download_and_scan_package
Download package source from registries and scan all files for embedded licenses and copyrights, providing comprehensive analysis beyond metadata.
Instructions
Download package source from registry and perform comprehensive analysis.
⚠️ IMPORTANT: This tool CAN and WILL download source code from package registries!
Workflow (tries methods in order until sufficient data is collected):
Primary: Use purl2notices to download and analyze (fastest, most comprehensive)
Deep scan: If incomplete, use purl2src to get download URL → download artifact → run osslili for deep license scanning + upmex for metadata
Maven-specific: If license still missing for Maven packages, uses upmex with --registry --api clearlydefined to resolve parent POM licenses
Online fallback: If still incomplete, use upmex --api clearlydefined/purldb for online metadata
What this tool does:
Downloads the actual package source code from npm/PyPI/Maven/etc registries
Performs comprehensive license and copyright analysis
Extracts package metadata (name, version, homepage, description)
Scans ALL source files for embedded licenses (not just package.json/setup.py/pom.xml)
Returns copyright statements found in actual source code
Maven packages: Automatically resolves parent POM licenses when not declared in package POM
When to use this tool:
Package metadata is incomplete or missing (e.g., "UNKNOWN" license in PyPI)
Need to verify what's ACTUALLY in the package files (not just metadata)
Want to analyze source code directly (not just manifests)
Security auditing - see actual package contents before approval
License compliance - find licenses embedded in source files
Need to extract copyright statements from source code
Real-world example: User asks: "Can you check if duckdb@0.2.3 has license info in the source code?"
PyPI metadata shows "UNKNOWN" license
This tool downloads the actual .whl/.tar.gz from PyPI
Scans ALL files in the package for license information
Finds licenses embedded in source code that aren't in metadata
Returns: {"method_used": "purl2notices", "declared_license": "UNKNOWN", "detected_licenses": ["CC0-1.0"], ...}
Performance:
Primary (purl2notices): 5-15 seconds (fastest)
Deep scan (download + osslili + upmex): 10-30 seconds
Online fallback (upmex --api): 2-5 seconds (but less complete)
Security note:
Downloads are verified against package checksums when available
Files are scanned but NOT executed
Temporary files are cleaned up unless keep_download=True
Args: purl: Package URL (e.g., "pkg:pypi/duckdb@0.2.3", "pkg:npm/express@4.21.2") keep_download: If True, keeps downloaded files for manual inspection (default: False)
Returns: Dictionary containing: - purl: The package URL analyzed - method_used: Which method succeeded ("purl2notices", "deep_scan", "online_fallback") - download_path: Where package was downloaded (if keep_download=True) - metadata: Package metadata (name, version, homepage, etc.) - declared_license: License from package metadata - detected_licenses: List of licenses found by scanning source files - copyright_statements: Copyright statements extracted from source - files_scanned: Number of files analyzed - scan_summary: Summary of what was found
Examples: # Check if package has license info in source code download_and_scan_package(purl="pkg:pypi/duckdb@0.2.3")
# Download and keep files for manual inspection
result = download_and_scan_package(
purl="pkg:npm/suspicious-package@1.0.0",
keep_download=True
)
print(f"Inspect files at: {result['download_path']}")
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| purl | Yes | ||
| keep_download | No |
Output Schema
| Name | Required | Description | Default |
|---|---|---|---|
| result | Yes |