FOSSA: Audit-Grade Open Source Dependency Protection

Automate License Compliance with FOSSA

What is FOSSA?

FOSSA is a software composition analysis (SCA) tool that continuously scans your codebase for open-source components and tracks dependencies and license compliance. It is an open source management platform, used by companies such as Uber, Slack and Nike, built around a policy engine; it ships with default policies for websites, hosted services and SaaS applications, which you can adapt to your own legal requirements.

Use case of FOSSA

FOSSA helps you manage your open-source components. It plugs into your development workflow so that your team can automatically track, manage and remediate issues with the open source you use, in order to:

  • Stay compliant with software licenses and generate required attribution documents
  • Enforce usage and licensing policies throughout your CI/CD workflow
  • Monitor and remediate security vulnerabilities
  • Flag code quality issues and outdated components proactively

Open-source software is a huge asset for a growing company, but open-source license compliance is hard with legacy tools that are inflexible and force the legal team to spend too much time manually closing gaps. What we need is an automated way to cover every license approval scenario. FOSSA works with all the common languages: Python, C/C++, JavaScript and so on. So let's begin with how to run your first scan using FOSSA.

STEP-1 CREATE AN ACCOUNT

Enter your email address –

After signing up you have to choose between the two options shown in the image (we are going to follow both). We start with the QUICK IMPORT option.

QUICK IMPORT = a quick test of a repository via the GitHub integration

CLI METHOD = an in-depth scan run from your own machine or CI

STEP-2 INTEGRATION AND AUTHORIZATION

Choose GitHub (make sure you already have a GitHub account and a repository).

Choose "connect with service".

Authorize FOSSA for all the public repositories available in your GitHub account. Note what you are granting here: FOSSA gets read access to those repositories through a GitHub OAuth grant, which you can review or revoke later from the Applications section of your GitHub settings if you stop using the service.

STEP-3 SELECT YOUR REPO

Select the repository

After selecting the repository, the project page shows the following information:

  1. Branch name
  2. Issues
  3. Dependencies
  4. Licenses
  5. Report

Output after importing the repository:

STEP-4 READY TO SCAN

The scan reports 81 dependencies and 36 licenses, and also produces a list of flagged dependencies.

UNDERSTANDING SCAN RESULTS

For each issue it now shows the following information:

  • The flagged issue
  • The licensing issue
  • The package that uses the license (example: GPL-3.0-only, the SPDX identifier for GPL v3)
  • Whether it is a direct or transitive dependency (example: Direct-1)
  • When it was found (example: an hour ago)

In FOSSA a licensing issue can be in one of these states:

  • FLAGGED – needs review by a human before it can be approved
  • DENIED – the policy forbids this license; replace the dependency
  • UNLICENSED – no license found, so its terms of use are unknown and it needs the same review as a denied one

The direct/transitive distinction matters for remediation: a direct dependency can be swapped out in your own manifest, whereas a transitive one is pulled in by something else and usually has to be fixed by upgrading or replacing the parent.

Choosing the CLI option

When you choose the CLI option you are redirected to this page:

Steps to follow –

  1. Install fossa-cli
curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash

This pipes a remote script straight into bash. On a build machine you should download the script to a file first, read it, and only then run it, so that a compromised or changed script cannot silently execute on your host.

  2. Set your API key (it is different for every user; the value below is a sample)

export FOSSA_API_KEY=8fe8f6384fbcgh7662b9767743867ae63

Treat the key as a secret: keep it in your CI system's secret store rather than in the pipeline file, and keep it out of source control and shell history.

Now, in a terminal, change into the repository you want to scan and run this –

fossa analyze

Output –

It generates a report and prints a link; clicking the link takes you to the same project page shown earlier.

Some CLI commands –

fossa analyze   (discovers dependencies and uploads the results to FOSSA)
fossa test      (waits for the scan and exits non-zero if the policy engine reports issues, so it can fail a CI job)
fossa report    (generates attribution reports from the scan results)

You can also generate and publish reports in formats such as HTML, JSON and text.
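To show how the CLI commands above and the "enforce policies in CI/CD" use case fit together, here is a small CI gate script. It is an added example written for this post, not code from the post itself or from FOSSA. It assumes the fossa-cli v3 command names used on this page (fossa analyze, fossa test, fossa report attribution --format json; check fossa report --help on your version for the exact format flags), that FOSSA_API_KEY is injected from the CI secret store rather than hard-coded, and the exit-code convention in the comments is our own, not FOSSA's.

```shell
#!/usr/bin/env bash
# CI gate around fossa-cli. Added example for this post, not FOSSA's own code.
#
# Exit codes returned by run_fossa_gate (our convention, not FOSSA's):
#   0 - analysis uploaded, no policy issues, attribution report written
#   1 - fossa test reported issues (flagged / denied / unlicensed dependencies)
#   2 - misconfiguration (FOSSA_API_KEY unset or fossa-cli not installed)
#   3 - fossa analyze itself failed (nothing was uploaded)

run_fossa_gate() {
  # Where to write the attribution artefact shipped with the build.
  local report_file="${1:-fossa-attribution.json}"

  # The key must come from the environment (CI secret store), never from the
  # repo. Refuse to run rather than silently uploading an unauthenticated scan.
  if [ -z "${FOSSA_API_KEY:-}" ]; then
    echo "FOSSA_API_KEY is not set; refusing to run" >&2
    return 2
  fi

  if ! command -v fossa >/dev/null 2>&1; then
    echo "fossa-cli not found on PATH; install it before this step" >&2
    return 2
  fi

  # Upload the dependency graph for this revision.
  if ! fossa analyze; then
    echo "fossa analyze failed; see output above" >&2
    return 3
  fi

  # Block the pipeline while issues exist. fossa test waits for the scan to
  # finish and exits non-zero when the policy engine reports issues.
  if ! fossa test; then
    echo "FOSSA policy check failed: review flagged/denied/unlicensed dependencies" >&2
    return 1
  fi

  # Only a clean scan produces the attribution report that ships with the build.
  fossa report attribution --format json > "$report_file"
}

# Usage from a CI step: ./fossa-gate.sh --run [report-path]
case "${1:-}" in
  --run) shift; run_fossa_gate "$@" ;;
esac
```

Because fossa test is what turns a FLAGGED or DENIED dependency into a failed build, it belongs on every pull-request pipeline, not only on the main branch; the attribution report is generated last so that it is only ever produced from a scan that passed policy.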

Conclusion

Open source is a critical part of your software: in the average modern software product, over 80% of the source code shipped is derived from open source. Each component can have cascading legal, security and quality implications for your customers, which makes managing it correctly one of the most important things to get right. Overall, FOSSA can be used in any context where open-source software is used and needs to be managed.

Blog Pundits: Mehul Sharma and Sandeep Rawat

OpsTree is an End-to-End DevOps Solution Provider.
