Fossa supports Java and 2 of the 3 main build systems:
Project settings config is accessible and editable from the projects page (http://<fossa-host>/projects/<project>/settings/languages).
environment variables used during project build is configurable via Project Settings > Builds and Languages > General.
maven profiles and
gradle configuration file used during project build is configurable via Project Settings > Builds and Languages > Java.
Dependency Scope can be limited via Project Settings > Builds and Languages > Java (see above image) making Fossa reduce the number of dependencies it displays and uses during issue analysis. If not limited, all dependencies are included.
The Maven build system (http://maven.apache.org/) pulls in dependencies based on:
Fossa derives dependencies by building your project and seeing which dependencies are brought in. Other metadata is fetched directly from repositories.
Here's some of the metadata that's pulled in:
Optional dependencies are included in analysis and are grok'ed by Fossa. The optional dependencies are tagged as
Optional by Fossa and are not included beyond depth 1.
Dependency Scope is included in analysis and is selectable in Fossa. Choosing different project scopes allows you to choose which dependencies are included in issue scans and in the UI.
Dependencies that are excluded transitively are also grok'ed by Fossa. If a transitive dependency is expicitly excluded, Fossa will exclude that dependency from its issue scans and in the UI. If another dependency brings in the excluded transitive dependency, then it will be included. These excludes are scoped to dependencies, not projects.
The Gradle build system (https://docs.gradle.org/) pulls in dependencies based on the repository it's pulling from:
The metadata pulled in is similar to maven:
Gradle properties can be set via environment variables as defined above. Gradle property names should be prefixed with
ORG_GRADLE_PROJECT_ as per the gradle documentation.
See the Maven section for more detail.