Today, FOSSA is open sourcing our dependency analysis infrastructure on GitHub. Now, everyone can participate and have access to the best tools to get dependency data out of any codebase, no matter how complex it is.

Motivations

Open source is critical infrastructure to any software team, yet today it’s still difficult to get accurate and reliable dependency information at scale across your repositories.

Over the past year, we’ve helped over 3000 teams manage their open source dependencies. After working with everyone from trendy open source projects to heavyweight financial institutions, we’ve learned a few major lessons that drove our design.

Open Source

Our team has already invested a huge amount of effort to model the ways people include third party code. However, at the end of the day everyone uses open source differently.

Even though many languages have some conventions and structure around dependencies, you will always have plenty of edge cases due to the breadth of ways people share code. That’s why it’s critical that this is an open and collaborative project.

Today, we’re starting by releasing integrations to over 15 of the most popular build systems. However, fossa-cli's role is to eventually encompass all of the weird ways people include open source packages. For example, fossa-cli launches with support for custom-vendored archive formats.

If you have a weird way of using open source, share it and shoot us a PR!

Dynamic Analysis

Software builds are unpredictable, complicated and highly configured. Large codebases often use multiple build systems in conjunction while employing configuration tricks to boost performance, change behavior or sneak in third-party code.

In order to handle the performance, complexity and reliability demands of modern monoliths, we have to leverage the existing build environment. A huge focus of fossa-cli is directed towards dynamic analysis, or in other words, asking a running build system or environment for dependency data.

Learn more about the technical motivations behind this project here.

Friendly & Portable

User experience was our final priority — the CLI had to naturally fit into a developer’s workflow. In order to accomplish this, we prioritized:

  1. Portability: a small, single, cross-platform binary that could be run from a dev machine, CI, or anywhere a build can succeed
  2. CI-Ready: naturally plug into CI — bundle in automation to generate reports, license notices and run tests against dependencies that can fail CI tasks; guaranteed reliability and performance
  3. Zero Configuration: ready to go out of the box with just fossa init, designed to work even for complex monoliths

This is just the start; over time we will continue to port more of our existing integrations and architecture to the CLI.

Introducing Provided Builds

Along with making fossa-cli available, we are also introducing a new way of integrating your repositories with FOSSA called Provided Builds.

Provided Builds lets you upload dependency data using fossa-cli directly from your build environment to app.fossa.io.

By taking advantage of your build, we can:

  1. Eliminate false positives and dramatically increase accuracy of dependency reports
  2. Easily and securely integrate with complex codebases; no code access or configuration required
  3. Achieve high performance on large builds and naturally integrate with CI

To get started, check out our docs on Provided Builds here!

We’d love to hear your feedback on these new options. Please open an issue on GitHub or send us a PR with any comments or questions.