
SemClone/ossval

OSSVAL - Open Source Software Valuation


Calculate the development cost savings from using open source software by analyzing SBOMs or package lists. Cost estimation uses the COCOMO II and SLOCCount models, combined with regional salary data, project type detection, and source code analysis.

Features

  • Multi-Ecosystem Support: PyPI, npm, Cargo, Maven, Go, RubyGems, and more
  • Cost Estimation Models: COCOMO II and SLOCCount with configurable parameters
  • Regional Salary Data: 18+ regions with accurate cost calculations
  • Project Type Detection: Automatic classification with appropriate multipliers
  • Source Code Analysis: SLOC counting, complexity analysis, and health metrics
  • Multiple Input Formats: SBOMs (CycloneDX, SPDX) and lockfiles (requirements.txt, package.json, etc.)
  • Comprehensive Output: Text, JSON, and CSV formats with detailed breakdowns

Installation

pip install ossval

Quick Start

# Analyze an SBOM file
ossval analyze sbom.json

# Specify region for salary calculations
ossval analyze sbom.json --region us_sf

# Output to JSON
ossval analyze sbom.json --format json --output results.json

# Quick estimate from SLOC
ossval estimate --sloc 50000 --region us_sf --type compiler

Usage

CLI Usage

# Analyze an SBOM or lockfile
ossval analyze pyproject.toml

# With specific region
ossval analyze package.json --region us_sf

# Output formats
ossval analyze sbom.json --format json --output results.json

# Skip repository cloning (faster, but no SLOC analysis)
ossval analyze sbom.json --no-clone

# List supported formats and configurations
ossval formats list              # Show all supported input formats
ossval formats project-types     # Show project types with cost multipliers
ossval formats methodologies     # Show available cost estimation models

# Cache management
ossval cache clear
ossval cache info

Examples

Analyze Python Project

ossval analyze pyproject.toml --region global_average

Analyze npm Project

ossval analyze package-lock.json --format json --output npm-analysis.json

Compare Regions

ossval analyze sbom.json --region us_sf > us_sf_results.txt
ossval analyze sbom.json --region global_average > global_results.txt

Quick Cost Estimate

ossval estimate --sloc 100000 --region us_sf --type framework
# Output:
# Estimated cost: $16,754,251
#   Range: $11,727,975 - $25,131,376
#   Effort: 22.1 person-years
#   Methodology: COCOMO II

Integration with SEMCL.ONE

OSSVAL is a core component of the SEMCL.ONE ecosystem, enabling comprehensive OSS valuation and cost analysis:

  • Works with purl2src for repository URL discovery from Package URLs
  • Integrates with purl2notices for complete legal compliance workflows
  • Supports SBOM analysis from CycloneDX and SPDX formats
  • Complements osslili for license analysis and compliance checking

Methodology

Cost Estimation Models

COCOMO II (Primary)

The most sophisticated model, based on Barry Boehm's COCOMO II:

  • Effort Formula: Effort = a × (KSLOC)^b × EAF × Complexity × Project_Type
  • Cost Formula: Cost = Effort × Monthly_Salary × Region_Multiplier
  • Default Parameters: a=2.94, b=1.0997, EAF=1.0
  • Confidence Range: 70%-150% of estimate
  • Accounts for: Project type, complexity, team experience

SLOCCount (Alternative)

A simpler model based on David Wheeler's SLOCCount:

  • Effort Formula: Effort = a × (KSLOC)^b
  • Default Parameters: a=2.4, b=1.05
  • Faster but less sophisticated
  • Lower confidence scores

Project Types and Multipliers

OSSVAL automatically detects project types and applies appropriate cost multipliers:

Project Type       Salary Multiplier  Effort Multiplier  Examples
Cryptography       1.60x              1.26x              openssl, libsodium, bcrypt
Operating System   1.50x              1.22x              kernel, drivers, firmware
Compiler           1.50x              1.22x              gcc, llvm, babel, typescript
Database           1.40x              1.18x              postgres, mysql, redis, mongo
Machine Learning   1.40x              1.18x              tensorflow, pytorch, sklearn
Graphics           1.30x              1.14x              opengl, vulkan, game engines
Embedded           1.25x              1.12x              firmware, rtos, iot, arduino
Networking         1.20x              1.10x              http, grpc, websocket, proxy
Scientific         1.20x              1.10x              scipy, numpy, pandas, matplotlib
Framework          1.15x              1.07x              react, django, rails, spring
DevTools           1.10x              1.05x              linters, formatters, bundlers
Library            1.00x              1.00x              (baseline)
Script             0.70x              0.84x              utilities, helpers, cli tools

Complexity Levels

Code complexity affects cost estimates:

  • Trivial: 0.7x multiplier
  • Simple: 0.9x multiplier
  • Moderate: 1.0x multiplier (baseline)
  • Complex: 1.3x multiplier
  • Very Complex: 1.7x multiplier
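The following is an added example (not ossval's own code) that wires the two effort formulas, the project-type table and the complexity levels above into one cost estimate. The README does not publish its monthly salary or region multiplier data, so the two REGIONS rows are constructed placeholders and the resulting dollar figures will not match the sample run in the Examples section.

```python
from dataclasses import dataclass
# Project type -> (salary multiplier, effort multiplier), from the README table.
PROJECT_TYPES = {
    "cryptography": (1.60, 1.26), "operating_system": (1.50, 1.22),
    "compiler": (1.50, 1.22), "database": (1.40, 1.18),
    "machine_learning": (1.40, 1.18), "graphics": (1.30, 1.14),
    "embedded": (1.25, 1.12), "networking": (1.20, 1.10),
    "scientific": (1.20, 1.10), "framework": (1.15, 1.07),
    "devtools": (1.10, 1.05), "library": (1.00, 1.00), "script": (0.70, 0.84),
}
COMPLEXITY = {"trivial": 0.7, "simple": 0.9, "moderate": 1.0,
              "complex": 1.3, "very_complex": 1.7}
# Region -> (monthly salary in USD, region multiplier). The README does not
# publish its salary data, so these two rows are constructed placeholders.
REGIONS = {"us_sf": (15000.0, 1.0), "global_average": (6000.0, 1.0)}

@dataclass
class Estimate:
    effort_pm: float   # person-months
    cost: float        # point estimate in USD
    low: float         # 70% of estimate (README confidence range)
    high: float        # 150% of estimate
    methodology: str

def cocomo2_effort(sloc, project_type="library", complexity="moderate",
                   a=2.94, b=1.0997, eaf=1.0):
    """Effort = a * KSLOC^b * EAF * Complexity * Project_Type (person-months)."""
    _, effort_mult = PROJECT_TYPES[project_type]
    return a * (sloc / 1000.0) ** b * eaf * COMPLEXITY[complexity] * effort_mult

def sloccount_effort(sloc, a=2.4, b=1.05):
    """Effort = a * KSLOC^b, the simpler SLOCCount model."""
    return a * (sloc / 1000.0) ** b

def estimate_cost(sloc, region, project_type="library", complexity="moderate",
                  methodology="cocomo2"):
    """Cost = Effort * Monthly_Salary * Region_Multiplier. Applying the type's
    salary multiplier to the monthly salary is my reading of the table."""
    salary_mult, _ = PROJECT_TYPES[project_type]
    monthly_salary, region_mult = REGIONS[region]
    effort = (cocomo2_effort(sloc, project_type, complexity)
              if methodology == "cocomo2" else sloccount_effort(sloc))
    cost = effort * monthly_salary * salary_mult * region_mult
    return Estimate(effort, cost, 0.7 * cost, 1.5 * cost, methodology)

if __name__ == "__main__":
    e = estimate_cost(100_000, "us_sf", "framework")
    print(f"Estimated cost: ${e.cost:,.0f} (range ${e.low:,.0f} - ${e.high:,.0f})")
    print(f"Effort: {e.effort_pm / 12:.1f} person-years, {e.methodology}")
```

Because b is greater than 1 in both models, effort grows faster than linearly with size, so splitting one large package into two halves lowers the estimate; keep that in mind when comparing per-package figures.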

Contributing

We welcome contributions! Please see the repository for details on:

  • Development setup
  • Submitting pull requests
  • Reporting issues

Support

For support and questions:

License

Apache License 2.0 - see LICENSE file for details.


Part of the SEMCL.ONE ecosystem for comprehensive OSS compliance and code analysis.
