C/C++
Analyze C and C++ projects with FOSSA via vendored-code fingerprinting, snippet scanning, and build-system integrations including Conan, Yocto, and Buildroot.
Overview
C and C++ have no universal package manager, so there is no single manifest or lockfile for FOSSA to read. Instead, FOSSA detects dependencies through a combination of vendored-code fingerprinting, snippet scanning, and build-system integrations (Conan, Yocto, and Buildroot). These approaches are additive. You can combine whichever ones fit how your project is built.
All strategies require fossa-cli version 3.1.3 or greater. Install the latest release:
curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bashDetection strategies
| Strategy | What it detects | Reference |
|---|---|---|
| Vendored code | Open-source libraries vendored directly into your project tree, even with comment or whitespace changes | Vendored dependencies |
| Snippet scanning | Open-source code snippets copied into your first-party files | Snippet scanning |
| Conan | Dependencies managed by the Conan package manager | Scanning Conan projects |
| Yocto | Runtime packages in a Yocto image build | Scanning Yocto projects |
| Buildroot | Dependencies in a Buildroot environment | Scanning Buildroot projects |
Analyzing with the CLI
Because no standard package manager is used, the CLI relies on statistical analysis of the project to determine likely vendored dependencies, and can inspect output binaries for dynamically linked dependencies on some platforms.
| Strategy | Direct Deps | Transitive Deps | Edges | Container Scanning |
|---|---|---|---|---|
detect-vendored | ✅ | ❌ | ❌ | ❌ |
detect-dynamic | ✅ | ✅ | ❌ | ❌ |
Project discovery
detect-vendored: The root of the scan directory is assumed to be the only "project".detect-dynamic: The binary indicated by the argument is assumed to be the only "project".
Analysis
detect-vendored: Runfossa analyze --detect-vendored.- To only detect vendored dependencies, run
fossa analyze --detect-vendored --only-target vsi.
- To only detect vendored dependencies, run
detect-dynamic: Runfossa analyze --detect-dynamic <BINARY_PATH>.- This inspects the binary at
BINARY_PATHfor dynamically linked dependencies. - This requires specific platform support. See the extended documentation below.
- This inspects the binary at
Further reading: