FOSSA - Guides & Documentation


JavaScript

FOSSA supports JavaScript and Node.js codebases through NPM, Bower and Yarn.

Tool     Automated                          Provided
NPM      package.json, package-lock.json    node_modules/
Bower    bower.json                         bower_components/
Yarn     yarn.lock                          node_modules/

Automated Builds

If you use FOSSA's automated build infrastructure, FOSSA will resolve dependencies by attempting to build your codebase via npm install --production or yarn install --frozen-lockfile.

If this fails or is disabled by setting prefer_mediated_dependencies to false, FOSSA will fall back to statically analyzing and traversing your package manifests (package.json, yarn.lock, component.json, bower.json).

By default, FOSSA filters out any devDependencies entries.
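The static fallback and the devDependencies filter described above can be reproduced locally. The following is an added example, not FOSSA's own code: it walks a package-lock.json in both the v1 (nested tree) and v2/v3 (flat "packages" map) layouts, drops every entry the lockfile flags as dev-only, and reports direct production dependencies that package.json declares but the lockfile does not pin. All manifests below are constructed samples.

```python
import json

# Constructed sample files (not taken from the FOSSA page).
# Lockfile v2/v3 layout: a flat "packages" map keyed by install path.
LOCK_V2 = json.loads("""
{
  "name": "example-app",
  "lockfileVersion": 2,
  "packages": {
    "": {
      "dependencies": {"left-pad": "^1.3.0"},
      "devDependencies": {"mocha": "^10.0.0"}
    },
    "node_modules/left-pad": {"version": "1.3.0"},
    "node_modules/mocha": {"version": "10.2.0", "dev": true},
    "node_modules/debug": {"version": "4.3.4", "dev": true},
    "node_modules/debug/node_modules/ms": {"version": "2.1.2", "dev": true}
  }
}
""")

# Lockfile v1 layout: a nested "dependencies" tree.
LOCK_V1 = json.loads("""
{
  "name": "example-app",
  "lockfileVersion": 1,
  "dependencies": {
    "left-pad": {"version": "1.3.0"},
    "mocha": {
      "version": "10.2.0",
      "dev": true,
      "dependencies": {"debug": {"version": "4.3.4", "dev": true}}
    }
  }
}
""")

# Constructed package.json whose "express" entry is missing from both lockfiles.
PACKAGE_JSON = json.loads("""
{
  "name": "example-app",
  "dependencies": {"left-pad": "^1.3.0", "express": "^4.18.0"},
  "devDependencies": {"mocha": "^10.0.0"}
}
""")


def production_dependencies(lock: dict) -> dict[str, str]:
    """Return {name: version} for every locked package that is not dev-only.

    Entries flagged "dev": true were pulled in solely through devDependencies
    and are dropped, mirroring the default devDependencies filtering.
    """
    found: dict[str, str] = {}
    if lock.get("lockfileVersion", 1) >= 2 and "packages" in lock:
        for path, entry in lock["packages"].items():
            if path == "" or entry.get("dev") or entry.get("link"):
                continue  # root record, dev-only package, or workspace symlink
            # "node_modules/a/node_modules/b" -> "b"; scoped "@org/b" survives intact
            name = path.rsplit("node_modules/", 1)[-1]
            found[name] = entry.get("version", "")
        return found

    def walk(tree: dict) -> None:
        for name, entry in tree.items():
            if entry.get("dev"):
                continue  # skip the dev package and everything nested under it
            found[name] = entry.get("version", "")
            walk(entry.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return found


def unlocked_direct_dependencies(manifest: dict, lock: dict) -> set[str]:
    """Direct production dependencies declared in package.json but absent from
    the lockfile. A non-empty result means the lockfile is stale, so a static
    scan of the manifest alone would disagree with what a build installs."""
    locked = production_dependencies(lock)
    return set(manifest.get("dependencies", {})) - set(locked)


if __name__ == "__main__":
    print(production_dependencies(LOCK_V2))                     # {'left-pad': '1.3.0'}
    print(production_dependencies(LOCK_V1))                     # {'left-pad': '1.3.0'}
    print(unlocked_direct_dependencies(PACKAGE_JSON, LOCK_V2))  # {'express'}
```

Running the check against a real repository before enabling FOSSA shows whether the lockfile and package.json agree; if they do not, the automated build and the static fallback will report different dependency sets, which is one reason the page recommends Provided Builds when a CI build already exists.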

Using Lockfiles or Build Scripts

If you are using FOSSA's automated builds, FOSSA will prefer the lockfiles you provide.

If you have build scripts that alter your build behavior, it is recommended that you use Provided Builds.

Provided Builds

If you are uploading build results via fossa-cli, the fossa command will analyze the modules installed in your node_modules directory after your build command has succeeded.

fossa-cli is open source! You can view further documentation on our implementation, as well as inspect the code directly here.

If you already have a CI running, it is recommended that you use Provided Builds to get accurate results.

Authentication

You can configure authentication to enable FOSSA to fetch dependencies from authenticated registries such as private npm packages, private Artifactory instances, or npm Enterprise instances.

Private packages on npmjs.com

In order for FOSSA to reach privately-scoped packages on npmjs.com, go to your Javascript Language Settings under Account Settings > Languages > Javascript and add your login credentials:

npm Authentication Settings

After hitting "Save", you should be able to "retry" any unreachable npm dependencies in FOSSA and begin to analyze them.

Finding Access Credentials

If you don't know your credentials, you can find them in .npmrc or ~/.npmrc after running npm login. Learn more.

Private Artifact Registries (npm Enterprise or Artifactory)

On-Prem Only

npm Enterprise and Artifactory-configured npm registries are only supported in FOSSA on-prem.

To configure authentication on-prem, your FOSSA admin must edit FOSSA's config.env file with one of two authentication methods. Check your .npmrc to see which of the two formats below you use.

Auth tokens

For newer registries or NPM Enterprise, FOSSA supports tokens for authentication. If you are using this method, you can find a line in your .npmrc formatted as //REGISTRY_URL/:_authToken=AUTH_TOKEN.

Take the AUTH_TOKEN and add the following config:

fetchers__npm__auth_token=AUTH_TOKEN

Legacy authentication

Many systems still use legacy authentication, especially if you are using a private registry like Artifactory. Look for email, _auth and username in your .npmrc.

fetchers__npm__auth__email

fetchers__npm__auth__token # _auth parameter in .npmrc

fetchers__npm__auth__username

After configuring, your FOSSA admin must run fossa restart.
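The procedure above (inspect .npmrc, decide between the token and legacy formats, set the matching fetchers__npm__* keys) is mechanical enough to script. The following is an added example, not part of FOSSA's documentation or code: it parses an .npmrc, recognises the //REGISTRY_URL/:_authToken=... line or the legacy _auth/email/username trio, and returns the config.env keys named on this page with their values. The two .npmrc samples are constructed, and the redaction helper is only for printing to a terminal or log; the unredacted values belong in config.env alone.

```python
# Constructed sample .npmrc contents (not from the FOSSA page).
NPMRC_TOKEN = """
; token form: the registry host is embedded in the key
registry=https://npm.example.internal/
//npm.example.internal/:_authToken=EXAMPLE_TOKEN_0123
always-auth=true
"""

NPMRC_LEGACY = """
registry=https://artifactory.example.internal/api/npm/npm-virtual/
_auth=ZGVwbG95OnMzY3IzdA==
email=ci@example.internal
username=deploy
"""
# _auth above is the constructed base64 of "deploy:s3cr3t"; npm's legacy
# format stores base64(username:password), which is why it must be treated
# as a credential and never logged in the clear.


def parse_npmrc(text: str) -> dict[str, str]:
    """Parse key=value lines; blank lines and ';' or '#' comments are dropped."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#" or "=" not in line:
            continue
        key, _, value = line.partition("=")  # split at the first '=' only
        settings[key.strip()] = value.strip()
    return settings


def fossa_npm_config(text: str) -> dict[str, str]:
    """Map an .npmrc onto the FOSSA config.env fetcher keys named on the page.

    The page presents the two methods as alternatives, so when both forms are
    present the token form is taken and the legacy keys are ignored. Returns an
    empty dict (apart from the registry) when no credential is recognised.
    """
    settings = parse_npmrc(text)
    out: dict[str, str] = {}
    if "registry" in settings:
        out["fetchers__npm__registry"] = settings["registry"]

    # Token form: key looks like //REGISTRY_URL/:_authToken
    for key, value in settings.items():
        if key.startswith("//") and key.endswith(":_authToken"):
            out["fetchers__npm__auth_token"] = value
            return out

    # Legacy form: _auth (maps to auth__token), email, username
    legacy = {
        "_auth": "fetchers__npm__auth__token",
        "email": "fetchers__npm__auth__email",
        "username": "fetchers__npm__auth__username",
    }
    for npm_key, fossa_key in legacy.items():
        if npm_key in settings:
            out[fossa_key] = settings[npm_key]
    return out


def redact(value: str, keep: int = 4) -> str:
    """Mask a credential for display, keeping only its last few characters."""
    return "*" * max(len(value) - keep, 0) + value[-keep:]


if __name__ == "__main__":
    for sample in (NPMRC_TOKEN, NPMRC_LEGACY):
        for key, value in fossa_npm_config(sample).items():
            shown = value if key == "fetchers__npm__registry" else redact(value)
            print(f"{key}={shown}")
        print()
```

After the keys are written into config.env, the admin still has to run fossa restart as the page says; the script only prepares the lines.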

Private Registries

If you are using a private registry like Artifactory for your NPM code, your FOSSA admin can specify a private registry URL:

fetchers__npm__registry=YOUR_REGISTRY_URL

Often private registries require authentication, which is covered above under Private Packages.

NPM Enterprise

See here for FOSSA's NPM Enterprise integration.