Generating Attributions

Whenever you use open source components, their licenses will require you to give attribution to their authors in specific ways. To comply with these obligations, you can generate compliance documentation automatically using FOSSA.

These documents not only disclose fully-compliant attribution and copyright notices, but are also useful for a number of events:

  1. Security vulnerability reviews
  2. Customer-facing Bill-of-Materials for sales enablement, partnerships or OEMs
  3. Updated audit reports for due diligence events

To see an example live of how one of our customers uses FOSSA's reports, check out Slack's Desktop Components & Licenses Page.

Software Bill of Material (SBOM) Generation via CLI

The FOSSA CLI, as of v3.1.5, is also capable of generating SBOM reports. This can be useful if you want to automate report generation in your CI pipeline. The FOSSA CLI currently supports four different formats: JSON, SPDX, markdown, and text. In order to generate a report with the FOSSA CLI you will need to run an additional report command after analyzing your project. The --format flag takes json, spdx, markdown, or text and controls the output format. Example:

export FOSSA_API_KEY=XXXXXXXX
fossa analyze && fossa report attribution --format spdx
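As an added example (not from the FOSSA docs), the two documented commands wrapped in a small POSIX shell script for a CI release step: it refuses to run without FOSSA_API_KEY, rejects formats the CLI does not support, writes one file per requested format, and fails if a report comes back empty. The file extensions, the output directory layout, the project name "myapp" and the assumption that `fossa report attribution` writes to stdout are this script's own, not FOSSA's.

```shell
#!/bin/sh
# Added example wrapping: fossa analyze && fossa report attribution --format <fmt>
# Formats json, spdx, markdown, text and the --format flag are documented;
# file extensions and output layout are this script's convention.
set -eu

# Map a report format to a file extension. Prints the extension and
# returns 0, or returns 1 for a format the CLI does not support.
report_extension() {
  case "$1" in
    json)     echo "json" ;;
    spdx)     echo "spdx" ;;
    markdown) echo "md" ;;
    text)     echo "txt" ;;
    *)        return 1 ;;
  esac
}

# Build the output path for <project> <format> <outdir>, e.g.
# out/myapp-attribution.spdx. Returns 1 on an unsupported format.
report_path() {
  ext=$(report_extension "$2") || return 1
  printf '%s/%s-attribution.%s\n' "$3" "$1" "$ext"
}

# Run the documented pipeline: analyze once, then emit each requested format.
# Fails loudly when FOSSA_API_KEY is missing so a misconfigured CI job does
# not silently ship a release without attributions.
generate_attributions() {
  project="$1"; outdir="$2"; shift 2
  : "${FOSSA_API_KEY:?FOSSA_API_KEY must be set (CI secret)}"
  mkdir -p "$outdir"
  fossa analyze
  for fmt in "$@"; do
    out=$(report_path "$project" "$fmt" "$outdir")
    # Assumption: the CLI prints the report to stdout.
    fossa report attribution --format "$fmt" > "$out"
    # An empty file means the report step failed without a usable result.
    [ -s "$out" ] || { echo "empty report: $out" >&2; return 1; }
  done
}

# Release-job usage (project name "myapp" is a constructed placeholder):
#   generate_attributions myapp out spdx json
```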

Example truncated SPDX report from the FOSSA CLI:

Generating Attributions / Bill of Materials

Visit a project page and navigate to the Reports tab to get to the Project Attribution Tool:

On this page, you can preview what your report will look like. As long as your issues are resolved, FOSSA will generate audit-ready attributions for you to distribute to your users that include raw copyright notices directly from the code.

Premium Feature

On the free version, FOSSA will only provide limited versions of all compliance reports. Please contact [email protected] for more details.

Customizing an Attribution Notice/Bill of Materials

Step 1: Select Your Reporting Format

FOSSA supports six different export formats: HTML, Markdown, PDF, CSV, Plain Text, and SPDX.

Not sure what format is right for you?

  • If you would like to host your attribution notice on your website, we recommend leveraging our HTML Report
  • If you are embedding attribution within documentation or within your source code, we recommend using Plain Text

Step 2: Select the Components of Your Report

FOSSA offers the ability to customize the types of information displayed. Within the Reports tab you can decide whether you want to include:

  • Project Declared License: the license of your proprietary project/product.
  • License Summary: an overview of all the licenses found in your source code. Note: this is only available through our Repository Scan integrations (GitHub, GitLab).
  • Direct Dependencies: A list of all the first level dependencies, explicitly included in your proprietary software.
  • Deep Dependencies: A list of all the deep or transitive dependencies included in your project. These are open source packages leveraged by other open source projects you are using.
  • Custom Text: This allows you to add text to the header of your report to include things like contact information and links to GPL source code disclosures. Note: this functionality is only available in the HTML format.

Step 3: Select the Open Source Package Information to Include

FOSSA collects information about every open source component including information like the package authors, the package URL, and more. You can customize the information about each open source component by clicking edit dependency information. The following information is available:

  • Package: displays the name and version of the open source component.
  • Authors: displays the creators of the package. In most cases, this information is pulled from the package registry.
  • Description: includes information regarding what the package's functionality is. In most cases, this information is pulled from the package registry.
  • Declared License: includes licenses FOSSA has identified in License and Readme files.
  • Discovered License(s): includes all licenses FOSSA has identified. Discovered Licenses also includes any edited licenses.
  • License Header: includes the exact license text FOSSA has identified in the dependency source code.
  • License Template: includes a templated text of the license.
  • Package Manager: includes the package manager the dependency was sourced from.
  • Package Homepage: includes a link to the package's homepage, whether it is a GitHub repo, a stand-alone website, or hosted by a package manager.
  • Package Download URL: includes a link to the exact dependency version included in your product. Note: this information is not available for all package types.
  • Dependency Paths: includes information displaying how each dependency is being pulled into your codebase.
  • Issue Resolution Notes: displays any comments you leave when you review flagged components within FOSSA.

Recommended: as a bare minimum, we recommend keeping "Package" and "Declared License" checked for attributions.

Step 4: Publish Your Report

There are two avenues to publishing a FOSSA report:

  • You can download the report to your computer
  • You can have FOSSA host your reports. Check out Wolters Kluwer for an example!

Keeping Attributions Updated

It's critical to keep compliance documentation up to date. Since modern development moves so quickly, open source attributions can become stale almost immediately after a release.

To keep reports updated, we recommend integrating FOSSA into your development pipeline or enabling recurring updates / scans. That way, a certified attribution will be available not only at each release, but each commit as well.

If you are using FOSSA's hosted reports, they will automatically stay updated with your latest changes and releases. If you are relying on downloaded attributions, you can use our API to fetch the latest file as part of your release process.

Modifying Report Information

Removing a Dependency

In the case that FOSSA identifies an internal or testing library, you may want to remove a dependency from your Bill of Materials or Attribution notice. To remove a dependency from a report:

  1. Go to the Dependency Tab
  2. Type the name of the Dependency you need to remove from the report in the search bar
  3. Click the Ignore icon

Note: Ignoring the dependency also removes any issues associated with the dependency. You can un-ignore any dependency under project settings.

Enriching Package Metadata

To add additional information to your components such as an updated author's list or to add an internal description:

  1. Go to the Dependency Tab
  2. Search for the Dependency
  3. Click View/Edit

Note: This only updates the dependency within the project, not across your entire portfolio.

Editing Description/Authors

Enter the updated description and/or modify the authors and click save.

Editing the License

To edit a license, click Edit next to the license in question. From here you can:

  1. Select View to see the files that triggered the license identification.
  2. Select Change to update the name of the license.
  3. Select Delete to remove this license from this dependency.

Editing Copyright Data or Full License Text

To update the copyright information or display customized license text:

  1. Click Add Raw Text
  2. Add the new Copyright or License text you'd like the report to display
  3. Click Save

Adding a License to the Full License List

If there is another License you need to append to the Full License List:

  1. Go to the Licenses tab
  2. Click Add
  3. Enter the license name
  4. Customize any copyright information and the license text URL by entering custom text, or use the default license templates by clicking Confirm.
  5. Click Confirm

Custom Licenses

When adding a custom license or correcting an existing license, you will be prompted with the option to provide a name for the custom license. When provided, this name will appear in reports in place of custom-license.

For more questions please contact [email protected]