Dependencies

Inspect every dependency FOSSA detected, metadata, license status, filter options, custom licenses, and notice files.

5 min readUpdated Jul 9, 2026

Overview

The Inventory tab in a FOSSA project has three sub-tabs:

  • Dependencies: every direct and transitive component included in the analysis (this page)
  • Snippets: code snippets detected by Snippet Scanning
  • Vendored: vendored code detected by the Vendored Dependencies scan

(Snippets and Vendored are part of the Enterprise plan.)

This page covers the Dependencies sub-tab. Use it to understand how a dependency was introduced, review its license status, and correct any missing or incorrect data before generating reports.

Dependency metadata

For each detected dependency, FOSSA captures the following:

FieldDescription
NameThe name or title of the dependency
VersionThe resolved version. May be a commit hash for ecosystems that don't use semantic versioning.
DepthDirect, explicitly included in your project; Transitive, pulled in by another dependency
Package managerThe ecosystem, package manager, or programming language managing the package
Package LocatorFOSSA's internal unique identifier for the component. Useful when the same package name exists across multiple ecosystems or when distinguishing public packages from private forks.
Origin PathFor direct dependencies: the file path where FOSSA found it. For transitive dependencies: the path to the root direct dependency.
Dependency PathFor transitive dependencies only, the ordered chain from the root direct dependency to the leaf. Example: jest 18.1.0jest-cli 18.1.0node-notifier 4.6.1
LicensesDetected licenses. Licenses that conflict with the project's policy are highlighted.
IssuesAny license, security, or quality issues detected on the dependency
Dependencies table showing direct dependencies with columns for name, version, depth, licenses, and issues

Unknown license dependencies

When FOSSA cannot access a dependency to scan it, the dependency appears with the message: FOSSA was unable to perform a license scan on this dependency. If it's behind a private registry or auth, you may need to configure FOSSA's access and rebuild this project.

The two most common causes:

Private registry authentication: the dependency lives in a private repository such as Artifactory or Nexus. Navigate to Settings → Languages and add authentication for the private registries you use.

Incorrect discovery: FOSSA found an incorrectly formatted entry in a manifest file, or detected an internal sub-project as a dependency (common in Gradle and Go projects).

Warning

FOSSA maintains the complete dependency graph even when individual packages cannot be accessed. Compliance and vulnerability information for accessible downstream packages is still surfaced correctly.

Note

If neither of the above explains your unknown dependency, contact support@fossa.com with as much detail as possible.

For help resolving missing or incomplete dependencies, see Incomplete and Unknown Dependencies.

Filtering

Licenses

Filter to dependencies that contain a specific detected license.

Package Managers

Filter to dependencies detected by a specific ecosystem, package manager, private URL, or user-defined source.

Status

OptionShows
In ProgressDependencies currently being analyzed
AnalyzedDependencies that completed analysis successfully
FailedDependencies that encountered an analysis error
UnknownDependencies FOSSA could not locate

Flagged

Filter to dependencies that have at least one active license, security, or quality issue.

Dependency actions

There are two ways to interact with a dependency.

Three-dot menu

Hover over a dependency row and click the three-dot menu to access:

ActionDescription
Overwrite packageOpens a dialog to replace this dependency with a different one. You can search for a package in FOSSA's database, upload a package binary, or manually create an entry with your own package info.
Copy locatorCopies the dependency's internal FOSSA locator to the clipboard, useful for searching and API calls.

Clicking a dependency

Click anywhere on a dependency row to open the dependency drawer, which has three sections:

SectionWhat you can do
DetailsView and edit dependency metadata
LicensesAdd, change, or remove license information
IgnoreIgnore this dependency, removing it from compliance checks and suppressing its issues

Adding a custom license

If a dependency uses a license that isn't in FOSSA's database (such as a proprietary third-party license) you can add it as a custom license directly on the dependency.

  1. 1

    Open the dependency

    Click anywhere on the dependency row to open the dependency drawer.

  2. 2

    Add a license group

    Select Add a license group, then search for Custom License in the License Name dropdown and select it.

    Add License drawer showing License Name, License Text, and Copyrights fields
  3. 3

    Enter the license details

    Fill in the custom license name and any additional details (license text, copyright) in the fields that appear.

    Add License drawer with Custom License selected and name, text, and copyright fields filled in
  4. 4

    Save

    Select Add to add the license group, then save your changes.

    Dependency Licenses tab showing the saved custom license with Approved status

    When this dependency appears in future project scans, the custom license will already be applied.

For broader dependency editing (changing metadata, concluding a license, updating copyright) see License Corrections.

Notice files

FOSSA detects notice files by filename, case-insensitively and regardless of where they appear in the directory tree. Files matching the following patterns are detected:

  • notice.txt
  • third-party-notices.txt
  • *_notice.txt

Note

The notice file patterns listed above come from the legacy documentation and have not been verified against the current backend. If you encounter detection gaps, contact support@fossa.com.

Detected notice files appear in the Notice Files section of the dependency detail view.

Reviewing and editing notice files

Click anywhere on the dependency row to open it, then select Edit within the Notice Files section. From here you can review and modify the raw notice text and copyright data that will appear in attribution reports.

Ignoring notice files

Select Ignore to exclude the notice file text and copyrights from attribution reports. Select Stop Ignoring to restore them.

Note

Notice file edits (like all dependency corrections) apply across all projects and all versions.

© 2026 FOSSA, Inc.support@fossa.com