Generating Attributions

Whenever you use open source components, their licenses will require you to give attribution to their authors in specific ways. To comply with these obligations, you can generate compliance documentation automatically using FOSSA.

These documents not only disclose fully-compliant attribution and copyright notices, but are useful for a number of events:

  1. Security vulnerability reviews
  2. Customer-facing Bill-of-Materials for sales enablement, partnerships or OEMs
  3. Updated audit reports for due diligence events

To see a live example of how one of our customers uses FOSSA's reports, check out Docker's Components & Licenses Page.

Generating Attributions / Bill of Materials

Visit a project page and navigate to the Reports tab to get to the Project Attribution Tool:

On this page, you can preview what your report will look like. As long as your issues are resolved, FOSSA will generate audit-ready attributions for you to distribute to your users that include raw copyright notices directly from the code.

Premium Feature

On the free version, FOSSA will only provide limited versions of all compliance reports.

Customizing an Attribution Notice/Bill of Materials

Step 1: Select Your Reporting Format

FOSSA supports six different export formats: HTML, Markdown, PDF, CSV, Plain Text, and SPDX.

Not sure what format is right for you?

  • If you would like to host your attribution notice on your website, we recommend leveraging our HTML Report
  • If you are embedding attribution within documentation or within your source code, we recommend using Plain Text

Step 2: Select the Components of Your Report

FOSSA offers the ability to customize the types of information displayed. Within the Reports tab you can decide whether you want to include:

  • Project Declared License: the license of your proprietary project/product
  • License Summary: an overview of all the licenses found in your source code. Note: this is only available through our Repository Scan integrations (GitHub, GitLab)
  • Direct Dependencies: A list of all the first level dependencies, explicitly included in your proprietary software
  • Deep Dependencies: A list of all the deep or transitive dependencies included in your project. These are open source packages leveraged by other open source projects you are using
  • Custom Text: This allows you to add text to the header of your report to include things like contact information and links to GPL source code disclosures. Note: this functionality is only available in the HTML format

Step 3: Select the Open Source Package Information to Include

FOSSA collects information about every open source component, including details such as the package authors, the package URL, and more. You can customize the information shown for each open source component by clicking Edit Dependency Information. The following properties are available:

  • Package: displays the name and version of the open source component
  • Authors: displays the creators of the package. In most cases, this information is pulled from the package registry
  • Description: includes information about what the package's functionality is. In most cases, this information is pulled from the package registry
  • Declared License: includes licenses FOSSA has identified in License and Readme files
  • Discovered License(s): includes all licenses FOSSA has identified. Discovered Licenses also includes any edited licenses
  • License Header: includes the exact license text FOSSA has identified in the dependency source code
  • License Template: includes a templated text of the license
  • Package Manager: includes the package manager the dependency was sourced from
  • Package Homepage: includes a link to the package's homepage, whether it is a GitHub repository, a stand-alone website, or a page hosted by a package manager
  • Package Download URL: includes a link to the exact dependency version included in your product. Note: this information is not available for all package types
  • Dependency Paths: includes information displaying how each dependency is being pulled into your codebase
  • Issue Resolution Notes: displays any comments you leave when you review flagged components within FOSSA

Recommended: as a bare minimum, we recommend keeping "Package" and "Declared License" checked for attributions.

Step 4: Publish Your Report

There are two avenues to publishing a FOSSA report:

  • You can download the report to your computer
  • You can have FOSSA host your reports. Check out Wolters Kluwer for an example!

Keeping Attributions Updated

It's critical to keep compliance documentation up to date. Since modern development moves so quickly, open source attributions can become stale almost immediately after a release.

To keep reports updated, we recommend integrating FOSSA into your development pipeline or enabling recurring updates / scans. That way, a certified attribution will be available not only at each release, but each commit as well.

If you are using FOSSA's hosted reports, they will automatically stay updated with your latest changes and releases. If you are relying on downloaded attributions, you can use our API to fetch the latest file as part of your release process.

Modifying Report Information

Removing a Dependency

In the case that FOSSA identifies an internal or testing library, you may want to remove a dependency from your Bill of Materials or Attribution notice. To remove a dependency from a report:

  1. Go to the Dependency Tab
  2. Search for the Dependency you need to remove from the report by name
  3. Click the Ignore icon

Note: Ignoring the dependency also removes any issues associated with the dependency. You can un-ignore any dependency under project settings.

Enriching Package Metadata

To add information to your components, such as an updated authors list or an internal description:

  1. Go to the Dependency Tab
  2. Search for the Dependency
  3. Click View/Edit

Note: This only updates the dependency within the project, not across your entire portfolio.

Editing Description/Authors

Enter the updated description and/or modify the authors, then click Save.

Editing the License

To edit a license, click Edit next to the license in question. From there you can:

  1. Select View to see the files that triggered the license identification
  2. Select Change to update the name of the license
  3. Select Delete to remove this license from this dependency

Editing Copyright Data or Full License Text

To update the copyright information or display customized license text:

  1. Click Add Raw Text
  2. Add the new Copyright or License text you'd like the report to display
  3. Click Save

Adding a License to the Full License List

If there is another license you need to append to the Full License List:

  1. Go to the Licenses tab
  2. Click Add
  3. Enter the license name
  4. Customize any copyright information as well as the license text URL by entering customized text, or use the default license templates
  5. Click Confirm

For more questions please contact [email protected]

Updated 10 months ago
