The FOSSA Developer Hub


Python

FOSSA support for Python projects

FOSSA supports Python projects through setuptools and pip.

Tool                  Automated                      Provided
pip                   requirements.txt and setup.py  requirements.txt
setuptools/distutils  setup.py                       N/A
distribute            N/A                            N/A

Automated Builds

When Python code is imported, FOSSA will find and run any setup.py files and recursively traverse dependencies that are brought in via the install_requires parameter.

If any requirements.txt files are present, FOSSA will also resolve their entries and treat them as direct dependencies. Sub-dependencies of packages brought in from requirements.txt are ignored, which is consistent with standard build behavior.

Requires Standard Conventions

FOSSA currently assumes that Python codebases using Automated Builds are following proper conventions where running setup.py or pip install -r <requirements.txt> is expected. If setup.py files are heavily customized or require non-standard versions of Python, FOSSA may fail to run and analyze them.

Provided Builds

Provided Builds rely on fossa-cli v0.5.0+. To get started, install the latest release of fossa-cli from our GitHub releases page:

curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install.sh | bash

In a Provided Build for Python, fossa will rely on you maintaining an updated requirements.txt file. This can be achieved by running:

pip freeze > requirements.txt

We recommend you do this as part of your build process after running your setup.py and within your virtualenv if necessary.

Afterwards, you can run fossa and the client will analyze your requirements.txt and submit dependency data back to app.fossa.io.
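The two build modes above differ only in where the direct dependency list comes from: install_requires in setup.py for Automated Builds, and a pip freeze generated requirements.txt for Provided Builds, with sub-dependencies never followed in either case. The script below is an added example, not FOSSA's own code, that reproduces that inventory step locally and flags the one thing that breaks a Provided Build, an entry that pip freeze did not write and that is therefore not pinned. The sample setup.py and requirements.txt are constructed, and the example reads install_requires statically with ast rather than running setup.py as the docs say FOSSA does, so no untrusted build code executes; values that setup.py computes at runtime are therefore missed.

```python
import ast
import re

# Constructed sample files, not taken from the FOSSA docs or any real project.
SAMPLE_SETUP_PY = '''
from setuptools import setup

setup(
    name="example-service",
    version="1.0.0",
    install_requires=[
        "requests>=2.25",
        "PyYAML",
        "cryptography>=3.4,<42",
    ],
)
'''

SAMPLE_REQUIREMENTS_TXT = '''
# produced by: pip freeze > requirements.txt
certifi==2023.7.22
cryptography==41.0.3
requests==2.31.0
PyYAML==6.0.1
urllib3  # hand-edited, unpinned: pip freeze never emits this form
-e git+https://example.invalid/org/internal-lib.git#egg=internal-lib
'''

_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")
# A pip-freeze style pin: name, optional extras, then exactly one '==' version.
_PINNED_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]*\])?\s*==\s*[^\s;]+$")
_EGG_RE = re.compile(r"#egg=([A-Za-z0-9._-]+)")


def normalize(name):
    """PEP 503 name normalization so 'PyYAML' and 'pyyaml' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def install_requires_from_setup(source):
    """Read install_requires out of setup.py with ast instead of executing it.

    Static reading is a deliberate substitution in this example (FOSSA runs
    setup.py); it never executes build code but misses lists computed at runtime.
    """
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and getattr(node.func, "id", None) == "setup":
            for kw in node.keywords:
                if kw.arg == "install_requires" and isinstance(kw.value, (ast.List, ast.Tuple)):
                    return [e.value for e in kw.value.elts
                            if isinstance(e, ast.Constant) and isinstance(e.value, str)]
    return []


def parse_requirements(text):
    """Split a requirements.txt body into (direct names, unpinned lines, editable lines).

    Only listed entries count as direct dependencies; their transitive
    dependencies are not followed, matching the behaviour described above.
    """
    direct, unpinned, editable = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("-e ") or line.startswith("--editable "):
            editable.append(line)          # pip freeze writes VCS checkouts this way
            m = _EGG_RE.search(line)
            if m:
                direct.append(normalize(m.group(1)))
            continue
        if line.startswith("-"):
            continue                       # -r, --index-url etc. are options, not dependencies
        line = line.split("#", 1)[0].strip()   # drop a trailing comment
        m = _NAME_RE.match(line)
        if not m:
            continue
        direct.append(normalize(m.group(1)))
        if not _PINNED_RE.match(line):
            unpinned.append(line)          # would not come from pip freeze; fix before submitting
    return direct, unpinned, editable


def direct_dependencies(setup_source, requirements_text):
    """Union of install_requires names and requirements.txt names, normalized."""
    names = {normalize(_NAME_RE.match(r).group(1)) for r in install_requires_from_setup(setup_source)}
    names.update(parse_requirements(requirements_text)[0])
    return names


if __name__ == "__main__":
    direct, unpinned, editable = parse_requirements(SAMPLE_REQUIREMENTS_TXT)
    print("direct:", sorted(direct_dependencies(SAMPLE_SETUP_PY, SAMPLE_REQUIREMENTS_TXT)))
    print("unpinned (fix before submitting):", unpinned)
    print("editable:", editable)
```

Run it in the build step after pip freeze; a non-empty unpinned list means the file was edited by hand after freezing and the submitted inventory would not match what is actually installed.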


Complex Builds Supported

For complex Python builds that rely on custom tooling, scripts, or virtual environments, Provided Builds are the ideal integration path.

Authentication

You can configure FOSSA to fetch dependencies from private PyPI registries published through tools like Artifactory or Sonatype Nexus.

In order for FOSSA to reach private feeds, go to your Python Language Settings under Account Settings > Languages > Python and add your login credentials.

(Screenshot: the Pip Settings panel.)

Now you should be able to resolve private PyPI packages in FOSSA.

Package Data

FOSSA supports most standard ways Python packages can be included, ranging from packages on PyPI to packages stored in archives / VCS hosts.

When possible, FOSSA will seek source code formats over binary/archive formats like .egg and .whl. If an egg or wheel is downloaded, its contents are inspected for code auditing and dependency information.

  • dist-info directories are currently skipped.
  • Mercurial, Subversion, and Bazaar Version Control Systems are not supported.
  • Source code distributed with XZ compression is not supported.
  • Custom build scripts (e.g. fabric, make) are not supported.
  • C Extensions are not supported.

Supported VCS Formats:

VCS   Supported
Git   Y
hg    N
svn   N
bzr   N
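The bullet list and the VCS table above together define which requirement sources FOSSA can and cannot analyze. The following added example, not part of the FOSSA docs or tooling, encodes those rules as a pre-flight check over a requirements.txt so unsupported entries (hg, svn, bzr checkouts and XZ-compressed source archives) are caught before a scan is submitted and silently comes back incomplete. The sample lines and the example.invalid hosts are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed sample requirement lines, not from the FOSSA docs or a real project.
SAMPLE_LINES = [
    "requests==2.31.0",
    "-e git+https://example.invalid/org/lib.git@v1.2.0#egg=lib",
    "hg+https://example.invalid/org/lib#egg=lib",
    "svn+https://example.invalid/repo/trunk#egg=lib",
    "bzr+lp:example-lib#egg=example-lib",
    "https://example.invalid/dl/lib-1.0.tar.gz",
    "https://example.invalid/dl/lib-1.0.tar.xz",
    "https://example.invalid/dl/lib-1.0-py3-none-any.whl",
    "https://example.invalid/dl/lib-1.0-py3.9.egg",
    "# comment line",
    "-r base.txt",
]

SUPPORTED_VCS = {"git"}                 # per the VCS table above
UNSUPPORTED_VCS = {"hg", "svn", "bzr"}
BINARY_SUFFIXES = (".whl", ".egg")      # inspected, but source formats are preferred
XZ_SUFFIXES = (".xz", ".txz")           # XZ-compressed source is not supported
_VCS_RE = re.compile(r"^(git|hg|svn|bzr)\+")


def classify(line):
    """Return (kind, supported, note) for one requirements.txt line.

    supported is True/False for dependency entries and None for lines that
    are not dependencies (comments and pip options).
    """
    spec = line.strip()
    if not spec or spec.startswith("#"):
        return ("comment", None, "ignored")
    if spec.startswith("-e "):
        spec = spec[3:].strip()           # editable install: classify its target
    elif spec.startswith("-"):
        return ("option", None, "pip option, not a dependency")
    m = _VCS_RE.match(spec)
    if m:
        vcs = m.group(1)
        if vcs in SUPPORTED_VCS:
            return ("vcs", True, f"{vcs} checkout")
        return ("vcs", False, f"{vcs} is not supported")
    if "://" in spec:
        path = urlparse(spec).path.lower()
        if path.endswith(BINARY_SUFFIXES):
            return ("archive", True, "binary archive: contents inspected, source preferred")
        if path.endswith(XZ_SUFFIXES):
            return ("archive", False, "XZ-compressed source is not supported")
        return ("archive", True, "source archive")
    return ("pypi", True, "resolved from PyPI or the configured private index")


def unsupported_entries(lines):
    """Lines whose dependency source the rules above mark as unsupported."""
    return [(l, classify(l)[2]) for l in lines if classify(l)[1] is False]


if __name__ == "__main__":
    for line, note in unsupported_entries(SAMPLE_LINES):
        print(f"UNSUPPORTED  {line}  ({note})")
```

Anything this reports will be absent from the dependency data FOSSA returns, so the fix is to move such packages to a git checkout, a gz/bz2 source archive, or a PyPI (or private index) release before scanning.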