Binaries, Archives or Custom (vendored code, etc...)

FOSSA supports archives, vendorized dependencies and binaries through a variety of methods.

ToolQuick Import ( (fossa-cli)
Egg/WheelThrough Python support.N/A


About Archive Formats

Archive formats are a special kind of dependency in FOSSA. They are not included through a standard build tool or process, but instead represent instances where developers have packaged up pieces of (potentially-modified) 3rd-party code and checked them into your source tree.

When archives are encountered, FOSSA makes a "best-effort" attempt at resolving it to known 3rd-party code.

Resolution Strategies

Below is a table of available resolution strategies in Provided / Automated integration methods:

TypeResolution KeysSupportedProvided
CommonJS PackageResolved from package.jsonYY
Python PackageResolved from setup.pyY
MavenResolved from pom.xmlY
GenericHash of archive / source treeContact Us

Scanning Custom Directories

You can also scan custom directories that contain 3rd-party code by annotating them in your fossa-deps.yml file.

Click here to see the extensive docs on fossa-deps.yml

Path Dependencies

Path dependencies are dependencies, deliberately sourced from filesystem, as opposed to package registry. For some languages, FOSSA supports analysis of path dependencies, via license scanning target directory.

Click here to learn more about path dependencies.