Fast, portable and reliable dependency analysis for any codebase. Supports license reporting, large monoliths and polyglot projects. Integrates with 20+ build systems.

FOSSA

fossa-cli - Fast, portable and reliable dependency analysis for any codebase.

Background

fossa analyzes complex codebases to generate dependency reports and license notices. By leveraging existing build environments, it can generate fast and highly-accurate results.

Features:

  • Supports 20+ languages & environments (JavaScript, Java, Ruby, Python, Golang, PHP, .NET, etc...)
  • Auto-configures for monoliths; instantly handles multiple builds in large codebases
  • Fast & portable; a cross-platform binary you can drop into CI or dev machines
  • Generates offline documentation for license notices & third-party attributions
  • Tests dependencies against license violations, audits and vulnerabilities (coming soon!) by integrating with https://fossa.io

Click here to learn more about the reasons and technical details behind this project.

Installation

Install on MacOS (Darwin) or Linux amd64 using curl:

curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install.sh | bash

Install on Windows using cmd.exe:

@"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/fossas/fossa-cli/master/install.ps1'))"

These commands will execute scripts to fetch and install the latest Github Release.

Quick Start

Run fossa -o in your repo directory to output a dependency report in JSON:

[
  {
    "Name": "fossa-cli",
    "Type": "golang",
    "Manifest": "github.com/fossas/fossa-cli/cmd/fossa",
    "Build": {
      "Dependencies": [
        {
          "locator": "go+github.com/rhysd/go-github-selfupdate$d5c53b8d0552a7bf6b36457cd458d27c80e0210b",
          "data": {
            "name": "github.com/rhysd/go-github-selfupdate",
            "version": "d5c53b8d0552a7bf6b36457cd458d27c80e0210b"
          }
        },
        ...
      ],
      ...
    }
  },
  ...
]

Run fossa and provide a FOSSA API Key to get a rich, hosted report:

export FOSSA_API_KEY="YOUR_API_KEY_HERE"

# Now, you can just run `fossa`!
fossa

# Output:
# ==========================================================
#
#    View FOSSA Report: https://app.fossa.io/{YOUR_LINK}
#
# ==========================================================

Configuration

Initialize configuration and scan for supported modules:

fossa init # writes to `.fossa.yml`

This will initialize a .fossa.yml file that looks like this:

version: 1

cli:
  server: https://app.fossa.io
  project: github.com/fossas/fossa-cli

analyze:
  modules:
    - name: fossa-cli
      path: ./cmd/fossa
      type: go

# ...

Check out our User Guide to learn about editing this file.

After configuration, you can now preview and upload new results:

# Run FOSSA analysis and preview the results we're going to upload
fossa -o

# Run FOSSA and upload results
# Going forward, you only need to run this one-liner
FOSSA_API_KEY=YOUR_API_KEY_HERE fossa

Integrating with CI

Testing for License Violations

If you've integrated with https://fossa.io, you can use fossa test to fail builds against your FOSSA scan status.

# Exit with a failing status and dump an issue report to stderr
# if your project fails its license scan
FOSSA_API_KEY=YOUR_API_KEY_HERE fossa test

# Output:
# --------------------------
# - exit status (1)
#
# * FOSSA discovered 7 license issue(s) in your dependencies:
#
# UNLICENSED_DEPENDENCY (3)
# * pod+FBSnapshotTestCase$1.8.1
# * pod+FBSnapshotTestCase$2.1.4
# * pod+Then$2.1.0
#
# POLICY_FLAG (4)
# * mvn+com.fasterxml.jackson.core:jackson-core$2.2.3
# * npm+xmldom$0.1.27
# * pod+UICKeyChainStore$1.0.5
# * gem+json$1.7.7
#
# ✖ FOSSA license scan failed: 7 issue(s) found.
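The two outputs shown above, the `fossa -o` JSON report from the Quick Start section and the `fossa test` issue listing, are what a CI job actually has to consume. The following Python is an added example and not part of fossa-cli; it parses both shapes from constructed samples that mirror the README, diffs the report against a (constructed) baseline to surface newly introduced dependencies, groups `fossa test` issues by category and ecosystem, and maps each flagged locator back to the module that pulled it in. The locator grammar `<fetcher>+<package>$<revision>` is inferred from the samples on this page, and the function names are this example's own.

```python
"""Consume fossa-cli output in CI (added example, not fossa-cli code).

Samples below are constructed to match the shapes the README shows; the
locator grammar '<fetcher>+<package>$<revision>' is inferred from them."""
import json
import re
from collections import defaultdict

# Constructed `fossa -o` report: one entry per module, as fossa emits it.
SAMPLE_REPORT = json.dumps([
    {"Name": "fossa-cli", "Type": "golang",
     "Manifest": "github.com/fossas/fossa-cli/cmd/fossa",
     "Build": {"Dependencies": [
         {"locator": "go+github.com/rhysd/go-github-selfupdate$d5c53b8d0552a7bf6b36457cd458d27c80e0210b",
          "data": {"name": "github.com/rhysd/go-github-selfupdate",
                   "version": "d5c53b8d0552a7bf6b36457cd458d27c80e0210b"}},
         {"locator": "go+github.com/example/lib$v1.2.0",  # constructed
          "data": {"name": "github.com/example/lib", "version": "v1.2.0"}}]}},
    {"Name": "web", "Type": "nodejs", "Manifest": "web/package.json",  # constructed
     "Build": {"Dependencies": [
         {"locator": "npm+xmldom$0.1.27",
          "data": {"name": "xmldom", "version": "0.1.27"}}]}},
])

# Constructed baseline: locators seen in the previous green build.
BASELINE_LOCATORS = {
    "go+github.com/rhysd/go-github-selfupdate$d5c53b8d0552a7bf6b36457cd458d27c80e0210b",
}

# Constructed `fossa test` stderr, following the README's format.
SAMPLE_TEST_OUTPUT = """\
--------------------------
- exit status (1)

* FOSSA discovered 7 license issue(s) in your dependencies:

UNLICENSED_DEPENDENCY (3)
* pod+FBSnapshotTestCase$1.8.1
* pod+FBSnapshotTestCase$2.1.4
* pod+Then$2.1.0

POLICY_FLAG (4)
* mvn+com.fasterxml.jackson.core:jackson-core$2.2.3
* npm+xmldom$0.1.27
* pod+UICKeyChainStore$1.0.5
* gem+json$1.7.7

✖ FOSSA license scan failed: 7 issue(s) found.
"""

HEADER_RE = re.compile(r"^([A-Z_]+) \((\d+)\)$")          # e.g. "POLICY_FLAG (4)"
TOTAL_RE = re.compile(r"discovered (\d+) license issue\(s\)")


def parse_locator(locator):
    """Split 'fetcher+package$revision'; the package may contain ':' or '/'."""
    fetcher, sep, rest = locator.partition("+")
    if not sep:
        raise ValueError("locator lacks a fetcher prefix: %r" % locator)
    package, sep, revision = rest.rpartition("$")
    if not sep:
        raise ValueError("locator lacks a revision: %r" % locator)
    return fetcher, package, revision


def report_locators(report_json):
    """Map each module name in a `fossa -o` report to its set of dependency locators."""
    modules = {}
    for module in json.loads(report_json):
        deps = module.get("Build", {}).get("Dependencies", [])
        modules[module["Name"]] = {d["locator"] for d in deps}
    return modules


def new_dependencies(report_json, baseline):
    """Per module, the locators this build resolved that the baseline did not have."""
    return {name: sorted(locs - baseline)
            for name, locs in report_locators(report_json).items()}


def parse_test_output(text):
    """Group the `fossa test` listing as {category: [locator, ...]} and check the total."""
    issues, current, declared_total = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        m = TOTAL_RE.search(line)
        if m:
            declared_total = int(m.group(1))
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            issues[current] = []
        elif current and line.startswith("* "):
            issues[current].append(line[2:])
        elif not line:
            current = None            # a blank line closes the category block
    found = sum(len(v) for v in issues.values())
    if declared_total is not None and found != declared_total:
        raise ValueError("parsed %d issues but FOSSA reported %d" % (found, declared_total))
    return issues


def issues_by_fetcher(issues):
    """Count flagged locators per ecosystem (the fetcher prefix: npm, mvn, gem, ...)."""
    counts = defaultdict(int)
    for locators in issues.values():
        for loc in locators:
            counts[parse_locator(loc)[0]] += 1
    return dict(counts)


def blame_modules(issues, modules):
    """For each flagged locator that appears in the report, list the modules that pull it in."""
    flagged = {loc for locators in issues.values() for loc in locators}
    return {loc: sorted(n for n, locs in modules.items() if loc in locs)
            for loc in sorted(flagged) if any(loc in locs for locs in modules.values())}


if __name__ == "__main__":
    print("new since baseline:", new_dependencies(SAMPLE_REPORT, BASELINE_LOCATORS))
    found = parse_test_output(SAMPLE_TEST_OUTPUT)
    print("issues by ecosystem:", issues_by_fetcher(found))
    print("flagged deps by module:", blame_modules(found, report_locators(SAMPLE_REPORT)))
```

In a real pipeline the two samples would be replaced by `fossa -o` stdout and the stderr captured from `fossa test`; the baseline set would be the locator list stored from the last passing build, so the job can report a newly introduced dependency in the same step that reports a license issue.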

Generating License Notices

To generate a license notice with each CI build, you can use the fossa report command:

# write a license notice to NOTICE.txt
fossa report --type licenses > NOTICE.txt

See this repo's NOTICE file for an example.

License data is provided by https://fossa.io's 500GB open source registry.

Reference

Check out the User Guide for more details.

Development

View our Contribution Guidelines to get started.

Join our public Slack Channel.

If you're in San Francisco, come to our monthly Open Source Happy Hour to meet us F2F!

License

fossa is Open Source and licensed under the MPL-2.0.

You are free to use fossa for commercial or personal purposes. Enjoy!
