GitHub - fossas/fossa-cli: Fast, portable and reliable dependency analysis for a...

source link: https://github.com/fossas/fossa-cli

README.md

FOSSA

fossa-cli - Fast, portable and reliable dependency analysis for any codebase.


Background

fossa analyzes complex codebases to generate dependency reports and license notices. By leveraging existing build environments, it can generate fast and highly-accurate results.

Features:

  • Supports 15+ languages & environments (JavaScript, Java, Ruby, Golang, PHP, etc.)
  • Auto-configures for monoliths; instantly handles multiple builds in large codebases
  • Fast & portable; a cross-platform binary you can drop into CI or dev machines
  • Generates offline documentation for license notices & third-party attributions
  • Tests dependencies against license violations, audits and vulnerabilities (coming soon!) by integrating with https://fossa.io

Click here to learn more about the reasons and technical details behind this project.

Installation

Install the latest Github Release using curl:

curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install.sh | bash

We support Windows, MacOS (Darwin), and Linux amd64 machines.

Quick Start

Run fossa -o in your repo directory to output a dependency report in JSON:

[
  {
    "Name": "fossa-cli",
    "Type": "golang",
    "Manifest": "github.com/fossas/fossa-cli/cmd/fossa",
    "Build": {
      "Dependencies": [
        {
          "locator": "go+github.com/rhysd/go-github-selfupdate$d5c53b8d0552a7bf6b36457cd458d27c80e0210b",
          "data": {
            "name": "github.com/rhysd/go-github-selfupdate",
            "version": "d5c53b8d0552a7bf6b36457cd458d27c80e0210b"
          }
        },
        ...
      ],
      ...
    }
  },
  ...
]
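The dependency entries above pair a locator string of the form fetcher+package$revision with a data object that repeats the package name and version. The following Go program is an added example (not part of fossa-cli) that parses that locator format and cross-checks each entry against its data object, so a report that has been truncated or edited is caught before it is trusted; the embedded report is constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// ParseLocator splits a "fetcher+package$revision" locator such as "npm+xmldom$0.1.27",
// rejecting a missing part instead of silently skipping the entry.
func ParseLocator(s string) (fetcher, pkg, rev string, err error) {
	plus, dollar := strings.Index(s, "+"), strings.LastIndex(s, "$")
	if plus < 1 || dollar < plus+2 || dollar == len(s)-1 {
		return "", "", "", fmt.Errorf("malformed locator %q", s)
	}
	return s[:plus], s[plus+1 : dollar], s[dollar+1:], nil
}

// dep mirrors one Build.Dependencies entry; encoding/json matches the lower-case keys case-insensitively.
type dep struct {
	Locator string
	Data    struct{ Name, Version string }
}

// Inconsistent parses a `fossa -o` report and returns the locators whose embedded
// package or revision disagrees with the "data" object beside them.
func Inconsistent(raw []byte) ([]string, error) {
	var mods []struct{ Build struct{ Dependencies []dep } }
	if err := json.Unmarshal(raw, &mods); err != nil {
		return nil, err
	}
	var bad []string
	for _, m := range mods {
		for _, d := range m.Build.Dependencies {
			_, pkg, rev, err := ParseLocator(d.Locator)
			if err != nil || pkg != d.Data.Name || rev != d.Data.Version {
				bad = append(bad, d.Locator)
			}
		}
	}
	return bad, nil
}

// SampleReport is a constructed report in the README's shape; the second entry is deliberately inconsistent.
const SampleReport = `[{"Name":"fossa-cli","Type":"golang","Build":{"Dependencies":[
 {"locator":"go+github.com/rhysd/go-github-selfupdate$d5c53b8d0552a7bf6b36457cd458d27c80e0210b","data":{"name":"github.com/rhysd/go-github-selfupdate","version":"d5c53b8d0552a7bf6b36457cd458d27c80e0210b"}},
 {"locator":"npm+xmldom$0.1.27","data":{"name":"xmldom","version":"0.1.28"}}]}}]`

func main() {
	bad, err := Inconsistent([]byte(SampleReport))
	fmt.Println(bad, err) // [npm+xmldom$0.1.27] <nil>
}
```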

Run fossa and provide a FOSSA API Key to get a rich, hosted report:

export FOSSA_API_KEY="YOUR_API_KEY_HERE"

# Now, you can just run `fossa`!
fossa

# Output:
# ==========================================================
#   
#    View FOSSA Report: https://app.fossa.io/{YOUR_LINK}
#
# ==========================================================

Configuration

Initialize configuration and scan for supported modules:

fossa init # writes to `.fossa.yml`

This will initialize a .fossa.yml file that looks like this:

version: 1

cli:
  server: https://app.fossa.io
  project: github.com/fossas/fossa-cli

analyze:
  modules:
    - name: fossa-cli
      path: ./cmd/fossa
      type: go

# ...

Check out our User Guide to learn about editing this file.

After configuration, you can now preview and upload new results:

# Run FOSSA analysis and preview the results we're going to upload
fossa -o

# Run FOSSA and upload results
# Going forward, you only need to run this one-liner
FOSSA_API_KEY=YOUR_API_KEY_HERE fossa

Integrating with CI

Testing for License Violations

If you've integrated with https://fossa.io, you can use fossa test to fail builds against your FOSSA scan status.

# Exit with a failing status and dump an issue report to stderr
# if your project fails its license scan
FOSSA_API_KEY=YOUR_API_KEY_HERE fossa test

# Output:
# --------------------------
# - exit status (1)
#
# * FOSSA discovered 7 license issue(s) in your dependencies:
#
# UNLICENSED_DEPENDENCY (3)
# * pod+FBSnapshotTestCase$1.8.1
# * pod+FBSnapshotTestCase$2.1.4
# * pod+Then$2.1.0
#
# POLICY_FLAG (4)
# * mvn+com.fasterxml.jackson.core:jackson-core$2.2.3
# * npm+xmldom$0.1.27
# * pod+UICKeyChainStore$1.0.5
# * gem+json$1.7.7
#
# ✖ FOSSA license scan failed: 7 issue(s) found.

Generating License Notices

To generate a license notice with each CI build, you can use the fossa report command:

# write a license notice to NOTICE.txt
fossa report --type licenses > NOTICE.txt

See this repo's NOTICE file for an example.

License data is provided by https://fossa.io's 500GB open source registry.

Reference

Check out the User Guide for more details.

Development

View our Contribution Guidelines to get started.

If you're in San Francisco, come to our monthly Open Source Happy Hour to meet us F2F!

License

fossa is Open Source and licensed under the MPL-2.0.

You are free to use fossa for commercial or personal purposes. Enjoy!
