Incomplete Dependencies

In the case of a missing or unknown dependency in your project, you can manually resolve the issue by providing an archive for FOSSA to scan.

This can be done one of two ways, depending on your needs:
1. Overwriting an Incomplete Dependency
2. Adding a New Dependency

Overwriting an Incomplete Dependency

If your project's analysis has finished, and you have a section in the dependencies tab titled "Incomplete Dependencies" that means FOSSA was unable to resolve, or locate, the named dependency.

1175

This can be manually corrected by clicking the "Overwrite" button on the right-hand side of the screen and filling in the appropriate data.

You can do so, by following these steps:

  1. Navigate to the dependency's homepage, and find an archive of the source files for your matching version.
    • In this example, we'll use the first incomplete dependency from our list, "tensorboard"

      πŸ“˜

      Tips

      • Using the URL is the preferred method here - it tends to be faster and will allow the incomplete dependency to become resolved for this project.
      • You can typically find a compressed version of the source from the "Releases" or "Tags" on a project's GitHub Page.
      • When using a PyPI dependency, you can also use the URL to the .whl file if no source is available.
711

Above, you can see that I've found tensorboard's homepage on GitHub, and located the .zip for my version - 2.11.2

  1. Be sure to copy the description and homepage for the dependency. You'll be able to view this metadata in the FOSSA web app, and it may prove useful in the future.
  2. Once you've finished your data entry, select "Overwrite" and the modal will close.
  3. At this point, your page should refresh and your build should be queued:
1158
  1. In a moment, your dependency will begin analysis:
1156

Tip: If you'd like to view the progress of your analysis, you can select "View Build" and then "View" in the LOGS column.

  1. Once the Analysis has finished, your overwritten dependency should have been moved to the top of the dependencies list, and is denoted by a blue "Manual Dependency" tag.
1151

As you can see above, I've added a handful of dependencies for this example, and have fewer Incomplete Dependencies after overwriting tensorboard.

Adding a New Dependency

The process for adding a new dependency is very similar to overwriting one, but there are slight differences in the UI and how it affects your project.

  1. To add a new dependency, start by selecting the "Add Dependency" button available at the top of the "Dependencies" tab:
  1. After clicking "Add a Dependency" a modal should appear. You can either Upload an Archive directly, search for a package across the web, create a dependency from scratch, or point to a URL that contains an archive. - In this case, I'll be using the URL.
  1. In the modal, you should fill out the fields as completely as you can, this information will be viewable from the Web UI after the dependency has been added to your Project. Above, you'll see I've found the appropriate GitHub release for the dependency torch.

    πŸ“˜

    Tips

    • Using the URL is the preferred method here - it is tends to be faster than uploading the archive yourself.
    • You can typically find a compressed version of the source from the "Releases" or "Tags" on a project's GitHub Page.
    • When using a PyPI dependency, you can also use the URL to the .whl file if no source is available.
  2. After you've finished, you can click "Add" in the bottom right of the modal, and your dependency will be added to your project, get queued, and finally be analyzed:
\*Note that there are two versions of `torch` here. this is because when **adding** a dependency, it does not associate itself with an existing incomplete dependency. To remove the incomplete dependency, please refer to [Overwriting an Incomplete Dependency](https://docs.fossa.com/docs/overwriting-an-incomplete-dependency#overwriting-an-incomplete-dependency)

*Note that there are two versions of torch here. this is because when adding a dependency, it does not associate itself with an existing incomplete dependency. To remove the incomplete dependency, please refer to Overwriting an Incomplete Dependency

  1. You can see below that torch has been added, and the existing "Incomplete" version, remains.