We are excited to announce the release of our revamped CLI! The new CLI will make FOSSA integrations easier to deploy by reducing the amount of configuration needed by users. This represents a major step in our journey to enabling turnkey deployment on as many build systems and codebases as possible.
In this blog, we’ll highlight some of the specific improvements and features you can expect with the new CLI.
Improvements
New Build Manager Support
Our new CLI has added support for the following build managers and languages:
- Swift Package Manager (for Swift)
- Pub (for Flutter and Dart)
- Poetry (for Python)
- Mix (for Elixir)
- Fortran Package Manager (for Fortran)
Improved Accuracy
Analysis strategies have substantive improvements in correctness and reliability across all language integrations. The new version has much stronger compile-time correctness guarantees in its parsers.
Stronger Debug Logging
Our new CLI has improved debug logging, including a new feature called "replay logging," which allows developers to perfectly reproduce a bug report given a replay log. This is made possible by stronger compile-time guarantees that ensure all effects that occur during analysis are logged for replay.
Automatic Analysis Target Discovery
The new CLI now does automatic analysis target discovery when you run fossa analyze, without requiring fossa init. The CLI now automatically selects the optimal strategy for analysis targets given the current environment (e.g. whether a build tool is available).
New Fossa-Deps Configuration Support
When working with a package manager that is not supported, or when you have a custom and non-standard dependency management solution, we now support:
- License scanning vendored dependencies
- Analyzing archives that are located at a specific web address (e.g. https://my-deps-source/v1.zip)
- Manually specifying a dependency by its name and license (e.g. my-custom-dep with MIT License)
- Manually specifying a dependency for analysis by its name and dependency type (e.g. pip dependency: request)
Please refer to fossa-deps documentation for more details.
How to Upgrade to the New FOSSA CLI
1. Remove Calls to fossa init
Since analysis targets are now automatically discovered during analysis, fossa init is no longer a valid command. Instead, fossa init is currently a no-op that emits a warning. It may be removed in a future release.
2. Migrate Your .fossa.yml File
We've made major breaking changes in the .fossa.yml file format for the new CLI to improve clarity. Customers need to migrate their 1.x .fossa.yml to the new format (3.x) for their configurations to apply. A .fossa.yml for 1.x will be ignored when running the CLI with a version greater than 1.x. We determine whether a configuration file is compatible by examining its version field.
- .fossa.yml with version field value of 1 and 2 are for 1.x.
- .fossa.yml with version field value of 3 are for 3.x, and 2.x.
For documentation on the new configuration file format, click here.
Migrate "Archive Upload" Targets
With the new CLI, archive uploads are no longer a special analysis target type. Instead, you can use our general support for manually specified dependencies to specify local dependencies.
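A pre-upgrade audit for steps 1 and 2 above, as an added example that is not FOSSA's own code: it flags every .fossa.yml whose version field is not 3 (a 1.x file is ignored by the new CLI, so its settings stop applying) and every remaining fossa init call. The function names, the regex-based read of the version field, and the assumption that CI scripts match *.sh, *.yml or *.yaml are choices made for this illustration.

```python
import re
from pathlib import Path

# Top-level "version:" key only; indented keys belong to nested mappings.
VERSION_RE = re.compile(r"^version:[ \t]*['\"]?(\d+)['\"]?[ \t]*(?:#.*)?$", re.M)
# "fossa init" used as a command on a line that is not commented out.
INIT_RE = re.compile(r"^[^#\n]*\bfossa[ \t]+init\b", re.M)

def config_format(text):
    """Map the version field to the CLI generation that reads the file."""
    m = VERSION_RE.search(text)
    version = int(m.group(1)) if m else None
    if version in (1, 2):
        return "1.x"  # ignored by any CLI newer than 1.x
    if version == 3:
        return "3.x"  # read by 3.x and 2.x
    return "unknown"

def init_call_lines(text):
    """1-based line numbers of `fossa init` invocations in a script."""
    return [text.count("\n", 0, m.start()) + 1 for m in INIT_RE.finditer(text)]

def audit(root, script_globs=("*.sh", "*.yml", "*.yaml")):
    """Return (relative path, finding) pairs for everything left to migrate."""
    root, findings = Path(root), []
    for cfg in sorted(root.rglob(".fossa.yml")):
        fmt = config_format(cfg.read_text(errors="replace"))
        if fmt != "3.x":
            findings.append((cfg.relative_to(root).as_posix(),
                             f"version field maps to {fmt}, not the 3.x format"))
    scripts = {p for g in script_globs for p in root.rglob(g)
               if p.is_file() and p.name != ".fossa.yml"}
    for script in sorted(scripts):
        for line in init_call_lines(script.read_text(errors="replace")):
            findings.append((script.relative_to(root).as_posix(),
                             f"line {line}: remove `fossa init` (no-op, warns)"))
    return findings

if __name__ == "__main__":
    import sys
    results = audit(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, finding in results:
        print(f"{path}: {finding}")
    sys.exit(1 if results else 0)  # non-zero exit fails the CI job
```

Run as a CI step before switching CLI versions, the non-zero exit stops the pipeline while any legacy configuration or fossa init call remains.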
Getting Help with Your Migration
Information about breaking changes and deprecated commands can be found here.
If you are integrating a private project and want to share more details, or if you're a FOSSA customer with priority support, you can also email support@fossa.com or file a ticket at support.fossa.com for assistance.