mcp-semclone
Verified Safe by SemClone
Overview
Provides LLMs with comprehensive Open Source Software (OSS) compliance, license management, and software supply chain security capabilities, including vulnerability analysis, SBOM generation, and policy validation.
Installation
mcp-semclone
Environment Variables
- GITHUB_TOKEN
- NVD_API_KEY
- PURL2NOTICES_PATH
- OSSLILI_PATH
- BINARYSNIFFER_PATH
- VULNQ_PATH
- OSPAC_PATH
- UPMEX_PATH
- MCP_LOG_LEVEL
Security Notes
The server orchestrates external SEMCL.ONE CLI tools via `subprocess.run`. Arguments are passed as lists rather than through a shell, which mitigates shell injection within the Python wrapper itself, but overall security depends heavily on the robustness of those external tools and on how they handle user-provided arguments. The `download_and_scan_package` tool downloads package artifacts from public registries, which introduces supply-chain risk; it notes checksum verification 'when available', implying that verification is not performed for every download. There are no direct `eval` calls or hardcoded credentials in the server's Python code. File operations on user-provided paths also warrant careful monitoring and sandboxing.
Similar Servers
code-index-mcp
Intelligent code indexing and analysis for Large Language Models, enabling tasks such as code review, refactoring, documentation generation, debugging assistance, and architectural analysis.
dependency-management-mcp-server
Connects AI assistants to Sonatype's dependency management and security intelligence platform for real-time insights into open source security, license compliance, and dependency health within the development workflow.
VibeShift
VibeShift is an intelligent security agent that integrates with AI coding assistants to analyze AI-generated code for vulnerabilities, suggest remediations, and facilitate web test recording, crawling, and execution.
codebase-context
Provides AI coding agents with real-time, context-rich insights into a codebase's patterns, libraries, architecture, and conventions to improve code generation quality and alignment with team standards.