
Triaging Issues

The Issues page (found within a report or globally) provides a feed of alerts generated against the dependencies of projects you've added to FOSSA.

FOSSA can scan for a variety of issues depending on what features you've enabled:

Issue Type | Description | Product Suite
--- | --- | ---
Unlicensed Dependency | Flagged against unlicensed code, which by default is copyrighted to the original author. | Compliance
Policy Flag | Flagged against licenses that require review. | Compliance
Policy Conflict | Flagged against licenses that violate a use case (policy deny). | Compliance
Missing Attribution | Flagged if your codebase is missing compliance documentation. | Compliance
Vulnerabilities | Flagged against vulnerable dependencies (CVE or custom). | Security
Minor Outdated Dependency | Flagged if components are outside a specified version window. | Quality
Major Outdated Dependency | Flagged if components are outside a specified version window. | Quality

To enable a missing Product Suite, contact sales@fossa.io.

Using the Dashboard

Issue Dashboard Preview

On the left-hand side of the Issue Dashboard, FOSSA provides an inbox of Issue Threads, which are groups of similar issues that can be triaged and resolved together. These threads will automatically be organized and prioritized by type and severity.

For easy browsing, you can use the up/down keys on your keyboard to quickly navigate across issue threads.

Understanding Issue Reports

Once you've selected an issue thread, FOSSA displays a report on the right-hand side detailing information about the issues and the actions available for them.

The report displays the following sections, in order:

1. Issue Summary
A description about the issue and why it was flagged.

2. Status Notes (optional)
Notes recorded by an earlier triage action; only displayed if the issue was previously resolved.

3. Component / Issue Details
A rich UI that displays details about the component and relevant data inside of it related to the issue. For many types of issues, there will be tools to "make corrections" to data or edit settings before ignoring the issue.

4. Affected Applications
A list of applications ("Projects") in your organization that are currently affected by these issues in the latest release.

5. General Notes
Comments from other team members about this component.

Understanding Issue Confirmation Levels

Under Affected Applications, FOSSA shows an Issue Confirmation Level for each application to help your team confirm and prioritize issues during triage. The level gives you a sense of which issues are most likely to affect your team and need attention:

Confirmation Level | Description
--- | ---
Unconfirmed | This issue exists in your ecosystem, but we have found no specific evidence that it is referenced in your application.
Referenced | This issue deals with a component that is statically referenced by a package manifest (top level, or reached by traversing deep dependencies) within your affected application. A production build may or may not exclude this component (e.g. a test or mediated dependency).
Included | This issue deals with a component that we've confirmed is included in a production build by dynamically observing the build process.
Accessible | This issue is confirmed to be accessible to users in distributed applications or build artifacts.
Confirmed | This issue has been manually confirmed.

FOSSA determines these levels by reflecting on how it discovered your dependency. If a dependency was reported by one method of code analysis rather than another, FOSSA can infer how "material" the issue alert is based on the technical implementation of those strategies.

Users can always manually "override" an automatically suggested confirmation level on a per-issue basis. Contact support@fossa.io if you have more in-depth questions about confirmation.
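As an added illustration, not part of the FOSSA documentation or product code, the following Python models the two ideas described above: issues grouped into threads by type and component, and a confirmation level inferred from the evidence each analysis strategy produced, with a manual per-issue override. The evidence field names, the severity ranks and the thread key are assumptions made for the example.

```python
# Illustrative model of the triage concepts on this page (not FOSSA's code): the
# evidence field names, severity ranks and thread key are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional

# Confirmation levels ordered weakest -> strongest, as listed above.
LEVELS = ["Unconfirmed", "Referenced", "Included", "Accessible", "Confirmed"]
# Assumed severity ranks for issue types (higher value = triage first).
SEVERITY = {"Vulnerabilities": 3, "Policy Conflict": 2, "Unlicensed Dependency": 2,
            "Policy Flag": 1, "Major Outdated Dependency": 1, "Minor Outdated Dependency": 0}

@dataclass
class Issue:
    project: str                    # the affected application
    component: str                  # constructed component id, e.g. "npm+lodash$4.17.15"
    issue_type: str                 # one of the issue types in the table above
    in_manifest: bool = False       # statically referenced by a package manifest
    observed_in_build: bool = False # seen while dynamically observing the build
    in_artifact: bool = False       # present in a distributed artifact
    manually_confirmed: bool = False
    override: Optional[str] = None  # per-issue manual override of the level

def infer_level(issue: Issue) -> str:
    """Strongest confirmation level the discovery evidence supports."""
    if issue.override is not None:
        if issue.override not in LEVELS:
            raise ValueError(f"unknown confirmation level: {issue.override}")
        return issue.override
    if issue.manually_confirmed:
        return "Confirmed"
    if issue.in_artifact:
        return "Accessible"
    if issue.observed_in_build:
        return "Included"
    if issue.in_manifest:
        return "Referenced"
    return "Unconfirmed"

def build_threads(issues: List[Issue]) -> List[dict]:
    """Group issues into threads by (type, component) and rank them for triage."""
    threads: Dict[tuple, dict] = {}
    for issue in issues:
        t = threads.setdefault((issue.issue_type, issue.component),
                               {"type": issue.issue_type, "component": issue.component, "affected": {}})
        t["affected"][issue.project] = infer_level(issue)
    for t in threads.values():
        # A thread is as material as its most strongly confirmed affected application.
        t["level"] = max(t["affected"].values(), key=LEVELS.index)
    return sorted(threads.values(), key=lambda t: (-SEVERITY.get(t["type"], 0),
                                                   -LEVELS.index(t["level"]), t["component"]))
```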

Too Many Issues

FOSSA was built to produce very few false positives so that you can continually run scans throughout your development process.

If you notice that you have a significant number of false positives, that's a good sign that FOSSA may not have been integrated properly. Join our Slack channel at slack.fossa.io or contact support for help.

Remediating Issues

Once you've identified an issue thread you want to fix, you have a few options for resolving it. Note that the options below apply globally across all issues (and affected projects) referenced in a given thread. If you'd like to handle issues on a per-project basis, use the views provided in the Projects dashboard.

Ignoring Issues / Correcting Data

If you've identified a false positive, you can "ignore" an issue thread and provide notes inline:

Once ignored, the issue will move to the "Resolved" category and your notes will be present alongside an "undo" button:

If you notice that the issue was raised because of an inconsistency in component data, use the tools available in the Component / Issue Details panel to make corrections before you ignore the issue, so that reports stay clean:

Suggested Remediations / Patches

For some kinds of issues, FOSSA can also provide remediation suggestions or automated patches related to your build:

There are four kinds of remediations available:

Type | Description
--- | ---
Update Component (Safe) | This remediation suggests a safe version update to a component that fixes an issue. It will ask you to run a command or update build configuration files / manifests in order to change build behavior and update a direct / deep dependency.
Remove Component (Unsafe) | This remediation suggests removing a component in order to fix an issue. It will ask you to run a command or update build configuration files / manifests in order to remove the component from your build. FOSSA provides path data so you can validate if / how the dependency is being used.
Auto-Fix (Safe) | If an issue can be fixed automatically, FOSSA provides an "auto-fix" button that generates a patch you can submit to your VCS.
Manual Remediation | FOSSA suggests a human action to fix an issue (e.g. contacting the component author or manually investigating your build).

These remediation suggestions will also be available inline when exporting issues into tickets or work items.

Exporting Issues to a Ticket

You can also export a group of issues into a single ticket using the "Create Ticket" button:

This will create a ticket inside your issue tracker (e.g. JIRA) and sync the status of all issues in FOSSA to it. Your issues are assigned to the "Triaged" category, where FOSSA waits until the ticket is resolved in your tracker before automatically resolving the issue in FOSSA.

Issue Tracker Configuration

Make sure an issue tracker is configured under your Account Settings in order to export issues using this method.

Auto-Fixing

Some issues can be automatically fixed by known patches, upgrades or workarounds. Contact support@fossa.io if you're interested in this feature.

Premium Feature - Global Issue Dashboard

In a large-scale team, thousands of new third-party components can be included or removed on a daily basis by developers, CI builds and more.

To help you manage this scale, FOSSA has a global Issue Dashboard that provides a centralized, aggregated feed of all components that are currently flagged across your organization. This view will intelligently group and prioritize issue alerts into logical "threads" to be resolved, exported or triaged together.

This feature is available in any upgraded subscription of FOSSA. Contact sales@fossa.io for more details.


What's Next

Once you've resolved issues in your project, it's time to generate a Release Report:

Generating Attributions
