Automate License Compliance with FOSSA
What is FOSSA?
FOSSA is a software composition analysis (SCA) tool that continuously scans for open-source components and tracks dependencies and license compliance. It is an open source management platform with a built-in policy engine, used by companies like Uber, Slack, and Nike. It ships default policies for websites and hosted (SaaS) services.
Use case of FOSSA
FOSSA helps you manage your open-source components. It plugs into your development workflow so your team can automatically track, manage, and remediate issues with the open source you use, letting you:
- Stay compliant with software licenses and generate required attribution documents
- Enforce usage and licensing policies throughout your CI/CD workflow
- Monitor and remediate security vulnerabilities
- Flag code quality issues and outdated components proactively
STEP-1 CREATE AN ACCOUNT
Enter your email id –
After signing up you have to choose between the options shown in the image (we are going to follow both). We start with the QUICK IMPORT option.
QUICK IMPORT = testing
CLI METHOD = in-depth scan
STEP-2 INTEGRATION AND AUTHORIZATION
Choose GitHub (Make sure you already have a GitHub account and repository)
Choose "Connect with service"
Authorize FOSSA for all your public repositories on GitHub
STEP-3 SELECT YOUR REPO
Select the repository
After selecting the repository, it shows the following information:
- Branch Name
Output after importing the repository:
STEP-4 READY TO SCAN
It shows 81 dependencies and 36 licenses, and also lists the flagged dependencies.
UNDERSTANDING SCAN RESULTS
Now it shows the following information:
- Flagged issue
- The licensing issue
- Package that uses the license (example: GPL-3.0-only)
- Direct or transitive dependency (example: Direct-1)
- Time when it was found (example: an hour ago)
In FOSSA, a licensing issue can be:
- FLAGGED – needs review
- DENIED – replace
- UNLICENSED – none found
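The three statuses above, plus the direct/transitive distinction, map naturally onto a policy check. The following is an added illustration written for this post, not FOSSA's own policy engine: the allow/flag/deny lists, the dependency data and the CI gate rule are all constructed, and it goes slightly beyond the page by handling simple SPDX `OR`/`AND` expressions (no parentheses).

```python
"""Toy license-policy evaluation modelled on FOSSA's FLAGGED / DENIED / UNLICENSED statuses.
Added illustration only; POLICY and SAMPLE_DEPS are constructed, not real scan output."""
from dataclasses import dataclass
from typing import Optional

# Constructed policy for a hosted (SaaS) service: permissive licences pass,
# copyleft needs review, network copyleft is denied outright.
POLICY = {
    "allow": {"MIT", "Apache-2.0", "BSD-3-Clause", "ISC"},
    "flag": {"GPL-3.0-only", "LGPL-3.0-only", "MPL-2.0"},
    "deny": {"AGPL-3.0-only"},
}
RANK = {"ALLOWED": 0, "FLAGGED": 1, "DENIED": 2}  # higher = stricter outcome

@dataclass
class Dependency:
    name: str
    license: Optional[str]  # SPDX expression from the scanner; None = nothing found
    direct: bool            # True for a direct dependency, False for transitive

def _status_of(license_id: str) -> str:
    if license_id in POLICY["deny"]:
        return "DENIED"
    if license_id in POLICY["flag"] or license_id not in POLICY["allow"]:
        return "FLAGGED"  # unknown licence ids get review rather than a silent pass
    return "ALLOWED"

def evaluate(dep: Dependency) -> str:
    """Return ALLOWED, FLAGGED, DENIED or UNLICENSED for one dependency."""
    if not dep.license:
        return "UNLICENSED"
    if " OR " in dep.license:
        # Dual licensing: the consumer may pick any branch, so the best branch decides.
        return min((_status_of(x.strip()) for x in dep.license.split(" OR ")), key=RANK.get)
    # 'AND' (or a single id): every branch applies, so the strictest branch decides.
    return max((_status_of(x.strip()) for x in dep.license.split(" AND ")), key=RANK.get)

def summarize(deps):
    """Group (name, kind) pairs by status, e.g. to render a report or gate a pipeline."""
    out = {s: [] for s in ("ALLOWED", "FLAGGED", "DENIED", "UNLICENSED")}
    for d in deps:
        out[evaluate(d)].append((d.name, "direct" if d.direct else "transitive"))
    return out

def ci_should_fail(summary) -> bool:
    """Constructed gate: any DENIED fails; UNLICENSED fails only for direct dependencies."""
    return bool(summary["DENIED"]) or any(k == "direct" for _, k in summary["UNLICENSED"])

SAMPLE_DEPS = [  # constructed sample inventory
    Dependency("express", "MIT", True),
    Dependency("readline-lib", "GPL-3.0-only", True),   # like the GPL-3.0-only hit above
    Dependency("dual-pkg", "MIT OR GPL-3.0-only", False),
    Dependency("db-driver", "AGPL-3.0-only", False),
    Dependency("mystery", None, False),
]
```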
Choosing the CLI option
Choosing the CLI option redirects you to this page.
Steps to follow –
1. Install ‘fossa-cli’
curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash
2. Set your API key (this is different for every user)
Now, in a terminal, change into the repo you want to scan and run this –
It generates an output report. Clicking the link redirects you to the same page shown earlier.
Some CLI commands –
fossa analyze
fossa test
fossa report
You can also generate and publish reports in formats such as HTML, JSON, and text.
Open source is a critical part of your software: in the average modern software product, over 80% of the source code shipped is derived from open source. Each component can have cascading legal, security, and quality implications for your customers, making it one of the most important things to manage correctly. Overall, FOSSA can be used in any context where open-source software is used and needs to be managed.
Blog Pundits: Mehul Sharma and Sandeep Rawat
OpsTree is an End-to-End DevOps Solution Provider.