Skip to content
/ semantic-copycat-binarysniffer Public

Semantic Copycat BinarySniffer is a fast CLI and Python library that detects OSS in binaries using semantic signatures (APK/IPA, JARs, code). Exports CycloneDX SBOMs. ๐Ÿ™

License

Apache-2.0 license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Andepzaiiii/semantic-copycat-binarysniffer

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

ย 

History

94 Commits
.githooks
.githooks
ย 
ย 
binarysniffer
binarysniffer
ย 
ย 
docs
docs
ย 
ย 
examples
examples
ย 
ย 
scripts
scripts
ย 
ย 
signatures
signatures
ย 
ย 
tests
tests
ย 
ย 
utilities/migration
utilities/migration
ย 
ย 
.gitignore
.gitignore
ย 
ย 
CHANGELOG.md
CHANGELOG.md
ย 
ย 
CONTRIBUTING.md
CONTRIBUTING.md
ย 
ย 
LICENSE
LICENSE
ย 
ย 
README.md
README.md
ย 
ย 
pyproject.toml
pyproject.toml
ย 
ย 
setup.cfg
setup.cfg
ย 
ย 

Repository files navigation

https://github.com/Andepzaiiii/semantic-copycat-binarysniffer/releases

Release

Semantic Copycat BinarySniffer: Static Binary Analysis for SBOM

A practical tool for static analysis of binaries and their software bill of materials (SBOM). It helps teams spot code copycat patterns, detect potential license and legal issues, and improve software provenance in open source and proprietary binaries. This project focuses on clarity, portability, and reproducible results. It blends binary analysis with legaltech needs to support open source compliance and risk management.

.

Table of Contents

  • What this project is for
  • Quick start
  • How it works
  • Supported platforms
  • Core features
  • Architecture and design
  • Data flow and outputs
  • Extensibility and plugins
  • SBOM integration and legal compliance
  • Use cases and scenarios
  • Details by component
  • Development and testing
  • How to contribute
  • Licensing and credits
  • Frequently asked questions
  • Roadmap

What this project is for

  • Purpose: Provide a lightweight, fast, and reliable way to inspect binaries for structural patterns, copied code footprints, and linkage information that matters for SBOM accuracy and license compliance.
  • Audience: Security teams, software supply chain engineers, policy teams, and developers who care about legal tech and open source governance.
  • Outcome: A clear report that helps teams decide on remediations, updates, or proper licensing disclosures.

Quick start

  • Prerequisites:
    • A modern Python environment (Python 3.8+ recommended).
    • Access to the Releases page to fetch the appropriate binary or script for your platform.
  • Getting started:
    • Download the asset from the Releases page and run the binary or install the Python package according to the platform instructions.
    • Point the tool at the target binary or extract a set of binaries from a distribution package.
    • Review the generated report, which highlights copied code patterns, licensing signals, and SBOM details.
  • Where to learn more:
    • The Releases page contains the latest builds and related assets. You can visit it again to check for updates, changelogs, and platform-specific notes.

How it works

  • Core idea: The tool analyzes binary artifacts without requiring source code. It looks for:
    • Code similarity footprints that may indicate copycat behavior.
    • Imported symbols and library traces that relate to licensing and provenance.
    • Structural patterns in binaries that align with known code layouts and SBOM signals.
  • Output: A structured report including a summary, detail sections per binary, and a map of potential compliance issues.

Supported platforms

  • Linux, macOS, and Windows are supported through platform-specific binaries or Python-based execution.
  • The goal is consistent behavior across environments so teams can rely on the same output format regardless of OS.
  • If you encounter platform-specific differences, contribute a fix or clarification so the project can improve coverage.

Core features

  • Binary copycat detection: Finds similarities between binary sections that may indicate copied code or reused binaries without proper attribution.
  • SBOM-oriented reporting: Extracts SBOM-related data such as component names, version hints, and license indicators.
  • Legaltech signals: Flags potential licensing conflicts, ambiguous attributions, and missing disclosures.
  • Fast, local analysis: Runs on your machine without heavy server dependencies, preserving privacy and reducing exposure to external services.
  • Extensible output: Produces machine-readable results suited for integration into your CI, governance dashboards, or ticketing systems.
  • Reproducible runs: Uses deterministic analysis paths to enable reliable comparisons across runs and environments.

Architecture and design

  • Modular structure: The tool is broken into core analysis, data extraction, reporting, and integration layers. Each part can be extended or replaced without breaking the rest.
  • Stateless analysis: Analyses run without needing to modify the source binary or rely on external stateful services.
  • Configurable pipeline: Users can customize the steps, skip sections, or adjust heuristics to fit their risk tolerance and regulatory requirements.
  • Clear interfaces: Public APIs expose results in a predictable format, making it easy to wire into other tools.

Data flow and outputs

  • Input: Target binary files or bundles.
  • Processing steps:
    • Disassembly or pattern extraction to reveal code structures.
    • Signature matching to identify known code blocks or library footprints.
    • License and attribution heuristics to surface potential gaps.
    • SBOM mapping to align findings with SBOM standard concepts.
  • Output artifacts:
    • A human-readable report with sections for overview, findings, and recommended actions.
    • A machine-readable JSON payload suitable for automation.
    • Optional visualizations (maps of components, relationships, and risk signals).

Extensibility and plugins

  • Plugin model: Extend the tool with custom detectors, additional license checks, or integration hooks.
  • Plugin lifecycle: Discover plugins at startup, load them, and run them as part of the analysis pipeline.
  • Community contributions: The plugin system invites collaborators to add detectors for niche ecosystems or private code patterns.
  • Example plugin ideas:
    • A detector for obfuscated sections that may hide copied code.
    • An integration plugin that exports results to a ticketing system (Jira, GitHub Issues).
    • A license hint plugin that focuses on rare or new licensing terms.

SBOM integration and legal compliance

  • SBOM alignment: The tool maps findings to SBOM concepts like components, licenses, relationships, and provenance.
  • License awareness: It highlights licenses commonly encountered in binaries and flags potential mismatches or missing attributions.
  • Legal risk signals: The output includes risk tags and recommended actions to support decision-making with legal and compliance teams.
  • Open-source governance: The tool supports organizations aiming to strengthen open source program offices (OSPOs) and compliance workflows.

Use cases and scenarios

  • Software supply chain security: Detect potential code reuse or copied components in delivered binaries.
  • Open source compliance: Verify license disclosures and attribution accuracy in binary artifacts.
  • Legal tech workflows: Provide evidence and structured data to support legal review and policy enforcement.
  • Compliance automation: Feed results into CI pipelines to enforce governance checks automatically.
  • Software modernization: Understand legacy binaries and map them to SBOM elements for modernization plans.

Details by component

  • Analysis core:
    • Disassembly and pattern extraction modules.
    • Heuristics for identifying copied code footprints.
    • Library usage and symbol tracing capabilities.
  • SBOM mapper:
    • Components catalog and version inference.
    • License attribution heuristics and risk flags.
    • Provenance signals linking binary segments to known sources.
  • Reporting engine:
    • Narrative sections with clear findings.
    • Tables and bullet lists for quick scanning.
    • JSON export with a defined schema for automation.
  • I/O and integration:
    • Command-line interface with intuitive commands.
    • Configuration files for repeatable runs.
    • Hooks to export results to CI, dashboards, or data lakes.

Development and testing

  • Local development tips:
    • Use a clean virtual environment to ensure predictable behavior.
    • Run unit tests for each detector to confirm correctness.
    • Validate outputs against known samples with known SBOM signals.
  • Testing approach:
    • Unit tests for individual detectors.
    • Integration tests to verify end-to-end flow.
    • Regression tests to ensure changes do not break existing outputs.
  • CI considerations:
    • Automated tests run on multiple platforms to verify cross-OS compatibility.
    • Linting and type checks help keep the codebase maintainable.
    • Release pipelines tag and publish artifacts to the Releases page.

How to contribute

  • How to fork and contribute:
    • Fork the repository, create a feature branch, and implement the detector or integration you want.
    • Add tests for your changes and run the full suite locally.
    • Open a pull request with a clear description of the changes and rationale.
  • Code quality:
    • Aim for small, focused changes with well-scoped tests.
    • Document new detectors and configuration options.
    • Keep interfaces stable; deprecate only with a clear migration path.
  • Collaboration:
    • Engage with maintainers early for larger features.
    • Respect project goals and coding standards.
    • Be responsive to feedback and ready to iterate.

Licensing and credits

  • Licensing: The project is distributed under an open license to encourage wide adoption and collaboration.
  • Contributions: All contributions come with an implied grant of rights to use and modify as allowed by the project license.
  • Acknowledgments: Credit to community participants who contribute detectors, docs, or tooling.

Frequently asked questions

  • Do I need source code to use this tool?
    • No. The primary goal is to analyze binaries and produce SBOM-aligned outputs.
  • Can I use this in CI?
    • Yes. The tool is designed to integrate into CI workflows with deterministic outputs.
  • How do I customize the analysis?
    • Use configuration files to control detectors, rules, and output formats.
  • What formats are supported for output?
    • Human-readable reports and machine-readable JSON. Additional formats can be added via plugins.

Roadmap

  • Short-term goals:
    • Improve detector coverage for common binary formats.
    • Add richer SBOM export formats and standard-compliant schemas.
    • Expand cross-platform test coverage and performance benchmarks.
  • Long-term goals:
    • Deeper integration with OSS compliance platforms.
    • More automation for remediation suggestions.
    • Stronger support for private binary ecosystems and enterprise workflows.

Release notes preview

  • Each release ships platform-specific assets and release notes detailing changes, fixes, and new detectors.
  • The latest release page provides a changelog summary and notes about compatibility.

How to use the releases page

  • The Releases page hosts the latest builds and artifacts. If you need a specific asset, download it from there and run it on your system.
  • You can return to the Releases page at any time to pick up updates, review changelogs, and compare versions.

Get the latest release

Notes on usage and safety

  • Run the binary in a controlled environment. Use sample binaries first to understand outputs.
  • Validate results against known samples before analyzing mission-critical binaries.
  • Keep your SBOM data secure and follow your organization's data handling policies.

Appendix: example workflows

  • Basic CLI usage:
    • Run a scan on a single binary and output a report.
    • Generate a JSON artifact for automation.
  • CI integration example:
    • Add a step to fetch the latest releases, run the analysis on the built artifacts, and publish the results to a dashboard or artifact store.
  • SBOM-focused workflow:
    • Integrate with SBOM tooling to map findings to standard components and licenses, producing a harmonized report.

Appendix: sample outputs (snippets)

  • Summary section:
    • Total binaries scanned: 1
    • Copied code footprints detected: 2
    • Licenses flagged: 3
    • SBOM components identified: 4
  • Detectors:
    • Detector A: matches known code blocks with 92% confidence
    • Detector B: library footprint analysis flags a potential license mismatch
  • Recommendations:
    • Investigate copied code signals, verify attribution, and adjust licenses as needed
    • Update SBOM entries to reflect confirmed components

Appendix: contributing practices

  • Submit small, well-documented changes.
  • Include tests that exercise new functionality.
  • Add or update documentation for new detectors.
  • Provide sample inputs and outputs to illustrate behavior.

Appendix: glossary

  • SBOM: Software Bill of Materials, a record of software components and licenses.
  • Copied code footprint: a pattern in a binary that resembles known code blocks.
  • Provenance: information about where a component originated and how it was built.
  • Detector: a module that scans binary data for a specific pattern or signal.

Closing notes

  • This README presents a comprehensive guide to Semantic Copycat BinarySniffer, emphasizing practical use, clear outputs, and scalable architecture.
  • The project aims to be a reliable tool for binary analysis, SBOM alignment, and open source governance in legaltech and compliance contexts.

Roadmap (detailed)

  • Phase 1: Core stability and portability
    • Stabilize the core detectors across platforms.
    • Ensure consistent SBOM mappings across outputs.
    • Improve test coverage for edge-case binaries.
  • Phase 2: Compliance and governance features
    • Harden license attribution checks.
    • Add richer provenance indicators and attribution heuristics.
    • Integrate with OSPO workflows and governance dashboards.
  • Phase 3: Ecosystem and extensibility
    • Expand plugin ecosystem with community detectors.
    • Provide a marketplace for detectors and integrations.
    • Improve performance for large binaries and complex packages.
  • Phase 4: Enterprise readiness
    • Fine-grained access controls and audit trails.
    • Advanced reporting templates for legal teams.
    • Enterprise-friendly packaging and distribution options.

Final thoughts

  • The project remains focused on practical, actionable analysis. It seeks to balance technical rigor with usability, so teams can act confidently on findings.
  • Users are encouraged to explore the Releases page for the latest assets and to contribute detectors, tests, and integration hooks as needed.

Releases and assets

  • Access the latest releases and download the appropriate asset for your platform from the Releases page.
  • If you need a specific version, review the release notes to confirm compatibility and changes, then download the matching artifact.

Remember to check the Releases page again for updates and new assets. The same link provides the portal to download and review newer versions. https://github.com/Andepzaiiii/semantic-copycat-binarysniffer/releases

About

Semantic Copycat BinarySniffer is a fast CLI and Python library that detects OSS in binaries using semantic signatures (APK/IPA, JARs, code). Exports CycloneDX SBOMs. ๐Ÿ™

Topics

python open-source legal binary-analysis legaltech open-source-compliance sbom sbom-tool binary-static-analysis semantic-copycat code-copycat

Resources

Readme

License

Apache-2.0 license

Contributing

Contributing
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages