Dependencies

The Dependencies page has been recently updated and shows you all of the dependencies included for a given FOSSA project. This page can be used to determine exactly how a dependency has been included in a project, find dependency metadata and give developers guidance if they need to remove a dependency.

Dependency Metadata

During component analysis, FOSSA will capture as much information as possible regarding the dependencies used by an analyzed project. Please review the below chart for all potential metadata captured, as well as whether that information is displayed in the dependencies row.

MetadataDescription
Name (title)The name or title of the dependency
VersionThe resolved version of a dependency. Note this may be a commit hash for certain ecosystems rather than a semantic version.
DepthQualitative depth on a dependency's usage. Depth will either be Direct, directly included in your project, or Transitive, transitively included in your project by another dependency,.
Package manager (ecosystem)The package manager, software ecosystem, or in some cases programming language managing the detected package
Package LocatorInternal unique identifier to fully qualify a package or component. Note this is useful information when a package Name/title is used across multiple unique packages or to distinguish public components from private forks.
Origin Path (Direct + Transitive)The filepath to where FOSSA found the dependency for direct dependencies or the filepath to the root/parent direct dependency for all leaf/child transitive dependencies
Dependency Path (Transitive only)For transitive dependencies, the "Dependency Path" is the ordered sequence of dependent components from root to leaf.

Example: My project directly uses dependency jest 18.1.0 which uses dependency jest-cli 18.1.0 which uses dependency node-notifier 4.6.1

My Dependency path for node-notifier 4.6.1 is jest 18.1.0 > jest-cli 18.1.0> node-notifier 4.6.1
Licenses The detected licenses for a component. Licenses with any issues as defined by the project's licensing policy will be highlighted accordingly.
IssuesAny license, security, or quality issues detected by the dependency

Direct Dependencies

Direct Dependencies are directly included in your project. The most common reason is that a developer has actively chosen to use this open-source dependency in their project. These are most often found in project manifest files such as requirements files in Python.

Transitive Dependencies

Transitive dependencies are included in your project as the result of a direct dependency including another dependency. They are often unrecognized by the developer who chose to include the direct dependency and are the result of a direct dependency's developer using other dependencies. In order to determine how these dependencies are included we have created the "View Path" button which appears at the end of the dependency row.

Dependency Status

The above metadata for a dependency will be included if a dependency is successfully analyzed. Each dependency will have one of the following statuses Analyzed, In-progress, Failed or Unknown, described in more detail below:

Analyzed

An analyzed dependency is a dependency that has been successfully downloaded and analyzed by FOSSA. An analyzed dependency will include all applicable dependency metadata.

In-progress Dependencies

In-progress Dependencies have successfully been found by FOSSA and are in the process of being analyzed. Dependencies can be in two possible in-progress statuses:

In-progress StatusesDescription
QueuedFOSSA is waiting for resources to analyze a detected dependency
AnalyzingThe dependency is being analyzed for licenses, transitive dependencies, vulnerabilities, and Quality issues.

Failed Dependencies

From there a Dependency will either be analyzed successfully and include the metadata as described above, or the dependency will fail to analyze.

🚧

Failed Dependency

Failed dependencies are uncommon and there are a few reasons for one to appear. The most likely reason is that FOSSA was unable to download the dependency. File a bug report to [email protected] if you are able to download the dependency yourself and are still unable to determine why the dependency cannot be scanned. Please, first attempt to reanalyze the dependency by selecting "Queue Build". Include the logs found when selecting "View Build" with the bug report.

1388

Failed - This dependency was unable to be analyzed. The option to "Queue Build" will appear on the right which will retry analysis.

Unknown License Dependencies

Dependencies which FOSSA cannot find or access are listed within their respective dependency depth (Direct or Transitive) with unknown license designation: FOSSA was unable to perform a license scan on this dependency. If it's behind a private registry or auth, you may need to configure FOSSA's access and rebuild this project. There are a few reasons why dependencies are listed as unknown and a few things we can do to fix this:

Authentication - The most common reason for this issue is that the dependency is located in a private dependency repository such as Artifactory or Nexus. If you believe this is the cause, navigate to the Languages page and enter authentication for the private repositories you are using.

Incorrect Discovery - If FOSSA discovers an incorrectly formatted dependency in a manifest file, FOSSA will be unable to find its location. Dependencies can also be unknown if internal sub-projects are discovered as dependencies (occasionally seen in gradle and golang projects).

❗️

IMPORTANT

FOSSA will always provide the full detected dependency graph even when unknown license dependencies are detected.

Meaning even if we cannot access that package, thus determine the license, we maintain the dependency relationships and can expose compliance or vulnerability information to accessible downstream packages.

📘

Unknown Dependencies

If you do not believe that either of these cases are the reason for seeing an Unknown Dependency please file a bug report to [email protected] and include as much information as possible.

For help with manually resolving a missing or incomplete dependency, please visit our "Incomplete Dependencies" guide.

Filtering Options

You have multiple filters to refine your search.

Filter Groups

Licenses

Filter TypeDescription
License FilterFilter to dependencies that contain the selected license

Package Managers

Filter TypeDescription
Package ManagerFilter to dependencies detected by a specific ecosystem. Including package managers, private URLs, user-defined, or specific package ecosystems.

Status

Filter TypeDescription
In-progressFilter to dependencies that are either Queued or Analyzing
AnalyzedFilter to dependencies that have successfully completed analysis
FailedFilter to dependencies that have failed analysis
UnknownFilter to dependency that have a status of unknown due to being unable to locate the package

Flagged

Filter TypeDescription
IssuesFilter to dependencies that contain a license, security, or code quality issue

Editing a Dependency

FOSSA lets you easily edit a dependency for your Organization by adding or removing licenses, or even changing metadata. Learn how, in our guide on "Editing a Dependency"

Adding Custom Licenses

If the license you're looking for isn't in our database (perhaps a proprietary third-party license), you can add a custom license by searching for Custom License. First, hover over the dependency with the custom license, and select "View/Edit"

On the window that opens, select "Add a License Group" and type Custom License into the "Select License" box.

Select the option and then enter the license details in the boxes that appear:

Hit "Add" and then "Save Changes." When this dependency is found in projects in the future, this custom license will already be applied.

Notice Files

FOSSA can detect and reproduce Notice files. Notice files are detected by their filename. This detection is independent of their position in the directory tree.

FOSSA will analyze for, case-insensitively, Notice file(s) matching notice.txt or third-party-notices.txt or *_notice.txt.

You can review, edit, and ignore Notice files detected in our database, which will be surfaced in the Notice Files section. First, select the dependency name with the Notice file, or select Edit Package from the action menu.

Review and Edit Notice Files

Select Edit , within the Notice files section, to review the detected Notice file(s). Here you can review or change the raw Notice files text or copyrights that will be used to populate the Attribution reports.

Ignore Notice Files

Select Ignore if you do not want to reproduce the Notice file(s) text or copyrights within your Attribution reports. A user may select Stop Ignoring to return reproducing the Notice files(s) text.

📘

Dependency Corrections

Similarly to other dependency edits (licenses, copyrights, metadata), Notice file(s) edits are scoped to all projects and all versions