Using FOSSA Security

The first time you add a project, FOSSA may take some time to analyze it and build up knowledge about your dependencies before the project is fully available. This is because FOSSA scans every line of code in each transitive (deep) dependency and identifies vulnerabilities in it.

Over time, you should notice 4 major sections of the report begin populating with data:

  1. Issues - License violations, compliance alerts, and vulnerabilities found and presented in a triage dashboard.
  2. Dependencies - A full list of components & licenses discovered during the analysis.
  3. Licenses - An interface to browse where licenses were discovered in your code.
  4. Reports - Tools to generate attribution reports, BOMs and compliance documentation.

On your first scan, it may surprise you how many third-party components you are actually using, even if your application is relatively small.

If you've configured FOSSA correctly, only the dependencies included in your production build should appear. If you're seeing many test or documentation dependencies, make sure FOSSA is running against a production build, or that your .fossa.yml is pointing at the right configuration.
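As an added illustration (not from this page or from FOSSA's own documentation), the following `.fossa.yml` shows how the scope of an analysis can be narrowed so that test and documentation trees do not contribute dependencies. The key names follow the fossa-cli v3 configuration format as I understand it; the project id, target type and directory names (`./test`, `./docs`, `./src`) are placeholders, and you should confirm the exact keys against the FOSSA CLI documentation for your version.

```yaml
# Added example .fossa.yml (placeholder values; verify keys against fossa-cli docs)
version: 3

project:
  id: example-service          # placeholder project identifier

# Restrict which directories are analyzed.
# Excluding test and documentation trees keeps their dependencies
# (test frameworks, doc generators) out of the report, so the
# Dependencies tab reflects what actually ships in production.
paths:
  only:
    - ./src                    # placeholder: production source root
  exclude:
    - ./test                   # placeholder: unit/integration tests
    - ./docs                   # placeholder: documentation build

# Optionally restrict analysis to specific build targets.
# "type" is the package manager / build tool name recognized by fossa-cli.
targets:
  only:
    - type: npm                # placeholder target type
      path: ./src
```

After adding this file at the repository root, re-run the FOSSA CLI analysis and compare the Dependencies tab before and after: if test-only packages have disappeared while your production packages remain, the scan is now scoped to the production build. If production packages also disappear, the `paths.only` or `targets.only` entries are too narrow and should be widened.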

If you have any questions about this page, or want to know more about the Dependencies tab in general, see the Dependencies Browser documentation page.