Licensing Reports

Generate, customize, and publish licensing reports and bills of materials from FOSSA.

5 min readUpdated Jul 9, 2026

Overview

Open source licenses require you to give attribution to their authors in specific ways. FOSSA generates the compliance documentation automatically (licensing reports, copyright disclosures, and bills of materials) based on the dependencies it has analyzed.

Licensing reports are useful for:

  • Distributing attribution notices with your product
  • Customer-facing bills of materials for sales, partnerships, or OEMs
  • Audit reports for due diligence events
  • Security vulnerability reviews

Generating a report from the UI

Navigate to a project or release group, open Reports, and select Licensing from the sidebar. Generating a report takes two steps: choose a flow, then select an output format and adjust the content options. A live preview updates as you change options.

Licensing report builder showing the flow selector, output format, content options, and live preview

Note

All FOSSA plans can generate Standard reports using pre-set filters. The Custom report flow (which lets you control every filter, view, and data point) requires a paid plan.

Choosing a flow

FlowDescription
Standard (Recommended)Pre-set options, consistent, quick, available to all plans
CustomFull control over included content and data points, paid plans only

The Standard flow includes a fixed set chosen by FOSSA: Dependencies Summary, Direct Dependencies, Notice File(s), Package Metadata, and Concluded License(s) when license conclusions are enabled for your organization.

Selecting a format

FOSSA supports five output formats for licensing reports:

FormatBest for
HTMLHosting on your website or a public page
PDFDistributing as a document to customers or auditors
CSVSpreadsheet-based review or processing
MarkdownEmbedding in source code or documentation
Plain TextSimple distribution or embedding in built artifacts
Output format dropdown open, showing HTML, PDF, CSV, Markdown, and Plain Text options

Selecting report content

The following options control what appears in the generated report:

OptionDescription
Dependencies SummaryAn overview of all dependencies and licenses found.
Direct DependenciesFirst-level dependencies explicitly included in your project.
Transitive DependenciesIndirect dependencies pulled in by your direct dependencies.
Snippet DependenciesDependencies detected via code snippets. Available when snippet detection is enabled for your organization.
Hash and Version DataIncludes package hashes and version identifiers for each dependency.
Package LabelsIncludes any package labels assigned to packages in your organization.
List of LicensesIncludes license information for each dependency. Choose which license data to include: Declared Licenses, First Party Licenses, Copyrights from non-license text.
Exclude Package LabelsExcludes packages that have certain labels, such as Dynamically Linked, Modified, Statically Linked, or Unmodified.
Concluded License(s)Any licenses that have been manually concluded on a dependency. Only available when the License Conclusion feature is enabled for your organization.
Notice File(s)Verbatim text from NOTICE.TXT, THIRD-PARTY-NOTICES.TXT, and similar files.
Dependency MetadataPer-dependency details. Choose which fields to include: Project, Authors, Description, Concluded License, Declared License, License Header, Full License Text, Discovered License(s), File Path, Package Manager, Package Homepage, Package Download URL, Dependency Paths, Issue Resolution Notes, Copyrights, License URL.

Excluding by package label

In Custom mode, the Exclude Package Labels filter lets you omit dependencies that carry specific package labels from the report output, useful for excluding test-only or internal dependencies that shouldn't appear in customer-facing attribution.

Saving custom options

In the Custom flow, save a configuration you use often as a named preset from the Saved Options control, then apply it to future reports in one click. See Report Settings for managing presets and choosing a default. Saved options require a paid plan.

Downloading, emailing, or hosting

Once generated, you can:

  • Download the report to your computer immediately
  • Email the report, for large projects, click Email to queue generation as a background job; the completed report is delivered to your email address
  • Host the report via FOSSA, FOSSA generates a persistent public URL that always serves the latest version, updating automatically with each new scan

Generating a report from the CLI

The FOSSA CLI can generate licensing reports directly, which is useful for automating report generation in CI.

Shell
export FOSSA_API_KEY=XXXXXXXXfossa analyze && fossa report attribution --format spdx

Note

The CLI supports additional formats beyond the web UI: csv, cyclonedx-json, cyclonedx-xml, html, json, markdown, spdx, spdx-json, and text. See fossa report for the full reference.

Keeping reports up to date

Attribution notices become stale as dependencies change. To keep them current:

  • Integrate FOSSA into your CI pipeline so a fresh report is available at every commit
  • Use the FOSSA API to fetch the latest file as part of your release process
  • If using hosted reports, FOSSA updates them automatically

Modifying dependency data for reports

If a dependency appears in your report with incorrect or missing information (wrong license, missing author, no copyright text) you can correct it directly in FOSSA before regenerating.

See License Corrections for the full workflow, including how to:

  • Conclude or change a detected license
  • Update author and description metadata
  • Add or edit copyright text
  • Remove a dependency from the report entirely

What's next

© 2026 FOSSA, Inc.support@fossa.com