Whenever you use open source components, their licenses will require you to give attribution to their authors in specific ways. To comply with these obligations, you can generate compliance documentation automatically using FOSSA.
These documents not only provide fully compliant attribution and copyright notices, but are also useful for a number of events:
- Security vulnerability reviews
- Customer-facing Bill-of-Materials for sales enablement, partnerships or OEMs
- Updated audit reports for due diligence events
To see an example live of how one of our customers uses FOSSA's reports, check out Slack's Desktop Components & Licenses Page.
Software Bill of Materials (SBOM) Generation via CLI
The FOSSA CLI, as of v3.1.5, can also generate SBOM reports. This is useful if you want to automate report generation in your CI pipeline. The FOSSA CLI currently supports two output formats, SPDX and Markdown. To generate a report with the CLI, run the report command after analyzing your project; the --format spdx and --format markdown flags control the output format. Supply the API key from a CI secret rather than committing it to the repository. Example:
export FOSSA_API_KEY=XXXXXXXX
fossa analyze && fossa report attribution --format spdx
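The report written by the command above can be consumed by the same pipeline. The following is an added example, not code from the FOSSA docs or the CLI: a small CI gate that parses an SPDX tag-value attribution report (the standard SPDX 2.x tag names PackageName, PackageVersion, PackageLicenseDeclared, PackageLicenseConcluded, PackageCopyrightText and PackageDownloadLocation are assumed), prints the minimal package plus declared-license listing, and fails the build when a package has no declared license or carries a license from a hypothetical denylist. The sample report embedded in the script is constructed for the example and is not real CLI output.

```python
"""CI gate over an SPDX tag-value attribution report.

Added example, not part of the FOSSA docs or CLI. Assumes an SPDX 2.x
tag-value document such as the one written by:
    fossa report attribution --format spdx > attribution.spdx
The denylist and the embedded sample report are made up for illustration.
"""
import re
import sys

# Hypothetical policy: license identifiers that must never ship in the product.
DENIED_LICENSES = {"GPL-3.0-only", "GPL-3.0-or-later",
                   "AGPL-3.0-only", "AGPL-3.0-or-later"}

# Constructed sample in SPDX tag-value shape; not real CLI output.
SAMPLE_REPORT = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-app

##### Package: lodash

PackageName: lodash
SPDXID: SPDXRef-Package-lodash
PackageVersion: 4.17.21
PackageDownloadLocation: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz
PackageLicenseDeclared: MIT
PackageLicenseConcluded: MIT
PackageCopyrightText: <text>Copyright JS Foundation and other contributors
Based on Underscore.js</text>

##### Package: readline

PackageName: readline
SPDXID: SPDXRef-Package-readline
PackageVersion: 8.2
PackageDownloadLocation: NOASSERTION
PackageLicenseDeclared: GPL-3.0-or-later
PackageLicenseConcluded: NOASSERTION
PackageCopyrightText: NOASSERTION

##### Package: internal-tooling

PackageName: internal-tooling
SPDXID: SPDXRef-Package-internal-tooling
PackageVersion: 0.1.0
PackageDownloadLocation: NOASSERTION
PackageLicenseDeclared: NOASSERTION
PackageLicenseConcluded: NOASSERTION
PackageCopyrightText: NOASSERTION
"""

TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")


def parse_packages(text):
    """Return one {tag: value} dict per package section of the report.

    A package starts at each PackageName tag. Multi-line values are wrapped in
    <text>...</text>, so those continuation lines are joined into the value
    instead of being mistaken for new tags.
    """
    packages, current = [], None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = TAG_RE.match(lines[i])
        i += 1
        if not m:
            continue  # blank lines and comments such as '##### Package: x'
        tag, value = m.group(1), m.group(2)
        if value.startswith("<text>"):
            buf = [value[len("<text>"):]]
            while i < len(lines) and not buf[-1].endswith("</text>"):
                buf.append(lines[i])
                i += 1
            if buf[-1].endswith("</text>"):
                buf[-1] = buf[-1][:-len("</text>")]
            value = "\n".join(buf)
        if tag == "PackageName":
            current = {}
            packages.append(current)
        if current is not None:
            current[tag] = value
    return packages


def check_policy(packages, denied=DENIED_LICENSES):
    """Return (package, reason) findings that should fail the build."""
    findings = []
    for pkg in packages:
        name = f"{pkg.get('PackageName')}@{pkg.get('PackageVersion', '?')}"
        declared = pkg.get("PackageLicenseDeclared", "NOASSERTION")
        concluded = pkg.get("PackageLicenseConcluded", "NOASSERTION")
        if declared == "NOASSERTION":
            findings.append((name, "no declared license: resolve or ignore it in FOSSA"))
        # A license expression may combine ids ("MIT OR Apache-2.0"); split on
        # the SPDX operators and parentheses so every id is checked on its own.
        ids = set()
        for expr in (declared, concluded):
            ids.update(t for t in re.split(r"\s+(?:AND|OR|WITH)\s+|[()]", expr) if t)
        for lic in sorted(ids & denied):
            findings.append((name, f"denied license {lic}"))
    return findings


def render_attribution(packages):
    """Minimal attribution: package, version and declared license per line,
    followed by the copyright notice when the report carries one."""
    out = []
    for pkg in packages:
        out.append(f"{pkg.get('PackageName')} {pkg.get('PackageVersion', '')} - "
                   f"{pkg.get('PackageLicenseDeclared', 'NOASSERTION')}")
        notice = pkg.get("PackageCopyrightText", "NOASSERTION")
        if notice != "NOASSERTION":
            out.extend("    " + line for line in notice.splitlines())
    return "\n".join(out)


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    packages = parse_packages(text)
    print(render_attribution(packages))
    findings = check_policy(packages)
    for name, reason in findings:
        print(f"FAIL {name}: {reason}", file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a pipeline step with the report path as its argument (with no argument it runs on the embedded sample). A non-zero exit blocks the release until the NOASSERTION package is resolved or ignored in FOSSA and the denied license is dealt with, which is the moment the attribution notice is regenerated rather than after the fact.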
Example truncated SPDX report from the FOSSA CLI:
Generating Attributions / Bill of Materials
Visit a project page and navigate to the Reports tab to get to the Project Attribution Tool:
On this page, you can preview what your report will look like. As long as your issues are resolved, FOSSA will generate audit-ready attributions for you to distribute to your users that include raw copyright notices directly from the code.
On the free version, FOSSA will only provide limited versions of all compliance reports. Please contact [email protected] for more details.
Customizing an Attribution Notice/Bill of Materials
Step 1: Select Your Reporting Format
FOSSA supports six different export formats: HTML, Markdown, PDF, CSV, Plain Text, and SPDX.
Not sure what format is right for you?
- If you would like to host your attribution notice on your website, we recommend leveraging our HTML Report
- If you are embedding attribution within documentation or within your source code, we recommend using Plain Text
Step 2: Select the Components of Your Report
FOSSA offers the ability to customize the types of information displayed. Within the Reports tab you can decide whether you want to include:
- Project Declared License: the license of your proprietary project/product.
- License Summary: an overview of all the licenses found in your source code. Note: this is only available through our Repository Scan integrations (GitHub, GitLab).
- Direct Dependencies: A list of all the first level dependencies, explicitly included in your proprietary software.
- Deep Dependencies: A list of all the deep or transitive dependencies included in your project. These are open source packages leveraged by other open source projects you are using.
- Custom Text: This allows you to add text to the header of your report to include things like contact information and links to GPL source code disclosures. Note: this functionality is only available in the HTML format.
Step 3: Select the Open Source Package Information to Include
FOSSA collects information about every open source component including information like the package authors, the package URL, and more. You can customize the information about each open source component by clicking edit dependency information. The following information is available:
| Option | Effect |
|---|---|
| Package | Selecting package displays the name and version of the open source component. |
| Authors | Selecting authors displays the creators of the package. In most cases, this information is pulled from the package registry. |
| Description | Selecting description includes information regarding what the package's functionality is. In most cases, this information is pulled from the package registry. |
| Declared License | Selecting declared licenses includes licenses FOSSA has identified in License and Readme files. |
| Discovered License(s) | Selecting discovered licenses includes all licenses FOSSA has identified. Discovered Licenses also includes any edited licenses. |
| License Header | Selecting license header includes the exact license text FOSSA has identified in the dependency source code. |
| License Template | Selecting license template includes a templated text of the license. |
| Package Manager | Selecting package manager includes the package manager the dependency was sourced from. |
| Package Homepage | Selecting package homepage includes a link to the package's homepage, whether it is a GitHub repo, a stand-alone website, or a page hosted by a package manager. |
| Package Download URL | Selecting package download URL includes a link to the exact dependency version included in your product. Note: this information is not available for all package types. |
| Dependency Paths | Selecting dependency paths includes information displaying how each dependency is being pulled into your codebase. |
| Issue Resolution Notes | Selecting issue resolution notes displays any comments you leave when you review flagged components within FOSSA. |
As a bare minimum, we recommend keeping "Package" and "Declared License" checked for attributions.
Step 4: Publish Your Report
There are two avenues to publishing a FOSSA report:
- You can download the report to your computer
- You can have FOSSA host your reports. Check out Wolters Kluwer for an example!
Keeping Attributions Updated
It's critical to keep compliance documentation up to date. Since modern development moves so quickly, open source attributions can become stale almost immediately after a release.
To keep reports updated, we recommend integrating FOSSA into your development pipeline or enabling recurring updates / scans. That way, a certified attribution will be available not only at each release, but each commit as well.
If you are using FOSSA's hosted reports, they will automatically stay updated with your latest changes and releases. If you are relying on downloaded attributions, you can use our API to fetch the latest file as part of your release process.
Modifying Report Information
Removing a Dependency
In the case that FOSSA identifies an internal or testing library, you may want to remove a dependency from your Bill of Materials or Attribution notice. To remove a dependency from a report:
- Go to the Dependency Tab
- Type the name of the Dependency you need to remove from the report in the search bar
- Click the Ignore icon
Note: Ignoring the dependency also removes any issues associated with it from the project, so only ignore dependencies that genuinely do not ship with your product. You can un-ignore any dependency under project settings.
Enriching Package Metadata
To add additional information to your components such as an updated author's list or to add an internal description:
- Go to the Dependency Tab
- Search for the Dependency
- Click View/Edit
Note: This only updates the dependency within the project, not across your entire portfolio.
Enter the updated description and/or modify the authors and click save.
Editing the License
To edit a license, click Edit next to the license in question. From here you can:
- Select View to see the files that triggered the license identification.
- Select Change to update the name of the license.
- Select Delete to remove this license from this dependency.
Editing Copyright Data or Full License Text
To update the copyright information or display customized license text:
- Click Add Raw Text
- Add the new Copyright or License text you'd like the report to display
- Click Save
Adding a License to the Full License List
If there is another License you need to append to the Full License List:
- Go to the licenses tab
- Click Add
- Enter in the license name
- Customize any copyright information and the license text URL by entering custom text, or keep the default license template
- Click Confirm
For more questions please contact [email protected]