The first time you run a report, FOSSA may need some time to analyze and build up knowledge about your dependencies before the report is fully available. This is because FOSSA is actually scanning every line of code in each deep dependency to collect data that will be critical for compliance later on.
This only happens once -- as long as you're using the CLI, all subsequent reports should be very fast (well within a CI task window).
If you're running into errors during this phase, check out our Troubleshooting Guide.
Over time, you should notice 4 major sections of the report begin populating with data:
- Issues - License violations, compliance alerts, and vulnerabilities found and presented in a triage dashboard
- Dependencies - A full list of components & licenses discovered during the analysis
- Licenses - An interface to browse where licenses were discovered in your code
- Reports - Tools to generate attribution reports, BOMs and compliance documentation
Before you proceed, it's a good idea to sanity-check your dependency list. Navigate to the Dependencies tab to review what FOSSA found.
On your first scan, it may surprise you how many 3rd-party components you're actually using even if your application is relatively small.
If you've configured FOSSA the right way, there should only be dependencies that are included in your production build. If you're seeing many test or documentation dependencies, you may need to ensure that FOSSA is running against a production build or that your .fossa.yml is pointing at the right configuration.
If you have any questions about this page or want to know more about the Dependencies tab in general, navigate to the Dependencies Browser documentation page.
Finally, your dependency list doesn't need to be perfect for you to start using FOSSA. If this list looks reasonable, continue to Issue Triage; otherwise, check out our Troubleshooting Guides.