Contents Cached in FOSSA Object Storage

FOSSA's Data Retention Policies for S3 Object Storage

FOSSA uses object storage to store files that contain license text or copyright headers. These files can come from first-party code or from dependencies.

First-party code can be uploaded to FOSSA in a few ways:

  • FOSSA CLI:
    • Vendored Dependencies:
      • Archive Upload
      • CLI-side license scan with Full-File Upload enabled
    • First-party license scans with Full-File Upload enabled
  • Quick Import:
    • Repository Scanning
    • Archive Upload via the UI

Dependency data can be cached from:

  • Public registries
  • Private registries/artifactory servers
    • (Must be configured in your Organization settings)

Please note that both Archive Upload and Full-File Upload are opt-in features. If proprietary data is uploaded to FOSSA's servers by mistake, or if you would like your data deleted, please reach out to support as soon as possible.

Quick Import Data Retention

Archives uploaded via Quick Import are stored in S3 in their entirety for 30 days.

Files without a license match, including source code, are not stored. Such files are copied to temporary directories during analysis and deleted immediately afterward.

Files with successful license matches are stored in S3. These files are retained indefinitely unless deletion of these files has been requested.

End-users are able to access these stored files by viewing the license matches of projects they have access to.

Data Retention for Vendored Dependencies and First-Party License Scans with Full-File Upload

By default, fossa-cli uploads only the matched snippets for Vendored Dependencies and first-party license scans. If your organization has opted in to Full-File Upload, the following applies instead:

Vendored Dependencies will be zipped, uploaded in their entirety, and stored in S3 for 30 days.

Whether they come from Vendored Dependencies or from first-party license scans, files with successful license matches are stored in S3. These files are retained indefinitely unless their deletion has been requested.

End-users are able to access these stored files by viewing the license matches of projects they have access to.

On-Premises S3 Storage

The retention timeline may differ for an on-prem instance, but the same conditions for which files are stored still apply.

Please reach out to your CSE if you have any questions regarding S3 storage for your on-prem instance.