mcp-semclone

mcp-semclone - Model Context Protocol Server for SEMCL.ONE

Installation
Run this command in your terminal to add the MCP server to Claude Code.
claude mcp add --transport stdio semclone-mcp-semclone -- python -m mcp_semclone

How to use

mcp-semclone is an MCP server that wraps the SEMCL.ONE toolchain to provide LLMs with OSS compliance, vulnerability analysis, and SBOM generation capabilities. It exposes tools for scanning codebases and binaries, validating licenses, generating SBOMs, and performing comprehensive policy checks. Typical workflows include scanning a project directory for licenses and vulnerabilities, analyzing a binary to identify OSS components, generating legal notices, and validating licenses against organizational policies. Once the server is running, you can invoke its CLI or integrate it with MCP clients to drive automated compliance checks, vulnerability assessments, SBOM generation, and policy validation within your LLM-enabled workflows.

How to install

Prerequisites:

  • Python 3.10+ and a valid Python environment
  • Internet access to install the package from PyPI
  • Optional: pipx if you want isolated, globally accessible CLI tools

Install the MCP server:

# Basic installation (installs the MCP server and all SEMCL.ONE tooling as Python packages)
pip install mcp-semclone

Option 1: Run directly with Python (recommended for quick setup):

python -m mcp_semclone

Option 2: Install with pipx for global access (recommended for long-running setups):

# Install pipx if needed
python -m pip install --user pipx
python -m pipx ensurepath

# Install the MCP server in an isolated environment
pipx install mcp-semclone

# Inject SEMCL.ONE tools into the same environment (optional but recommended for CLI access)
pipx inject mcp-semclone purl2notices purl2src osslili binarysniffer ospac vulnq upmex --include-apps

Configuration (optional):

  • Set environment variables for API keys or custom tool paths as described in the README (e.g., GITHUB_TOKEN, NVD_API_KEY, PURL2NOTICES_PATH, etc.).
  • If tools are not in PATH, point to their locations using the corresponding environment variables.

Run the server:

python -m mcp_semclone

Additional notes

Notes and tips:

  • The server exposes a rich set of tools under the SEMCL.ONE umbrella; typical commands include: scan_directory, scan_binary, check_package, download_and_scan_package, generate_legal_notices, generate_sbom, validate_policy, and run_compliance_check.
  • For best results, install the SEMCL.ONE dependencies in a single environment (especially when using pipx inject) to ensure all CLI tools are accessible.
  • If you encounter PATH or tool-detection issues, use the optional environment variables described in the README to explicitly point to the tool executables.
  • For IDE integrations or agent workflows, you can rely on the provided prompts and workflows to guide license compliance, vulnerability assessments, and SBOM generation.
  • Remember to consider rate limits and API keys (e.g., NVD, GitHub) if you rely on external data sources for vulnerability scanning or license metadata.
