C/C++

Analyze C and C++ projects with FOSSA via vendored-code fingerprinting, snippet scanning, and build-system integrations including Conan, Yocto, and Buildroot.

2 min readUpdated Jul 9, 2026

Overview

C and C++ have no universal package manager, so there is no single manifest or lockfile for FOSSA to read. Instead, FOSSA detects dependencies through a combination of vendored-code fingerprinting, snippet scanning, and build-system integrations (Conan, Yocto, and Buildroot). These approaches are additive. You can combine whichever ones fit how your project is built.

All strategies require fossa-cli version 3.1.3 or greater. Install the latest release:

Shell
curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash

Detection strategies

StrategyWhat it detectsReference
Vendored codeOpen-source libraries vendored directly into your project tree, even with comment or whitespace changesVendored dependencies
Snippet scanningOpen-source code snippets copied into your first-party filesSnippet scanning
ConanDependencies managed by the Conan package managerScanning Conan projects
YoctoRuntime packages in a Yocto image buildScanning Yocto projects
BuildrootDependencies in a Buildroot environmentScanning Buildroot projects

Analyzing with the CLI

Because no standard package manager is used, the CLI relies on statistical analysis of the project to determine likely vendored dependencies, and can inspect output binaries for dynamically linked dependencies on some platforms.

StrategyDirect DepsTransitive DepsEdgesContainer Scanning
detect-vendored
detect-dynamic

Project discovery

  • detect-vendored: The root of the scan directory is assumed to be the only "project".
  • detect-dynamic: The binary indicated by the argument is assumed to be the only "project".

Analysis

  • detect-vendored: Run fossa analyze --detect-vendored.
    • To only detect vendored dependencies, run fossa analyze --detect-vendored --only-target vsi.
  • detect-dynamic: Run fossa analyze --detect-dynamic <BINARY_PATH>.
    • This inspects the binary at BINARY_PATH for dynamically linked dependencies.
    • This requires specific platform support. See the extended documentation below.

Further reading:

© 2026 FOSSA, Inc.support@fossa.com