Using FOSSA Quality

The first time you run a report, FOSSA analyzes every dependency. FOSSA scans each direct and deep dependency to generate Quality Issues.

Once scanned, you'll see four major sections of the project:

  1. Issues - Code quality issues, blocked packages, and supply chain risks found in the project
  2. Dependencies - A full list of components & licenses discovered during the analysis
  3. Licenses - All licenses discovered in your code
  4. Reports - Tools to generate attribution reports, SBOMs, and compliance documentation

Before you proceed, it's a good idea to sanity-check your dependency list. Navigate to the Dependencies tab to review what FOSSA found.

On your first scan, it may surprise you how many third-party components you're actually using, even if your application is relatively small. The list should contain only dependencies that are included in your production build. If you're seeing many test or documentation dependencies, make sure FOSSA is running against a production build and that your .fossa.yml is configured to exclude non-production paths.
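As an added illustration (not part of the original page, and not FOSSA's own sample), here is the shape a `.fossa.yml` might take when you want the scan to skip test and documentation directories so that only production dependencies show up in the Dependencies tab. The `version`, `project`, and `paths.exclude` keys are assumed from the fossa-cli v3 configuration schema; the directory names are constructed for this example and should be replaced with the paths in your own repository.

```yaml
# .fossa.yml (example layout, assumed v3 schema; verify keys against your fossa-cli version)
version: 3

project:
  # Project identifier as it should appear in the FOSSA UI (constructed placeholder)
  id: example-service

paths:
  # Directories FOSSA should not analyze. Excluding test and docs trees keeps
  # dev-only packages out of the dependency list so the count reflects what
  # actually ships in the production build. Paths are relative to the repo root.
  exclude:
    - ./test
    - ./tests
    - ./docs
    - ./examples
```

After changing the file, re-run the analysis and compare the Dependencies tab against your production lockfile or build manifest; if dev-only packages still appear, the build being scanned is likely installing them, which an exclusion list alone cannot correct.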