We are excited to announce the release of our revamped CLI! The new CLI will make FOSSA integrations easier to deploy by reducing the amount of configuration needed by users. This represents a major step in our journey to enabling turnkey deployment on as many build systems and codebases as possible.

In this blog, we’ll highlight some of the specific improvements and features you can expect with the new CLI.


New Build Manager Support

Our new CLI has added support for the following build managers and languages:

Improved Accuracy

Analysis strategies have substantive improvements in correctness and reliability across all language integrations. The new version has much stronger compile-time correctness guarantees in its parsers.

Stronger Debug Logging

Our new CLI has improved debug logging, including a new feature called "replay logging," which allows developers to perfectly reproduce a bug report given a replay log. This is made possible by stronger compile-time guarantees that ensure all effects that occur during analysis are logged for replay.

Automatic Analysis Target Discovery

The new CLI now does automatic analysis target discovery when you run fossa analyze without requiring fossa init. The CLI now automatically selects the optimal strategy for analysis targets given the current environment (e.g. whether a build tool is available).

New Fossa-Deps Configuration Support

When working with a package manager that is not supported, or when you have a custom and non-standard dependency management solution, we now support :

  • License scanning vendor dependencies
  • Analyzing archives that are located at a specific web address (e.g. https://my-deps-source/v1.zip)
  • Manually specifying dependency by its name and license (e.g. my-custom-dep with MIT License)
  • Manually specifying dependency for analysis by its name and dependency type (e.g. pip dependency: request)

Please refer to fossa-deps documentation for more details.

How to Upgrade to the New FOSSA CLI

1. Remove Calls to fossa init

Since analysis targets are now automatically discovered during analysis, fossa init is no longer a valid command. Instead, fossa init is currently a no-op that emits a warning. It may be removed in a future release.

2. Migrate Your .fossa.yml File

We've made major breaking changes in the .fossa.yml file format for the new CLI to improve clarity. Customers need to migrate their 1.x .fossa.yml to the new format (3.x) for their configurations to apply. .fossa.yml for 1.x will be ignored when running the CLI with version greater than 1.x. We determine whether a configuration file is compatible by examining its version field.

  • .fossa.yml with version field value of 1 and 2 are for 1.x.
  • .fossa.yml with version field value of 3 are for 3.x, and 2.x.

For documentation on the new configuration file format, click here.

Migrate "Archive Upload" Targets

With the new CLI, archive uploads are no longer a special analysis target type. Instead, you can use our general support for manually specified dependencies to specify local dependencies.

Getting Help with Your Migration

Information about breaking changes and deprecated commands can be found here.

If you are integrating a private project and want to share more details, or if you're a FOSSA customer with priority support, you can also email support@fossa.com or file a ticket at support.fossa.com for assistance.