fossa-cli

module v0.7.0-beta.8
Published: Jul 30, 2018 License: MPL-2.0

README

fossa-cli - Fast, portable and reliable dependency analysis for any codebase.

Background

fossa analyzes complex codebases to generate dependency reports and license notices. By leveraging existing build environments, it can generate fast and highly-accurate results.

Features:

  • Supports 20+ languages & environments (JavaScript, Java, Ruby, Python, Golang, PHP, .NET, etc.)
  • Auto-configures for monoliths; instantly handles multiple builds in large codebases
  • Fast & portable; a cross-platform binary you can drop into CI or dev machines
  • Generates offline documentation for license notices & third-party attributions
  • Tests dependencies against license violations, audits and vulnerabilities (coming soon!) by integrating with https://fossa.io

Click here to learn more about the reasons and technical details behind this project.

Installation

Install on macOS (Darwin) or Linux amd64 using curl:

curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install.sh | bash

Install on Windows using cmd.exe:

@"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/fossas/fossa-cli/master/install.ps1'))"

These commands execute scripts that fetch and install the latest GitHub Release.

Quick Start

Run fossa -o in your repo directory to output a dependency report in JSON:

[
  {
    "Name": "fossa-cli",
    "Type": "golang",
    "Manifest": "github.com/fossas/fossa-cli/cmd/fossa",
    "Build": {
      "Dependencies": [
        {
          "locator": "go+github.com/rhysd/go-github-selfupdate$d5c53b8d0552a7bf6b36457cd458d27c80e0210b",
          "data": {
            "name": "github.com/rhysd/go-github-selfupdate",
            "version": "d5c53b8d0552a7bf6b36457cd458d27c80e0210b"
          }
        },
        ...
      ],
      ...
    }
  },
  ...
]
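As an added example (not code from the fossa-cli project), the Go program below reads a report in the shape shown above and splits each `locator` of the form `type+name$version` into ecosystem, name and version, producing a flat dependency inventory that can be diffed between builds or fed to other tooling. The embedded report is constructed, and the field set is assumed to be exactly the one shown above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Dep is one dependency taken from a fossa locator `type+name$version`.
type Dep struct{ Ecosystem, Name, Version string }
// report mirrors only the `fossa -o` fields the inventory needs.
type report []struct {
	Build struct {
		Dependencies []struct{ Locator string `json:"locator"` } `json:"Dependencies"`
	} `json:"Build"`
}
// ParseLocator cuts the ecosystem at the first '+' and the version at the
// last '$', so names containing ':' or '/' (mvn, go) survive intact.
func ParseLocator(loc string) (Dep, error) {
	plus := strings.Index(loc, "+")
	dollar := strings.LastIndex(loc, "$")
	if plus < 1 || dollar <= plus+1 || dollar == len(loc)-1 {
		return Dep{}, fmt.Errorf("malformed locator %q", loc)
	}
	return Dep{loc[:plus], loc[plus+1 : dollar], loc[dollar+1:]}, nil
}

// Inventory flattens every module's dependencies, keyed by locator so a
// shared dependency is listed once; a bad locator is an error, not a gap.
func Inventory(raw []byte) (map[string]Dep, error) {
	var r report
	if err := json.Unmarshal(raw, &r); err != nil {
		return nil, err
	}
	deps := map[string]Dep{}
	for _, m := range r {
		for _, d := range m.Build.Dependencies {
			dep, err := ParseLocator(d.Locator)
			if err != nil {
				return nil, err
			}
			deps[d.Locator] = dep
		}
	}
	return deps, nil
}

func main() { // constructed sample in the shape shown above, not real output
	deps, err := Inventory([]byte(`[{"Name":"fossa-cli","Build":{"Dependencies":[{"locator":"go+github.com/rhysd/go-github-selfupdate$d5c53b8d0552a7bf6b36457cd458d27c80e0210b"},{"locator":"mvn+com.fasterxml.jackson.core:jackson-core$2.2.3"}]}}]`))
	fmt.Println(deps, err)
}
```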

Run fossa and provide a FOSSA API Key to get a rich, hosted report:

export FOSSA_API_KEY="YOUR_API_KEY_HERE"

# Now, you can just run `fossa`!
fossa

# Output:
# ==========================================================
#
#    View FOSSA Report: https://app.fossa.io/{YOUR_LINK}
#
# ==========================================================

Configuration

Initialize configuration and scan for supported modules:

fossa init # writes to `.fossa.yml`

This will initialize a .fossa.yml file that looks like this:

version: 1

cli:
  server: https://app.fossa.io
  project: github.com/fossas/fossa-cli

analyze:
  modules:
    - name: fossa-cli
      path: ./cmd/fossa
      type: go

# ...

Check out our User Guide to learn about editing this file.

After configuration, you can now preview and upload new results:

# Run FOSSA analysis and preview the results we're going to upload
fossa -o

# Run FOSSA and upload results
# Going forward, you only need to run this one-liner
FOSSA_API_KEY=YOUR_API_KEY_HERE fossa

Integrating with CI

Testing for License Violations

If you've integrated with https://fossa.io, you can use fossa test to fail builds against your FOSSA scan status.

# Exit with a failing status and dump an issue report to stderr
# if your project fails its license scan
FOSSA_API_KEY=YOUR_API_KEY_HERE fossa test

# Output:
# --------------------------
# - exit status (1)
#
# * FOSSA discovered 7 license issue(s) in your dependencies:
#
# UNLICENSED_DEPENDENCY (3)
# * pod+FBSnapshotTestCase$1.8.1
# * pod+FBSnapshotTestCase$2.1.4
# * pod+Then$2.1.0
#
# POLICY_FLAG (4)
# * mvn+com.fasterxml.jackson.core:jackson-core$2.2.3
# * npm+xmldom$0.1.27
# * pod+UICKeyChainStore$1.0.5
# * gem+json$1.7.7
#
# ✖ FOSSA license scan failed: 7 issue(s) found.

Generating License Notices

To generate a license notice with each CI build, you can use the fossa report command:

# write a license notice to NOTICE.txt
fossa report --type licenses > NOTICE.txt

See this repo's NOTICE file for an example.

License data is provided by https://fossa.io's 500GB open source registry.

Reference

Check out the User Guide for more details.

Development

View our Contribution Guidelines to get started.

Join our public Slack Channel.

If you're in San Francisco, come to our monthly Open Source Happy Hour to meet us F2F!

License

fossa is Open Source and licensed under the MPL-2.0.

You are free to use fossa for commercial or personal purposes. Enjoy!

Directories (path: synopsis)

analyzers: Package analyzers defines analyzers for various package types.
  ant
  bower: Package bower implements analyzers for the Bower package manager.
  cocoapods: Package cocoapods implements Cocoapods analysis.
  golang: Package golang implements the analyzer for Go.
  golang/resolver: Package resolver provides Go resolvers.
  gradle: Package gradle implements analyzers for Gradle.
  maven: Package maven implements Maven analysis.
  nodejs: Package nodejs provides analyzers for Node.js projects.
  nuget: Package nuget implements NuGet analysis.
  php: Package php implements analyzers for PHP.
  python: Package python provides analysers for Python projects.
  ruby: Package ruby provides analysers for Ruby projects.
  scala: Package scala implements Scala analysis.
api: Package api provides low-level primitives for HTTP APIs.
  fossa: Package fossa provides a high-level interface to the FOSSA API (by default, located at https://app.fossa.io).
buildtools
  dep: Package dep provides functions for working with the dep tool.
  gdm: Package gdm implements a Go package resolver for the gdm tool.
  glide: Package glide provides functions for working with the glide tool.
  gocmd: Package gocmd provides functions for working with the Go tool.
  godep: Package godep provides functions for working with the godep tool.
  govendor: Package govendor provides tools for working with govendor.
  gpm
  npm
  pip
  sbt
cmd
  fossa/cmd/init: Package init implements `fossa init`.
  fossa/cmdutil: Package cmdutil provides common utilities for subcommands.
config: Package config implements application-level configuration functionality.
errutil: Package errutil contains common application-level errors.
files: Package files implements utility routines for finding and reading files.
log: Package log implements application-level logging.
module: Package module defines a FOSSA CLI module.
monad: Package monad implements common monomorphic monads.
pkg: Package pkg defines a generic software package.
vcs: Package vcs implements functions for interacting with version control systems.
