2025 is almost here, but the FOSSA product and engineering teams have continued to work hard on delivering new functionality to help our customers manage SBOMs, vulnerabilities, and open source license compliance.
This product updates blog will cover new support for an important open source license compliance use case, expanded options for managing compliance with FDA requirements, and more. Some of these product updates are available to all FOSSA users (e.g. the ability to recreate NOTICE files and expanded ecosystem coverage), while some are available only to users with a paid subscription.
We encourage existing FOSSA customers looking for more information about these features to contact their customer success representative. If you aren’t currently a FOSSA user, you can get started by signing up here.
Automating NOTICE File Recreation
As part of our mission to automate as much of the open source license compliance management process as possible, FOSSA has released new support for NOTICE file recreation. This complements our existing license attribution files that have long made it easy to produce complete license notice files.
The ability to recreate NOTICE files is important because some open source licenses — the Apache License 2.0 in particular — require it. Apache 2.0, one of the world’s most commonly used open source licenses, states in part:
“...If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file…”
When FOSSA scans a project, it searches for a NOTICE.txt file within the project's components. If it identifies one, it will reproduce the contents of the file both within the FOSSA app and in your attribution report.
To the best of our knowledge, we’re now the only tool that will automatically handle NOTICE file reproduction.
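As an added illustration of the step described above (example code, not FOSSA's implementation), the script below walks a project tree, collects every component's NOTICE file verbatim and concatenates them into one project-level NOTICE; the `vendor/<name>/` layout, the recognised file names and the sample contents are assumptions.

```python
"""Recreate a project-level NOTICE from the NOTICE files of its components.
Added example, not FOSSA's code; assumes components are vendored as
sub-directories under the project root (e.g. vendor/<name>/)."""
import os
import shutil
import tempfile
from pathlib import Path

# File names that commonly carry attribution notices (assumed set).
NOTICE_NAMES = {"NOTICE", "NOTICE.txt", "NOTICE.md"}


def find_notice_files(root):
    """Return (component, path) pairs for every NOTICE file below root,
    in a stable order so the generated file is reproducible."""
    root = Path(root)
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            if name in NOTICE_NAMES:
                path = Path(dirpath) / name
                found.append((path.parent.relative_to(root).as_posix(), path))
    return found


def build_notice(root):
    """Concatenate each component's NOTICE text verbatim (Apache 2.0 asks for a
    readable copy, so nothing is rewritten) under a header naming the component.
    Empty NOTICE files contribute nothing."""
    sections = []
    for component, path in find_notice_files(root):
        text = path.read_text(encoding="utf-8", errors="replace").strip()
        if text:
            sections.append(f"==== {component} ({path.name}) ====\n{text}")
    return "\n\n".join(sections) + "\n" if sections else ""


def demo_tree():
    """Constructed sample tree: lib-a ships a NOTICE, lib-b does not.
    Returns (number of NOTICE files found, aggregated NOTICE text)."""
    tmp = tempfile.mkdtemp()
    try:
        lib_a = Path(tmp, "vendor", "lib-a")
        lib_a.mkdir(parents=True)
        (lib_a / "NOTICE.txt").write_text("lib-a\nCopyright 2024 Example Org\n")
        (lib_a / "LICENSE").write_text("Apache License, Version 2.0\n")
        lib_b = Path(tmp, "vendor", "lib-b")
        lib_b.mkdir(parents=True)
        (lib_b / "LICENSE").write_text("MIT License\n")  # no NOTICE to carry forward
        return len(find_notice_files(tmp)), build_notice(tmp)
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    print(demo_tree()[1])
```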
Simplifying Component Support Status Disclosure for FDA SBOM Compliance
The FDA’s SBOM requirements include a provision mandating organizations to communicate the level of support for all software components in a given medical device. While this is often relatively straightforward for commercially provided software, it can be very challenging for open source components.
To help our medical device customers manage FDA compliance, we recently introduced an automated workflow that enriches SBOMs with level-of-support status. FOSSA automatically adds this information — either that a component is “maintained” or “abandoned” — based on our analysis. This capability, alongside support for end-of-life and complete SBOM management features, provides a comprehensive and low-friction way for medical device manufacturers to fulfill FDA requirements.
Introducing Recursive Detection for Jars in Containers
Organizations that use FOSSA to scan containers and manage container licensing and security issues will benefit from new functionality related to detecting JAR files. If FOSSA identifies a JAR file in a container, we’ll fingerprint-match that file against Maven Central to identify the package. FOSSA will then analyze the package for licenses and vulnerabilities.
This improvement will provide more comprehensive container scanning results, and, as such, better SBOM, license compliance, and vulnerability management for containers.
Announcing FOSSA Business Tier
In case you missed it, FOSSA recently launched our new business tier: license compliance, SBOM, and vulnerability management designed for smaller organizations and teams. Business tier has five different subscription levels designed to meet the budgetary needs of every business — while being the easiest option on the market today to implement and use. Please reference our blog announcement or pricing page for more details.
Using FOSSA’s New Features and Capabilities
Existing FOSSA users can feel free to reach out to their customer success contacts for more information on these product updates or guidance on using the new features. If you aren’t a FOSSA customer, get started by signing up for our free product or scheduling an enterprise demo.