Managing open source dependencies isn't just about knowing what components you're using; it's about understanding how they're used. That's where Package Labels come in.
FOSSA's Package Labels give teams a powerful way to annotate packages with contextual metadata, enabling more efficient and insightful reporting and filtering. Whether you're tracking how a package is used or flagging attributes relevant to compliance, Package Labels help make smarter decisions faster.
What Are Package Labels?
Package Labels are short annotations — up to 50 characters — that can be applied to any dependency in your software project. These labels can be scoped based on how broadly they should apply:
- Global Scope: Makes the label available across your entire organization.
- Project Scope: Applies the label only within a specific project.
- Revision Scope: Limits the label to the current revision of a project.
Broadly, there are two categories of Package Labels: usage-based and attribute-based.
Usage-Based Labeling
- Modified vs. Unmodified: Track changes that might impact license obligations; certain open source license compliance requirements can be triggered depending on whether modifications are made to source code.
- Statically Linked vs. Dynamically Linked: Certain open source licenses (like the LGPL) treat statically linked libraries differently from dynamically linked libraries. This Package Label helps you differentiate between the two so you can understand how linking affects compliance.
- Dev vs. Test vs. Production: Organizations often apply different policies for production dependencies compared to dev and test dependencies. This is the case for several reasons, including that open source license compliance requirements generally only apply to distributed software, and dev and test dependencies don't tend to be distributed. There are also SBOM considerations (as a general rule, the SBOMs you ship to customers should contain only production dependencies) and security ones as well. Package Labels make it easy to differentiate between dependency types.
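The two usage-based policies above (production-only customer SBOMs, and copyleft obligations that depend on linkage and modification) can be applied mechanically once labels are present in a report. The following is an added example, not FOSSA's own code: the report structure and label names are constructed stand-ins for a FOSSA report exported with package labels, and the label spellings are assumptions.

```python
# Constructed sample report: each package carries the labels assigned to it.
# Field names and label values are assumed; they are not FOSSA's export format.
SAMPLE_REPORT = [
    {"name": "libfoo", "version": "1.2.0", "license": "LGPL-2.1-only",
     "labels": ["Production", "Statically Linked", "Unmodified"]},
    {"name": "libbar", "version": "3.0.1", "license": "LGPL-3.0-only",
     "labels": ["Production", "Dynamically Linked"]},
    {"name": "pytest", "version": "8.1.0", "license": "MIT",
     "labels": ["Test"]},
    {"name": "leftpad", "version": "0.1.0", "license": "MIT",
     "labels": []},  # nothing assigned yet: the edge case handled below
    {"name": "libbaz", "version": "2.4.0", "license": "GPL-2.0-only",
     "labels": ["Production", "Modified"]},
]

def _labels(pkg):
    # Normalise so "Statically Linked" and "statically linked" compare equal.
    return {lbl.strip().lower() for lbl in pkg.get("labels", [])}

def ship_in_customer_sbom(pkg):
    """True if the package belongs in an SBOM shipped to customers.
    Dev and Test dependencies are excluded. Unlabeled packages are kept:
    dropping them silently would understate what is actually shipped."""
    return not (_labels(pkg) & {"dev", "test"})

def needs_license_review(pkg):
    """Flag shipped copyleft packages whose labels trigger obligations:
    any copyleft package marked Modified, or an LGPL library that is
    statically linked. A copyleft package with no labels is flagged too,
    because its linkage and modification status are unknown."""
    labels = _labels(pkg)
    lic = pkg.get("license", "").upper()
    if not lic.startswith(("GPL", "LGPL")) or not ship_in_customer_sbom(pkg):
        return False
    if "modified" in labels:
        return True
    if lic.startswith("LGPL") and "statically linked" in labels:
        return True
    return not labels  # unknown usage: send to review rather than assume

def sbom_entries(report):
    """(name, version) pairs that go into the customer-facing SBOM."""
    return [(p["name"], p["version"]) for p in report if ship_in_customer_sbom(p)]

def review_queue(report):
    """Names of packages a license reviewer should look at first."""
    return [p["name"] for p in report if needs_license_review(p)]
```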
Attribute-Based Labeling
- ECCN Tags: Assign Export Control Classification Numbers for compliance audits. ECCN tags are identifiers used by the U.S. Department of Commerce to help manage items that face export control restrictions.
- FIPS Compliance: Flag packages that are compliant with FIPS requirements; FIPS is a NIST standard designed to help protect government data.
How to Manage Package Labels in the FOSSA Web App
Labels must be 1-50 characters long and may include letters, numbers, dashes, underscores, and spaces. Here's how you can create, edit, delete, and assign them.
Note that only Org Admins can create, delete, edit, and/or assign global-scoped Package Labels. Team and Org Admins can assign Project-Scoped Labels.
Creating a Package Label
- Go to your User Menu and select Settings.
- Click the Organization tab.
- Scroll to the Package Label section.
- Click Add Label.
Editing or Deleting Package Labels
- Edit: From the same Package Label section, click the edit icon beside the label.
- Delete: Click the 'x' icon next to the label in the Package Label section.
Assigning Labels to Packages
- Navigate to a project's dependency list.
- Click the three-dot menu next to a package.
- Choose Manage Labels.
- Select the relevant labels.
Labels can also be applied through the Package Index or when using fossa-deps with the FOSSA CLI.
Creating Ignore Rules Based on Labels
FOSSA Ignore Rules are intended to help organizations reduce alert fatigue and prioritize open source management issues. By creating a rule just once, you can apply it across other projects or future versions of a given package.
Here's how you can create ignore rules based on labels. For example, a sensible ignore rule might ignore license compliance issues for dev and/or test dependencies.
- Go to a Quality, Security, or Licensing issue.
- Click Ignore Rules → Add Ignore Rule.
- Choose the condition "If the dependency has Package Labels assigned".
- Select the appropriate labels and complete the form.
You can then see existing label-based Ignore Rules alongside other rules on the Ignore Rules page; Ignore Rules are accessible from any "Issues" page in the app.
Reporting and Filtering with Labels
Package Labels don't just enable you to build Ignore Rules to reduce unnecessary alerts. They also make it easy to generate reports that include your intended scope of dependencies.
You can generate reports including label data by selecting 'Package Labels' in the UI or by passing ?includePackageLabels=true with the API. Package Labels will appear in-line with each package in the report.
Dependencies across the product can be filtered by applied Package Label(s) by selecting the label(s) in the filter dropdown provided.
You can also exclude packages with specific Label(s) from your report by selecting the Package Labels to exclude from the dropdown in the UI.
Get Started with Package Labels
To get started with Package Labels:
- With the FOSSA API: Full label management is available via the FOSSA API; see FOSSA's API documentation.
- With the FOSSA CLI: Labels can be added via the fossa-deps file; see the FOSSA CLI documentation for more details.
Package Labels are currently available only to Business and/or Enterprise tier FOSSA customers. If you are a current FOSSA customer, please reach out to your customer success contact with any questions or for more information. If you aren't a current FOSSA user but are interested in demoing the feature, please get in touch with our team.