• Stars
    star
    1,268
  • Rank 37,109 (Top 0.8 %)
  • Language
    Haskell
  • License
    Other
  • Created almost 7 years ago
  • Updated about 2 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Fast, portable and reliable dependency analysis for any codebase. Supports license & vulnerability scanning for large monoliths. Language-agnostic; integrates with 20+ build systems.

FOSSA

FOSSA CLI

FOSSA Downloads Build Dependency scan FOSSA Security Status

FOSSA License Status

fossa-cli is a zero-configuration polyglot dependency analysis tool. You can point fossa CLI at any codebase or build, and it will automatically detect dependencies being used by your project.

fossa-cli currently supports automatic dependency analysis for many different build tools and languages. It also has limited support for vendored dependency detection, container scanning, and system dependency detection. These features are still a work in progress. Our goal is to make the FOSSA CLI a universal tool for dependency analysis.

fossa-cli integrates with FOSSA for dependency analysis, license scanning, vulnerability scanning, attribution report generation, and more.

Table of Contents

  1. Installation
  2. Getting Started
  3. User Manual
  4. Reporting Issues
  5. Contributing

Installation

Using the install script

FOSSA CLI provides an install script that downloads the latest release from GitHub Releases for your computer's architecture. You can see the source code and flags at install-latest.sh for Mac and Linux or install-latest.ps1 for Windows.

NOTE: You may need to add the downloaded executable to your $PATH. The installer script will output the installed path of the executable. You can also use -b to pick the installation directory when using install-latest.sh (see the install-latest.sh source code for details).

macOS or 64-bit Linux

curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash

Windows with Powershell

Set-ExecutionPolicy Bypass -Scope Process -Force; iex  ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.ps1'))

Alternatively, install using Scoop:

scoop install fossa

Please refer to detailed walkthrough Installing FOSSA CLI, for installing FOSSA CLI 1.x and using GitHub Releases to install FOSSA CLI manually.

Getting Started

Integrating your project with FOSSA

TL;DR, Linux, Mac, *nix-like

# Download FOSSA.
curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash

# Set your API key. Get this from the FOSSA web application.
export FOSSA_API_KEY=XXXX

# Run an analysis in your project's directory.
cd $MY_PROJECT_DIR
fossa analyze

TL;DR, Windows

# Download FOSSA.
Set-ExecutionPolicy Bypass -Scope Process -Force; iex  ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.ps1'))

# Set your API key. Get this from the FOSSA web application.
$env:FOSSA_API_KEY=XXXX

# Run an analysis in your project's directory.
cd $MY_PROJECT_DIR
fossa analyze

Installing FOSSA CLI

Follow the installation instructions above to install the FOSSA CLI. Once installed, you should have a new binary named fossa available on your $PATH.

Generating an API key

To get started with integrating your project into FOSSA, you'll need to generate an API key. You'll get this API key from the FOSSA web application (app.fossa.com).

Once you have your API key:

export FOSSA_API_KEY=XXXX # Use your API key here.

Running an analysis

Now we can run an analysis. To run an analysis, all you need to do is navigate to your project's directory and run fossa analyze.

NOTE: While fossa will try its best to report available results for any kind of project, you'll get the best results by running in a directory with a working project build. A working build lets us integrate directly with your build tool to identify dependencies, instead of trying to infer dependencies from your source code.

$ cd $MY_PROJECT_DIR # Use your actual project location here.

$ fossa analyze
[ INFO] Using project name: `https://github.com/fossas/fossa-cli`
[ INFO] Using revision: `09ca72e398bb32747b27c0f43731678fa42c3c26`
[ INFO] Using branch: `No branch (detached HEAD)`
[ INFO] ============================================================

      View FOSSA Report:
      https://app.fossa.com/projects/custom+1%2fgithub.com%2ffossas%2ffossa-cli/refs/branch/master/09ca72e398bb32747b27c0f43731678fa42c3c26

  ============================================================

Viewing your results

Once an analysis has been uploaded, you can view your results in the FOSSA web application. You can see your analysis by using the link provided as output by fossa analyze, or by navigating to your project and revision in the FOSSA web application.

What next?

Now that your analysis is complete, there are a couple things you might want to do after an initial integration:

  • Double-check your results. Some analysis methods may produce partial or unexpected results depending on what information was available when you ran the analysis. If something seems wrong, our debugging guide can help you diagnose and debug your integration.

  • Scan for issues and generate a compliance report. Once your analysis is ready, we'll automatically queue an issue scan and report the results in the web application. Once an issue scan is complete, you can also generate a report from the web application.

  • Set up FOSSA in your CI. You can also use your issue scan results as inputs to CI scripts. For GitHub repositories, you can use FOSSA's native GitHub integration to report a status check on your PRs. For other CI integrations, you can also use fossa test to get programmatic issue status in CI.

User Manual

For most users, the FOSSA CLI will work out-of-the-box without any configuration. Just get an API key, run fossa analyze, and view your results in the FOSSA web application.

Users who need advanced customization or features should see the User Manual. Some common topics of interest include:

Reporting Issues

If you've found a bug or need support, the best way to get support is via the FOSSA support portal.

Make sure to include reproduction steps and any relevant project files (e.g. pom.xmls, package.jsons, etc.). Including the output from fossa analyze --debug in the email as well as any relevant fossa files (fossa-deps.json, .fossa.yml) will help expedite a solution.

We'll try to respond to issues opened in this repository on a best-effort basis, but we mostly provide support via the FOSSA support portal.

Contributing

If you're interested in contributing, check out our contributor documentation. PRs are welcome!

More Repositories

1

commons-clause

A license condition for source-available sustainability.
HTML
116
star
2

fossa-action

Find license compliance and security issues in your applications with FOSSA and GitHub Actions.
TypeScript
44
star
3

spectrometer

Flexible, robust, and performant dependency analysis.
Shell
21
star
4

haskell-static-alpine

Statically linked distributions of GHC for building binaries in Docker.
Dockerfile
11
star
5

broker

The bridge between FOSSA and internal services
Rust
7
star
6

fossa-circleci-plugin

circleci script to check for FOSSA scans
JavaScript
5
star
7

srclib-rust

srclib (srclib.org) toolchain for Rust with Cargo package manage support.
Rust
4
star
8

cpp-vsi-demo

C/C++ Demo using Vendored Source Identification (VSI)
Shell
4
star
9

faktory-plugins

Additional middleware for Faktory
Go
4
star
10

mocha-tape-deck

The easiest way to create, manage, and replay http interactions for fast, deterministic tests that can easily become integration tests
TypeScript
4
star
11

values

FOSSA's engineering values.
3
star
12

license-cli

[DEPRECATED] A CLI for running FOSSA license scans across your dependencies, for your termainal or CI.
JavaScript
3
star
13

post_sales_scripts

This repository will contain a host of scripts written by members of the FOSSA Support and Customer Success teams. Most of these scripts have some sort of useful functionality around automating your usage of the FOSSA tool.
Python
3
star
14

example-project-rust

An example Rust project integrated with FOSSA
Rust
2
star
15

pg_fossa

PostgreSQL extension for FOSSA
PLpgSQL
2
star
16

open-source-happy-hour

Come have a drink and talk about Open Source!
2
star
17

meta-fossa

A yocto layer to analyze Yocto/BitBake images using fossa-cli
BitBake
2
star
18

cse-challenge-dropwizard

CSE interview repository
2
star
19

fossa-jenkins-plugin

Fossa jenkins plugin
Java
2
star
20

cse-challenge-ma

1
star
21

spectrometer-tests

Haskell
1
star
22

fossabot-sandbox

1
star
23

srclib-php

JavaScript
1
star
24

srclib-pip

A requirements scanner for srclib
Python
1
star
25

test-vps-android-project

This is a test Android project for VPS
Java
1
star
26

fossa-license-corrections

Scripts for license corrections in FOSSA
JavaScript
1
star
27

1to3

Go
1
star
28

fossa-inbound-usage-workflow

1
star
29

faktory_worker_node_unique

A wrapper for NodeJS Faktory client that implements Unique Job feature of Faktory Ent
Shell
1
star
30

hasql-pool

Haskell
1
star
31

haskell-dev-tools

`haskell-dev-tools` container and automation
Shell
1
star
32

fossa-cli-orb

1
star
33

support-tools

Shell
1
star
34

go-resolve

Resolve a Go package's revision given its vendored source code.
Go
1
star
35

foundation-libs

Shared Rust libraries for cross-language functionality.
Rust
1
star
36

charts-util

Freely available utility charts.
Smarty
1
star
37

pom-takehome

JavaScript
1
star
38

locator-rs

The FOSSA "locator" type in a Rust library.
Rust
1
star
39

echotraffic

View traffic sent by FOSSA CLI
Go
1
star
40

one

Used in integration tests
1
star
41

tm-integration-os

Part 2 technical onsite session for the TAM role. Evaluates the candidate's ability to build a project and integrate FOSSA.
1
star
42

example-pbxproj-project

1
star
43

fossa-travisci-plugin

Custom build script for travis ci to check on FOSSA builds and scans
JavaScript
1
star
44

lib-fingerprint

Common fingerprinting library
Rust
1
star