Dependencies

The Dependencies page shows you all of the dependencies included for a given project that has been uploaded to FOSSA. This page can be used to determine exactly how a dependency has been included in a project and give developers guidance if they need to remove a transitive dependency.

Direct Dependencies

Direct Dependencies are directly included in your project. The most common reason is that a developer has actively chosen to use this open-source dependency in their project. These are most often found in project manifest files such as requirements files in Python.

Transitive Dependencies

Transitive dependencies are included in your project as the result of a direct dependency including another dependency. They are often unrecognized by the developer who chose to include the direct dependency, because they were chosen by the direct dependency's own developer. To determine how these dependencies are included, we have created the "Path" button, which appears when your mouse moves over a dependency:

The Paths button appears on the right side which makes the Relationships view appear.

The Relationships tab shows a user all of the ways the deep dependency was included in the project. This allows you to trace the path back to the direct dependency which was chosen for the project.
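As an added example (not part of the FOSSA docs or product), the direct/transitive split and the path tracing the Relationships view performs can be computed on a small constructed dependency graph; the package names below are illustrative only:

```python
# Added example, not FOSSA's own code: classify dependencies by depth and
# trace every inclusion path from the project back to a deep dependency.
from collections import deque

# Constructed sample graph: each key lists the packages it declares as
# dependencies. "my-project" is the uploaded project itself.
SAMPLE_GRAPH = {
    "my-project": ["requests", "flask"],
    "requests": ["urllib3", "certifi"],
    "flask": ["werkzeug", "jinja2"],
    "werkzeug": ["markupsafe"],
    "jinja2": ["markupsafe"],
    "urllib3": [],
    "certifi": [],
    "markupsafe": [],
}


def classify(graph, root):
    """Return (direct, transitive): direct deps are the root's own
    declarations; transitive deps are everything else reachable from them."""
    direct = set(graph.get(root, []))
    transitive = set()
    queue, seen = deque(direct), set(direct)
    while queue:
        pkg = queue.popleft()
        for child in graph.get(pkg, []):
            if child not in seen:
                seen.add(child)
                queue.append(child)
            if child not in direct:
                transitive.add(child)
    return direct, transitive


def inclusion_paths(graph, root, target):
    """All paths root -> ... -> target, like the Relationships view.
    Element [1] of each path is the direct dependency that pulls target in."""
    paths = []

    def dfs(node, path):
        if node == target:
            paths.append(path)
            return
        for child in graph.get(node, []):
            if child not in path:  # skip cycles
                dfs(child, path + [child])

    dfs(root, [root])
    return paths


def direct_deps_pulling_in(graph, root, target):
    """Direct dependencies that would all need removing to drop target."""
    return sorted({p[1] for p in inclusion_paths(graph, root, target) if len(p) > 1})
```

The last function answers the question the page raises: which direct dependency a developer must remove or replace to get rid of a transitive one.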

Unknown License Dependencies

Dependencies which FOSSA cannot find or access are listed within their respective dependency depth (Direct or Transitive) with an unknown license designation, and the following message: "FOSSA was unable to perform a license scan on this dependency. If it's behind a private registry or auth, you may need to configure FOSSA's access and rebuild this project." There are a few reasons why dependencies are listed as unknown and a few things we can do to fix this:

Authentication - The most common reason for this issue is that the dependency is located in a private dependency repository such as Artifactory or Nexus. If you believe this is the cause, navigate to the Languages page and enter authentication for the private repositories you are using.

Incorrect Discovery - If FOSSA discovers an incorrectly formatted dependency in a manifest file, FOSSA will be unable to find its location. Dependencies can also be unknown if internal sub-projects are discovered as dependencies (occasionally seen in gradle and golang projects).

IMPORTANT

FOSSA will always provide the full detected dependency graph even when unknown license dependencies are detected.

This means that even if we cannot access a package, and therefore cannot determine its license, we still maintain its dependency relationships and can expose compliance or vulnerability information for the accessible downstream packages.

Unknown Dependencies Bug

If you do not believe that either of these cases are the reason for seeing an Unknown Dependency please file a bug report to [email protected] and include as much information as possible.

In-progress Dependencies

In-progress Dependencies have successfully been found by FOSSA and are in the process of being analyzed. Dependencies can be in four possible states as they progress from being in-progress to complete:

Queued - The dependency has been found and FOSSA is waiting for resources to analyze it.

Analyzing - The dependency is being analyzed for licenses and transitive dependencies. The dependency will become a Direct or Transitive Dependency if this succeeds, otherwise it will be listed as Failed.

Failed - This dependency was unable to be analyzed. The option to "Queue Build" will appear on the right which will retry analysis.

Analyzed/Success - This dependency has been successfully analyzed and FOSSA will display any applicable license compliance, vulnerability, and code quality detections.

Failed Dependency Bug

Failed dependencies are uncommon, and there are a few reasons for one to appear. The most likely reason is that FOSSA was unable to download the dependency. First, attempt to reanalyze the dependency by selecting "Queue Build". If you are able to download the dependency yourself and are still unable to determine why it cannot be scanned, file a bug report to [email protected] and include the logs found when selecting "View Build".

For help with manually resolving a missing or incomplete dependency, please visit our "Incomplete Dependencies" guide.

Filtering Options

You have multiple filters to refine your search.

Filter Groups

License

Filter Type      Description
License Filter   Filter to dependencies that contain the selected license

Source

Filter Type      Description
Ticketed         Filter to dependencies detected by a specific source, including package managers, private URLs, user-defined dependencies, or specific package ecosystems.

Status

Filter Type      Description
In-progress      Filter to dependencies that are either Queued or Analyzing
Analyzed         Filter to dependencies that have successfully completed analysis
Failed           Filter to dependencies that have failed analysis

Flagged

Filter Type      Description
Flagged          Filter to dependencies that contain a license, security, or code quality issue

Editing a Dependency

FOSSA lets you easily edit a dependency for your Organization by adding or removing licenses, or even changing metadata. Learn how in our guide on "Editing a Dependency".

Adding Custom Licenses

If the license you're looking for isn't in our database (perhaps a proprietary third-party license), you can add a custom license by searching for Custom License. First, hover over the dependency with the custom license and select "View/Edit".

On the window that opens, select "Add a License Group" and type Custom License into the "Select License" box.

Select the option and then enter the license details in the boxes that appear:

Hit "Add" and then "Save Changes." When this dependency is found in projects in the future, this custom license will already be applied.