercial support, SLAs, hosted services, and payment methods are not clearly described in the official content.
AboutCode is well suited to OSPOs, legal and compliance teams, security teams, platform engineering teams, and organizations that want to build their own software supply chain data platform. If you simply want a ready-to-use SaaS product, Snyk, Sonatype, Mend, Black Duck, and similar options may be easier to adopt. Access from mainland China is not discussed in the official materials. Since community channels may involve GitHub, Slack, Google Meet, and similar services, network availability could be uncertain. Before formal adoption, teams should test access to the official website, the public APIs, container images, and dependency downloads.
⚠ This review is compiled from public sources and does not constitute a purchase recommendation. Verify all facts on the vendor's official site, aboutcode.org.
aboutcode.org is a United States security provider. TG4G tracks its product information, an overall rating of 7.0/10, and a China-accessibility rating of "China direct-connect friendly".