README
¶
fossa-cli - Fast, portable and reliable dependency analysis for any codebase.
Background
fossa analyzes complex codebases to generate dependency reports and license notices. By leveraging existing build environments, it can generate fast and highly-accurate results.
Features:
- Supports over 20+ languages & environments (JavaScript, Java, Ruby, Python, Golang, PHP, .NET, etc...)
- Auto-configures for monoliths; instantly handles multiple builds in large codebases
- Fast & portable; a cross-platform binary you can drop into CI or dev machines
- Generates offline documentation for license notices & third-party attributions
- Tests dependencies against license violations, audits and vulnerabilities (coming soon!) by integrating with https://fossa.io
Click here to learn more about the reasons and technical details behind this project.
Installation
Install on MacOS (Darwin) or Linux amd6 using curl:
curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install.sh | bash
Install on Windows using cmd.exe:
@"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/fossas/fossa-cli/master/install.ps1'))"
These commands will execute scripts to fetch and install the latest Github Release.
Quick Start
Run fossa -o in your repo directory to output a dependency report in JSON:
[
{
"Name": "fossa-cli",
"Type": "golang",
"Manifest": "github.com/fossas/fossa-cli/cmd/fossa",
"Build": {
"Dependencies": [
{
"locator": "go+github.com/rhysd/go-github-selfupdate$d5c53b8d0552a7bf6b36457cd458d27c80e0210b",
"data": {
"name": "github.com/rhysd/go-github-selfupdate",
"version": "d5c53b8d0552a7bf6b36457cd458d27c80e0210b"
}
},
...
],
...
}
},
...
]
Run fossa and provide a FOSSA API Key to get a rich, hosted report:
export FOSSA_API_KEY="YOUR_API_KEY_HERE"
# Now, you can just run `fossa`!
fossa
# Output:
# ==========================================================
#
# View FOSSA Report: https://app.fossa.io/{YOUR_LINK}
#
# ==========================================================
Configuration
Initialize configuation and scan for supported modules:
fossa init # writes to `.fossa.yml`
This will initialize a .fossa.yml file that looks like this:
version: 1
cli:
server: https://app.fossa.io
project: github.com/fossas/fossa-cli
analyze:
modules:
- name: fossa-cli
path: ./cmd/fossa
type: go
# ...
Check out our User Guide to learn about editing this file.
After configuration, you can now preview and upload new results:
# Run FOSSA analysis and preview the results we're going to upload
fossa -o
# Run FOSSA and upload results
# Going forward, you only need to run this one-liner
FOSSA_API_KEY=YOUR_API_KEY_HERE fossa
Integrating with CI
Testing for License Violations
If you've integrated with https://fossa.io, you can use fossa test to fail builds against your FOSSA scan status.
# Exit with a failing status and dump an issue report to stderr
# if your project fails its license scan
FOSSA_API_KEY=YOUR_API_KEY_HERE fossa test
# Output:
# --------------------------
# - exit status (1)
#
# * FOSSA discovered 7 license issue(s) in your dependencies:
#
# UNLICENSED_DEPENDENCY (3)
# * pod+FBSnapshotTestCase$1.8.1
# * pod+FBSnapshotTestCase$2.1.4
# * pod+Then$2.1.0
#
# POLICY_FLAG (4)
# * mvn+com.fasterxml.jackson.core:jackson-core$2.2.3
# * npm+xmldom$0.1.27
# * pod+UICKeyChainStore$1.0.5
# * gem+json$1.7.7
#
# ✖ FOSSA license scan failed: 7 issue(s) found.
Generating License Notices
To generate a license notice with each CI build, you can use the fossa report command:
# write a license notice to NOTICE.txt
fossa report --type licenses > NOTICE.txt
See this repo's NOTICE file for an example.
License data is provided by https://fossa.io's 500GB open source registry.
Reference
Check out the User Guide for more details.
Development
View our Contribution Guidelines to get started.
Join our public Slack Channel.
If you're in San Francisco, come to our monthly Open Source Happy Hour to meet us F2F!
License
fossa is Open Source and licensed under the MPL-2.0.
You are free to use fossa for commercial or personal purposes. Enjoy!
Directories
¶
| Path | Synopsis |
|---|---|
|
Package analyzers defines analyzers for various package types.
|
Package analyzers defines analyzers for various package types. |
|
bower
Package bower implements analyzers for the Bower package manager.
|
Package bower implements analyzers for the Bower package manager. |
|
golang
Package golang implements the analyzer for Go.
|
Package golang implements the analyzer for Go. |
|
golang/resolver
Package resolver provides Go resolvers.
|
Package resolver provides Go resolvers. |
|
gradle
Package gradle implements analyzers for Gradle.
|
Package gradle implements analyzers for Gradle. |
|
nodejs
Package nodejs provides analyzers for Node.js projects.
|
Package nodejs provides analyzers for Node.js projects. |
|
php
Package php implements analyzers for PHP.
|
Package php implements analyzers for PHP. |
|
python
Package python provides analysers for Python projects.
|
Package python provides analysers for Python projects. |
|
ruby
Package ruby provides analysers for Ruby projects.
|
Package ruby provides analysers for Ruby projects. |
|
Package api provides low-level primitives for implementing interfaces to various HTTP APIs.
|
Package api provides low-level primitives for implementing interfaces to various HTTP APIs. |
|
fossa
Package fossa provides a high-level interface to the FOSSA API (by default, located at https://app.fossa.io).
|
Package fossa provides a high-level interface to the FOSSA API (by default, located at https://app.fossa.io). |
|
buildtools
|
|
|
dep
Package dep provides functions for working with the dep tool.
|
Package dep provides functions for working with the dep tool. |
|
gdm
Package gdm implements a Go package resolver for the gdm tool.
|
Package gdm implements a Go package resolver for the gdm tool. |
|
glide
Package glide provides functions for working with the glide tool.
|
Package glide provides functions for working with the glide tool. |
|
gocmd
Package gocmd provides functions for working with the Go tool.
|
Package gocmd provides functions for working with the Go tool. |
|
godep
Package godep provides functions for working with the godep tool.
|
Package godep provides functions for working with the godep tool. |
|
govendor
Package govendor provides tools for working with govendor.
|
Package govendor provides tools for working with govendor. |
|
cmd
|
|
|
fossa/cmd/init
Package init implements `fossa init`.
|
Package init implements `fossa init`. |
|
fossa/cmdutil
Package cmdutil provides common utilities for subcommands.
|
Package cmdutil provides common utilities for subcommands. |
|
Package config implements application-level configuration functionality.
|
Package config implements application-level configuration functionality. |
|
Package errutil contains common application-level errors.
|
Package errutil contains common application-level errors. |
|
Package files implements utility routines for finding and reading files.
|
Package files implements utility routines for finding and reading files. |
|
Package log implements application-level logging.
|
Package log implements application-level logging. |
|
Package module defines a FOSSA CLI module.
|
Package module defines a FOSSA CLI module. |
|
Package monad implements common monomorphic monads.
|
Package monad implements common monomorphic monads. |
|
Package pkg defines a generic software package.
|
Package pkg defines a generic software package. |
|
Package vcs implements functions for interacting with version control systems.
|
Package vcs implements functions for interacting with version control systems. |