We're excited to share two new features that will help FOSSA users identify and mitigate the risks in their software supply chain more quickly and efficiently.

1. C/C++ Scanning

One of our main objectives is to ensure the broadest coverage of open source, and we are excited to announce the private beta of support for C/C++ license and vulnerability scanning.

C and C++ are among the most popular languages in the world because of their performance, efficiency, stability, and portability. They’re used in software infrastructure and resource-constrained applications, including desktop applications, video games, servers, and performance-critical applications.

However, identifying dependencies and vulnerabilities in C/C++ has an extra layer of complexity because, unlike most other languages, there is no standardized package management. This means there’s no single source of truth to use when identifying dependencies.

Users will now be able to scan C/C++ projects with the FOSSA CLI to get a comprehensive inventory of their dependencies. This sets the foundation for accurately identifying compliance and security risk in your open source supply chain.

Click here to learn how this works.

To join the beta, please submit your request here so our team can assess your requirements. We are looking for your help and feedback to make sure we are building the right features that provide value to our customers.

2. Generating SBOMs via the FOSSA CLI

SBOMs have emerged as a foundational step to securing your software supply chain. As the best-in-class software bill of materials vendor, we are excited to announce the ability to generate SBOMs from FOSSA CLI. Teams will now have a quick and simple way to generate SBOMs giving them the list of all their dependencies in the commonly used SPDX format.

Here’s how to get started.

  1. Once you have your FOSSA account, download and set up the CLI.

  2. Next, export your API key.
    export FOSSA_API_KEY=XXXXX

  3. Then, run the below command to generate an SBOM in the SPDX format.
    fossa analyze && fossa report attribution --format spdx

  4. This command will produce results similar to the screenshot below

An SBOM generated in SPDX format

This process usually takes only a few minutes.

Additionally, we will be adding support for the CycloneDX export format  in the coming months to make it even easier to get started with SBOM generation.

These features reflect our commitment to expand our platform to help our customers strengthen their software supply chain.