Scanning Buildroot Projects

Scan Buildroot-based embedded Linux projects for license and security compliance with FOSSA.

3 min readUpdated Jul 9, 2026

Overview

This guide explains how to integrate FOSSA into a Buildroot environment for license and security compliance scanning. By leveraging Buildroot's make show-info feature, you extract package dependency information and generate a fossa-deps file that FOSSA can analyze.

Note

  • A working Buildroot environment.
  • The FOSSA CLI installed. See Installing the FOSSA CLI.
  • Python 3 (to run the conversion script).
  • Basic familiarity with running Buildroot commands.
  1. 1

    Generate package information from Buildroot

    From your Buildroot project directory, export package metadata to JSON:

    Shell
    cd /path/to/your/buildroot-projectmake show-info > buildroot_deps.json

    This produces buildroot_deps.json containing package names, versions, some licenses, and dependencies.

  2. 2

    Convert Buildroot dependencies to FOSSA format

    FOSSA can enhance the information extracted from Buildroot by incorporating additional insights. Save the following script as generate_fossa_deps.py in your Buildroot directory. It reads the JSON and writes a fossa-deps.yml with referenced and custom dependencies:

    Python
    #!/usr/bin/env python3 import jsonimport argparseimport yaml def parse_arguments():    parser = argparse.ArgumentParser(description='Generate fossa-deps.yml from Buildroot package info.')    parser.add_argument('input_file', type=str, help='Path to the JSON file containing package information.')    return parser.parse_args() def load_package_info(file_path):    with open(file_path, 'r') as file:        return json.load(file) def map_to_fossa_type(package_name):    # Define mapping rules from Buildroot packages to FOSSA dependency types    if package_name.startswith('python-'):        return 'pypi'    elif package_name.startswith('ruby-'):        return 'gem'    else:        return 'custom' def transform_package_name(package_name):    # Remove 'python-' if the package name starts with it    if package_name.startswith('python-'):        return package_name.replace('python-', '', 1)    return package_name def generate_fossa_deps(packages):    referenced_deps = []    custom_deps = []     for pkg_name, pkg_info in packages.items():        transformed_name = transform_package_name(pkg_name)  # Apply name transformation        fossa_type = map_to_fossa_type(pkg_name)         # Get version and ensure it is not empty or blank        version = pkg_info.get('version', None)        if not version or str(version).strip() == "":            version = '1.0'  # Set default version if empty         dep_entry = {            'name': transformed_name,  # Use transformed package name            'version': version        }        if fossa_type == 'custom':            dep_entry['license'] = pkg_info.get('licenses', 'unknown')            custom_deps.append(dep_entry)        else:            dep_entry['type'] = fossa_type            referenced_deps.append(dep_entry)     fossa_deps = {}    if referenced_deps:        fossa_deps['referenced-dependencies'] = referenced_deps    if custom_deps:        fossa_deps['custom-dependencies'] = custom_deps     return fossa_deps def main():    args = parse_arguments()    packages = load_package_info(args.input_file)    fossa_deps = generate_fossa_deps(packages)     with open('fossa-deps.yml', 'w') as f:        yaml.dump(fossa_deps, f, default_flow_style=False)     print('fossa-deps.yml has been generated.') if __name__ == '__main__':    main()
  3. 3

    Run the script to generate fossa-deps.yml

    Make the script executable and run it against the generated JSON:

    Shell
    chmod +x generate_fossa_deps.py./generate_fossa_deps.py buildroot_deps.json

    This writes a fossa-deps.yml file in the current directory.

  4. 4

    Run the FOSSA analysis

    With fossa-deps.yml in place, analyze your Buildroot dependencies:

    Shell
    fossa analyze

    FOSSA scans the dependencies listed in fossa-deps.yml for license compliance and security vulnerabilities.

  5. 5

    View the results

    Open the FOSSA dashboard, review license compliance and security issues, and address any flagged items.

Troubleshooting

IssueSolution
make show-info failsEnsure Buildroot is properly set up and built before running the command.
fossa analyze does not detect dependenciesCheck that fossa-deps.yml is correctly formatted by inspecting it manually.
Missing license informationBuildroot packages may not always specify a license. Add it manually if known.
© 2026 FOSSA, Inc.support@fossa.com