The FOSSA Developer Hub

Welcome to the FOSSA developer hub. You'll find comprehensive guides and documentation to help you start working with FOSSA as quickly as possible, as well as support if you get stuck. Let's jump right in!

Get Started    

Bitbucket Server (Stash)

This guide is for your Bitbucket Server/Atlassian Stash admin to set up FOSSA On-Prem's access to your internal code. Note: This was written for Bitbucket Server v4.0.6+

Set up Application Link

You first need to add an application link so that users with a login on Bitbucket Server can view their projects through FOSSA.

  1. Navigate to your local Bitbucket Server > Settings > Application Links.
  1. Create an Application Link to FOSSA's internal IP
Fill in "fossa" for all options:
  1. Go to the new link and Edit > Incoming Authentication
  1. Fill in the following settings and hit "Save" (leaving the rest blank):
Consumer Key: fossa
Consumer Name: fossa
Public Key: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqGKukO1De7zhZj6+H0qtjTkVxwTCpvKe4eCZ0FPqri0cb2JZfXJ/DgYSF6vUpwmJG8wVQZKjeGcjDOL5UlsuusFncCzWBQ7RKNUSesmQRMSGkVb1/3j+skZ6UtW+5u09lHNsj6tQ51s1SPrCBkedbNf0Tp0GbMJDyR4e9T04ZZwIDAQAB

Now users can successfully connect their Bitbucket Server accounts with FOSSA.

Add 'fossabot'

FOSSA currently requires a companion bot account on your Bitbucket Server instance with global read access to analyze all internal repositories. This will be replaced in future updates, but is currently required for FOSSA to fetch code.

  1. Add fossabot user to Bitbucket Server

Go to Settings > Accounts > Users > Create User.

For username/password, use the bitbucket_server__credentials config in FOSSA's config.env (default below):

bitbucket_server__credentials__basic__username=fossabot
bitbucket_server__credentials__basic__password=fossa123
  1. Ensure fossabot has global read access

    fossabot needs to be able to clone any repository in your instance of Bitbucket Server. The easiest way of doing this is giving the account admin privelages in Settings > Accounts > Global Permissions:

If you need to custom-configure a role for `fossabot`, make sure the account still has global read afterwards (i.e. try cloning repos across different projects as `fossabot`).

Now you should be all set up! Users on FOSSA should be able browse and import their repositories on Bitbucket Server through Bulk Import.

NOTE: fossabot is not accessible to average users of FOSSA, but serves as an internal proxy for FOSSA to fetch code. Normal users will only be able to browse and import what they have access to normally through Bitbucket Server.

Configuring FOSSA

If you've set up this configuration before installing FOSSA, you can ignore this step and use the default setup.sh prompts to complete the FOSSA install.

Otherwise, ensure your config.env file on your FOSSA box has the following entries:

# Replace with your Bitbucket base URL, including protocol
bitbucket_server__base_url={$BITBUCKET_BASE_URL} 
bitbucket_server__credentials__oauth2__client_id=fossa
bitbucket_server__credentials__basic__username=fossabot
bitbucket_server__credentials__basic__password=fossa123

Automatic Updates

After importing, automatic updates need to be configured manually in two places for each imported project.

  1. On FOSSA via Project > Settings > Update Hooks, select "Select Update Method...", choose Webhook and hit Save Changes.

  2. On Bitbucket Server, install (if not done already) the webhooks module and enable them on each imported project. View guide here.

  3. Copy & Paste Webhook Update URL from the first step to the webhooks in Bitbucket under Post-Receive Webhooks > Enable.

Fossa On-Prem bitbucket server configuration without ssh cloning

Create a Public key

Modify Config.json

openssl genrsa -out privkey.pem 2048
openssl rsa -pubout -in privkey.pem -out pubkey.pem
Config.json 
bitbucket.key: |
  -----BEGIN RSA PRIVATE KEY-----
  MIIEpAIBAAKCAQEAnFz3C4zivnXaOCSAMxtXL4bEe7RQTEboUi3JV62o+V5LKxJn
  1c0Mp+0SSHS+06i7UPkcCtblZbBMXGupjkMyJ+TGXIKFXdwdY8MyohVtgTcTcKFL
  HiW9bWbSx5x7zIqS78rNQWxsrBEJZgjDsfALtKXV/t7I1G1tEH84nEwF9D8VP/B8
  72xP6vSX2rlYX0IEh9ampEnU+riFnqpYR7CmMkeyrSKOsi6TuqachYIb9qjgNX/o
  EbNAjLcDdH28S/5nkmIEll+vhVbgeL8DJOt3gufSujE16EgqQN8UFfwRXyoAW1G7
  SRBdvDoqu0J5sZvIUpcA5/5tf6EZV0+iTlfcxQIDAQABAoIBADbxI41Xb8TkvEzF
  5pYOoU/91sRw01Y6BB/8HqdESf91down53xklHHdB3OWMgdFXqxRG91jLS/SBsLi
  wa1PRyxlYp3W7u3QDjOjvwLc7KFerOICitaJBEqQureQ8J8qgf7oD79RTc4YHmlP
  4xN++V38d3ka5w5ddNk7GrUwsVbk1ur13X+zpccntmwGUx/oXQxNmPF7TKUcKDmy
  sY2zeOyK1D0I63CHvxxZR3xrUL1jvyEtFdcSNIAwS8kIb+QDlz5O7eFQbhcq4TKA
  iuK9PMBdQ4GG4H5KNmQgjluT6WDO0yfncmOkGPcRi2O/W3UVNx9znQikTXeulR/u
  FWbYgAECgYEAz7t6urgSAUV6GrdQbLbegM26VJOWIOeuJlKzKo0NT03IpyKGgY9Y
  zFc/5c2X0Q7BPOA5Rjw+l35w+flGHs6el0t4AhBA0pD+mZFsJ/rlIlngNnA06a5N
  LXVLgfsF70jJvfu6T2/L0B08mUpvI3RD41mCYdN7FzkuF3HkMoA4+AECgYEAwLHl
  rbMBIhppZU59m4CYjcTuaohckVczT+PsYZ5M/6WfL71VkJxUYdK+Z9vE+K1sref4
  3ofFMirQG/cOmxVezJCpZXYs6+Zqamr5D4KxGAtCLQACaW3BTjB8MpZg2ENf/iya
  SUNXACJoqctrg4wWhlaniXdOIVvhz8w3IMahBMUCgYEAzG307rHczjGAY7BJTmN8
  fod3OmpvkPxPDtnOBi7/jS7AK3K3qeLXAWlPsahtIkiB9JW455y8ADxnlCkzT3gI
  7F1Rwb4a/N3CIIDTTlkDi5WlKA2ulNV6kCThZQ4THhOkrfl/tVMQ4UMUcsqkquBt
  OtzIidskRIt6B4qGhwhWiAECgYEApKadqald24UT79N8sqXUNLdEPVVdO3d2Sdpo
  fhUkmAEuHz254kIiPCA2QEpiaVbOmV6woX0Du9UnU+3r1goRodwuUpsC0WNmJJ5Z
  SK6UogXkuszaQrncxfHZ/ePOxpvzZx03jEh1C5FbO1KtAI9wI8Phji2aXhjDv6ow
  pNn0dj0CgYAp8meFNCQouZRfnwpytOzt6eQUziliYYAVPJZvM9LfhwPua20dRAJx
  Sx9v+duVnOePkWNRTOL4meF6zlxq9sCsuO8qtj0X2qYHzts+UP7HtM3yXNtOsxUZ
  iic9TOz4cCyl2vKaXm8RJ/CxQIxkWmxzOsHigpH8VrzHWugIRQMnyw==
  -----END RSA PRIVATE KEY-----
  
  "bitbucket_server": {
        "enabled": true,
        "base_url": "http://ec2-3-135-246-139.us-east-2.compute.amazonaws.com:8080",
        "credentials": {
          "basic": {
            "username": "fossabot",
            "password": "fossa123"
          },
          "oauth2": {
            "client_id": "fossa",
            "private_key": "/etc/fossa/config/bitbucket.key"
          }
        }
      },

If you have any problems, contact support at [email protected]. This guide was written for Bitbucket Server v4.0.6+.

Updated 21 days ago

Bitbucket Server (Stash)


Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.