Whenever you use open source components, their licenses typically require you to credit the authors in specific ways. To comply with these obligations, you can generate compliance documentation automatically using FOSSA.
These documents not only provide compliant attribution and copyright notices, but are also useful for a number of events:
- Security vulnerability reviews
- Customer-facing Bill-of-Materials for sales enablement, partnerships or OEMs
- Updated audit reports for due diligence events
To see a live example of how one of our customers uses FOSSA's reports, check out Docker's Components & Licenses Page.
The FOSSA CLI, as of v3.1.5, can also generate SBOM reports. This is useful if you want to automate report generation in your CI pipeline. The FOSSA CLI currently supports two formats, SPDX and Markdown. To generate a report with the FOSSA CLI, run an additional report command after analyzing your project; the --format flag (spdx or markdown) controls the output format. Example:
export FOSSA_API_KEY=XXXXXXXX
fossa analyze && fossa report attribution --format spdx
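The two-step flow above, wrapped as a CI gate, as an added example that is not FOSSA's own code: it runs the analysis and report commands, then refuses to let the pipeline continue if the SPDX output has no SPDXVersion header or lists no packages. The output file name, the constructed sample report, and the --run guard are assumptions for illustration; the fossa commands and format names are the ones documented above.

```shell
#!/bin/sh
# Added example (not FOSSA's own code): a CI step that generates an SPDX
# attribution report with the FOSSA CLI and fails the build if the report is
# empty or malformed. Assumes fossa-cli >= 3.1.5 is on PATH and that
# FOSSA_API_KEY is already exported in the CI environment.
set -eu

# Run analysis, then the report command (the two-step flow described above).
# $1 = format (spdx or markdown), $2 = output file.
generate_attribution() {
    fossa analyze
    fossa report attribution --format "$1" > "$2"
}

# Minimal sanity check for an SPDX tag-value report: it must carry an
# SPDXVersion header and list at least one PackageName. Prints the package
# count on success and returns non-zero otherwise, so the pipeline step fails.
check_spdx_report() {
    file="$1"
    if ! grep -q '^SPDXVersion:' "$file"; then
        echo "$file: missing SPDXVersion header" >&2
        return 1
    fi
    # grep -c exits 1 when the count is 0; keep the "0" and decide below.
    count=$(grep -c '^PackageName:' "$file" || true)
    if [ "$count" -lt 1 ]; then
        echo "$file: no packages listed" >&2
        return 1
    fi
    echo "$count"
}

# Constructed sample of what a truncated SPDX tag-value report looks like,
# so the check can be exercised without a FOSSA account. Not real output.
write_sample_report() {
    cat > "$1" <<'EOF'
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-app
Creator: Tool: fossa-cli

PackageName: lodash
SPDXID: SPDXRef-Package-lodash
PackageVersion: 4.17.21
PackageLicenseDeclared: MIT

PackageName: express
SPDXID: SPDXRef-Package-express
PackageVersion: 4.18.2
PackageLicenseDeclared: MIT
EOF
}

# In CI: ./attribution.sh --run   (only meaningful where the fossa binary exists).
if [ "${1:-}" = "--run" ]; then
    generate_attribution spdx attribution.spdx
    check_spdx_report attribution.spdx
fi
```

Because check_spdx_report returns non-zero on a bad report, a CI runner with `set -e` (or the script's own `--run` branch) stops before the report is published or attached to a release artifact.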
Example truncated SPDX report from the FOSSA CLI:
Visit a project page and navigate to the Reports tab to get to the Project Attribution Tool:
On this page, you can preview what your report will look like. As long as your issues are resolved, FOSSA will generate audit-ready attributions for you to distribute to your users that include raw copyright notices directly from the code.
On the free version, FOSSA will only provide limited versions of all compliance reports. Please contact [email protected] for more details.
FOSSA supports six different export formats: HTML, Markdown, PDF, CSV, Plain Text, and SPDX.
Not sure what format is right for you?
- If you would like to host your attribution notice on your website, we recommend leveraging our HTML Report
- If you are embedding attribution within documentation or within your source code, we recommend using Plain Text
FOSSA offers the ability to customize the types of information displayed. Within the Reports tab you can decide whether you want to include:
- Project Declared License: the license of your proprietary project/product.
- License Summary: an overview of all the licenses found in your source code. Note: this is only available through our Repository Scan integrations (GitHub, GitLab).
- Direct Dependencies: A list of all the first level dependencies, explicitly included in your proprietary software.
- Deep Dependencies: A list of all the deep or transitive dependencies included in your project. These are open source packages leveraged by other open source projects you are using.
- Custom Text: This allows you to add text to the header of your report to include things like contact information and links to GPL source code disclosures. Note: this functionality is only available in the HTML format.
FOSSA collects information about every open source component, including the package authors, the package URL, and more. You can customize the information shown for each open source component by clicking edit dependency information. The following fields are available:
- Package: the name and version of the open source component.
- Authors: the creators of the package. In most cases, this information is pulled from the package registry.
- Description: what the package's functionality is. In most cases, this information is pulled from the package registry.
- Declared Licenses: licenses FOSSA has identified in License and Readme files.
- Discovered Licenses: all licenses FOSSA has identified, including any licenses you have edited.
- License Header: the exact license text FOSSA has identified in the dependency's source code.
- License Template: templated text of the license.
- Package Manager: the package manager the dependency was sourced from.
- Package Homepage: a link to the package's homepage, whether it is a GitHub repo, a stand-alone website, or a page hosted by a package manager.
- Package Download URL: a link to the exact dependency version included in your product. Note: this information is not available for all package types.
- Dependency Paths: how each dependency is being pulled into your codebase.
- Issue Resolution Notes: any comments you leave when you review flagged components within FOSSA.
As a bare minimum, we recommend keeping "Package" and "Declared License" checked for attributions.
There are two avenues to publishing a FOSSA report:
- You can download the report to your computer
- You can have FOSSA host your reports. Check out Wolters Kluwer for an example!
It's critical to keep compliance documentation up to date. Since modern development moves so quickly, open source attributions can become stale almost immediately after a release.
To keep reports updated, we recommend integrating FOSSA into your development pipeline or enabling recurring updates / scans. That way, a certified attribution will be available not only at each release, but each commit as well.
If you are using FOSSA's hosted reports, they will automatically stay updated with your latest changes and releases. If you are relying on downloaded attributions, you can use our API to fetch the latest file as part of your release process.
If FOSSA identifies an internal or testing library, you may want to remove that dependency from your Bill of Materials or attribution notice. To remove a dependency from a report:
- Go to the Dependency Tab
- Type the name of the Dependency you need to remove from the report in the search bar
- Click the Ignore icon
Note: Ignoring the dependency also removes any issues associated with the dependency. You can un-ignore any dependency under project settings.
To add information to a component, such as an updated list of authors or an internal description:
- Go to the Dependency Tab
- Search for the Dependency
- Click View/Edit
- Enter the updated description and/or modify the authors, then click Save
Note: This only updates the dependency within the project, not across your entire portfolio.
To edit a license, click Edit next to the license in question. From there you can:
- Select View to see the files that triggered the license identification.
- Select Change to update the name of the license.
- Select Delete to remove this license from this dependency.
To update the copyright information or display customized license text:
- Click Add Raw Text
- Add the new Copyright or License text you'd like the report to display
- Click Save
If there is another license you need to append to the Full License List:
- Go to the Licenses tab
- Click Add
- Enter the license name
- Customize the copyright information and the license text URL by entering custom text, or keep the default license template
- Click Confirm
For further questions, please contact [email protected]