Strict mode #1463

Merged (11 commits), Sep 13, 2024
3 changes: 3 additions & 0 deletions Changelog.md
@@ -1,5 +1,8 @@
# FOSSA CLI Changelog

## 3.9.34

- `--strict`: Users can now enable strict mode for analysis. ([#1463](https://github.com/fossas/fossa-cli/pull/1463))

## 3.9.33

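Review bot: the changelog line only says that strict mode can be enabled; state what it changes for users in the entry itself, e.g. "`--strict`: analysis uses only the primary strategy for each project type and no longer falls back to less accurate strategies when it fails." A reader of the changelog should not have to follow the PR link to learn that fallbacks are rejected.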
16 changes: 15 additions & 1 deletion docs/references/strategies/README.md
Expand Up @@ -129,12 +129,26 @@ With this option enabled, strategies that don't offer a way to analyze staticall

It is important to note that neither type of strategy has an inherent benefit when detecting dependencies. If a supported language has only a static or only a dynamic strategy, this does not mean it is less supported than a language that has both.

## Strict Analysis

Strict analysis enforces the use of the most accurate strategy for detecting dependencies, ensuring precise and consistent results by rejecting fallback methods that may offer less reliable detection.

For example, in Maven projects, FOSSA CLI attempts analysis with the following strategy order:

1. Run the [mavenplugin](../strategies/languages/maven/mavenplugin.md) strategy, which provides the most accurate dependency information.
2. If that fails, it attempts the [treecmd](../strategies/languages/maven/treecmd.md) strategy, which parses the output of the `mvn dependency:tree` command.
3. Finally, it falls back to the [pomxml](../strategies/languages/maven/pomxml.md) strategy, scanning pom.xml files for dependencies.

However, with the `--strict` flag, only the `mavenplugin` strategy will be used. If the `mavenplugin` command fails, FOSSA will not attempt the `treecmd` or `pomxml` methods. This ensures that your Maven analysis relies solely on the most precise and validated strategy.

Invoke strict analysis with the `--strict` flag when running `fossa analyze`.

### Strategies by type

> If the FOSSA CLI is forced to utilize a fallback strategy, meaning it did not detect ideal results, a warning is emitted in the scan summary after running `fossa analyze`.

| Language/Package Manager | Dynamic | Static | Detect Vendored Code | Primary Strategy |
| ----------------------------------------------------------------------------------------------------------------------------------------------- | --------- | --------- | -------------------- | ---------------- |
|-------------------------------------------------------------------------------------------------------------------------------------------------|-----------|-----------|----------------------|------------------|
| [C#](https://github.com/fossas/fossa-cli/tree/master/docs/references/strategies/languages/dotnet) | ✅ | ✅ | ❌ | Dynamic |
| [C](https://github.com/fossas/fossa-cli/tree/master/docs/references/strategies/languages/c-cpp/c-cpp.md) | :warning: | :warning: | ✅ | None |
| [C++](https://github.com/fossas/fossa-cli/tree/master/docs/references/strategies/languages/c-cpp/c-cpp.md) | :warning: | :warning: | ✅ | None |
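Review bot: the new Strict Analysis section says that with `--strict` FOSSA "will not attempt" `treecmd` or `pomxml` when `mavenplugin` fails, but never states what the user then gets: does `fossa analyze` exit non-zero, report no dependencies for that target, or only emit a warning like the fallback warning quoted under "Strategies by type"? That outcome is the whole point of a strict mode and belongs right after the Maven example. Also document the interaction with `--static-only-analysis` here rather than only in analyze.md. Separately, the table separator change (removing the spaces around the dashes) is whitespace-only noise unrelated to this feature and could be dropped.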
45 changes: 23 additions & 22 deletions docs/references/subcommands/analyze.md
Expand Up @@ -13,26 +13,26 @@ For supported command-line flags, use `fossa analyze --help`

In addition to the [usual FOSSA project flags](#common-fossa-project-flags) supported by all commands, the analyze command supports the following FOSSA-project-related flags:

| Name | Short | Description |
| ------------------------------------- | ----- | ----------------------------------------------------------------------------------- |
| `--title 'some title'` | `-t` | Set the title of the FOSSA project |
| `--branch 'some branch'` | `-b` | Override the detected FOSSA project branch |
| `--project-url 'https://example.com'` | `-P` | Add a URL to the FOSSA project |
| `--jira-project-key 'some-key'` | `-j` | Add a Jira project key to the FOSSA project |
| `--link 'https://example.com'` | `-L` | Attach a link to the current FOSSA build |
| `--team 'some team'` | `-T` | Specify a team within your FOSSA organization |
| `--policy 'some policy'` | | Assign a specific FOSSA policy to this project. Mutually excludes `--policy-id`. |
| `--policy-id 'some policy id'` | | Assign a specific FOSSA policy to this project by id. Mutually excludes `--policy`. |
| `--project-label` | | assign up to 5 labels to the project |
| `--release-group-name 'MY_RG'` | | add the project to this release group (also requires `--release-group-release`) |
| `--release-group-release 'MY_RELEASE'`| | add the project to this release version within the release group |
| Name | Short | Description |
|----------------------------------------|-------|-------------------------------------------------------------------------------------|
| `--title 'some title'` | `-t` | Set the title of the FOSSA project |
| `--branch 'some branch'` | `-b` | Override the detected FOSSA project branch |
| `--project-url 'https://example.com'` | `-P` | Add a URL to the FOSSA project |
| `--jira-project-key 'some-key'` | `-j` | Add a Jira project key to the FOSSA project |
| `--link 'https://example.com'` | `-L` | Attach a link to the current FOSSA build |
| `--team 'some team'` | `-T` | Specify a team within your FOSSA organization |
| `--policy 'some policy'` | | Assign a specific FOSSA policy to this project. Mutually excludes `--policy-id`. |
| `--policy-id 'some policy id'` | | Assign a specific FOSSA policy to this project by id. Mutually excludes `--policy`. |
| `--project-label` | | assign up to 5 labels to the project |
| `--release-group-name 'MY_RG'` | | add the project to this release group (also requires `--release-group-release`) |
| `--release-group-release 'MY_RELEASE'` | | add the project to this release version within the release group |

### Filtering Paths and Targets

The paths and targets filtering options allow you to specify the exact targets which be should be scanned.

| Name | Description |
| -------------------------------- | ------------------------------------------------------------------------------------------------------------------------ |
|----------------------------------|--------------------------------------------------------------------------------------------------------------------------|
| `--only-target` | Only scan these targets. See [targets.only](../files/fossa-yml.md#targets.only) in the fossa.yml spec. |
| `--exclude-target` | Exclude these targets from scanning. See [targets.exclude](../files/fossa-yml.md#targets.exclude) in the fossa.yml spec. |
| `--only-path` | Only scan these paths. See [paths.only](../files/fossa-yml.md#paths.only) in the fossa.yml spec. |
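Review bot: this hunk only re-aligns the pipes of the two tables and changes no content; a whitespace-only reformat inflates the diff of a feature PR and makes `git blame` on every flag row point at the strict-mode change. Either drop it or move it to a separate commit. If the table is being touched anyway, the sentence above it still reads "the exact targets which be should be scanned"; fix it to "which should be scanned".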
Expand Down Expand Up @@ -77,7 +77,7 @@ fossa analyze --fossa-deps-file /path/to/file
The Vendored Dependencies feature allows you to scan for licenses directly in your code. For more information, please see the [Vendored Dependencies documentation](../../features/vendored-dependencies.md).

| Name | Description |
| ----------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|-------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `--force-vendored-dependency-scan-method` | Force the vendored dependency scan method. The options are 'CLILicenseScan' or 'ArchiveUpload'. 'CLILicenseScan' is usually the default unless your organization has overridden this. |
| `--force-vendored-dependency-rescans` | Force vendored dependencies to be rescanned even if the revision has been previously analyzed by FOSSA. This currently only works for CLI-side license scans. |

Expand Down Expand Up @@ -128,11 +128,12 @@ We support the following archive formats:

In addition to the [standard flags](#specifying-fossa-project-details), the analyze command supports the following additional strategy flags:

| Name | Description |
| --------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| [`--detect-vendored`](./analyze/detect-vendored.md) | Enable the vendored source identification engine. For more information, see the [C and C++ overview](../strategies/languages/c-cpp/c-cpp.md). |
| [`--detect-dynamic './some-binary`](./analyze/detect-dynamic.md) | Analyze the binary at the provided path for dynamically linked dependencies. For more information, see the [C and C++ overview](../strategies/languages/c-cpp/c-cpp.md). |
| [`--static-only-analysis`](../strategies/README.md#static-and-dynamic-strategies) | Do not use third-party tools when analyzing projects. |
| Name | Description |
|-----------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| [`--detect-vendored`](./analyze/detect-vendored.md) | Enable the vendored source identification engine. For more information, see the [C and C++ overview](../strategies/languages/c-cpp/c-cpp.md). |
| [`--detect-dynamic './some-binary`](./analyze/detect-dynamic.md) | Analyze the binary at the provided path for dynamically linked dependencies. For more information, see the [C and C++ overview](../strategies/languages/c-cpp/c-cpp.md). |
| [`--static-only-analysis`](../strategies/README.md#static-and-dynamic-strategies) | Do not use third-party tools when analyzing projects. |
| `--strict` | Enforces strict analysis to ensure the most accurate results by rejecting fallbacks. When run with `--static-only-analysis`, the most optimal static strategy will be applied without fallbacks. |


### Experimental Options
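Review bot: the `--strict` description says "the most optimal static strategy will be applied without fallbacks"; "most optimal" is redundant, write "the best available static strategy". More importantly, the row should say what happens when that strategy fails (the strategies README says no fallback is attempted but not whether the command errors out), because a CI user passing `--strict` needs to know whether a failed primary strategy breaks the build. Consider also linking the flag to the new Strict Analysis section (`../strategies/README.md#strict-analysis`), as the neighbouring rows link to their documentation.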
Expand All @@ -142,7 +143,7 @@ _Important: For support and other general information, refer to the [experimenta
In addition to the [standard flags](#specifying-fossa-project-details), the analyze command supports the following experimental flags:

| Name | Description |
| ---------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| [`--experimental-enable-binary-discovery`](../experimental/binary-discovery/README.md) | Enable reporting binary files as unlicensed dependencies. For more information, see the [binary discovery overview](../experimental/binary-discovery/README.md). |
| [`--experimental-link-project-binary './some-dir'`](../experimental/msb/README.md) | Link the provided binary files to the project being analyzed. For more information, see the [multi stage builds overview](../experimental/msb/README.md). |
| [`--experimental-skip-vsi-graph 'custom+1/some$locator'`](../experimental/msb/README.md) | Skip resolving the dependencies of the given project that was previously linked via `--experimental-link-project-binary`. |
Expand Down Expand Up @@ -258,7 +259,7 @@ touch reqs.txt && fossa analyze && rm reqs.txt && fossa test
All `fossa` commands support the following FOSSA-project-related flags:

| Name | Short | Description |
| ---------------------------------- | ----- | ---------------------------------------------------------------------------------------------------------------------------------------- |
|------------------------------------|-------|------------------------------------------------------------------------------------------------------------------------------------------|
| `--project 'some project'` | `-p` | Override the detected project name |
| `--revision 'some revision'` | `-r` | -Override the detected project revision |
| `--fossa-api-key 'my-api-key'` | | An alternative to using the `FOSSA_API_KEY` environment variable to specify a FOSSA API key |
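Review bot: whitespace-only re-alignment again; while this table is being rewritten, the `--revision` row in the unchanged context still reads `-Override the detected project revision` with a stray leading hyphen. Drop it so the column reads like the other rows.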
3 changes: 2 additions & 1 deletion integration-test/Analysis/CarthageSpec.hs
Expand Up @@ -5,6 +5,7 @@ module Analysis.CarthageSpec (spec) where

import Analysis.FixtureExpectationUtils
import Analysis.FixtureUtils
import App.Types (Mode (NonStrict))
import Path
import Strategy.Carthage qualified as Carthage
import Test.Hspec
Expand All @@ -24,4 +25,4 @@ swiftQueue =

spec :: Spec
spec = do
testSuiteDepResultSummary swiftQueue CarthageProjectType (DependencyResultsSummary 1 1 0 1 Complete)
testSuiteDepResultSummary NonStrict swiftQueue CarthageProjectType (DependencyResultsSummary 1 1 0 1 Complete)
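Review bot: `testSuiteDepResultSummary` now takes a `Mode` as its first argument, but the only call here passes `NonStrict`, so the new code path is unexercised for Carthage. Add a `Strict` variant with its expected summary, as CocoapodsSpec does for `shadowsocksXNG`, so the test records whether the Carthage result is the same in strict mode. The same applies to the Clojure, Elixir and Erlang specs in this PR.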
5 changes: 3 additions & 2 deletions integration-test/Analysis/ClojureSpec.hs
Expand Up @@ -5,6 +5,7 @@ module Analysis.ClojureSpec (spec) where

import Analysis.FixtureExpectationUtils
import Analysis.FixtureUtils
import App.Types (Mode (NonStrict))
import Path
import Strategy.Leiningen qualified as Leiningen
import Test.Hspec
Expand Down Expand Up @@ -39,5 +40,5 @@ ring =

spec :: Spec
spec = do
testSuiteDepResultSummary eastwood LeiningenProjectType (DependencyResultsSummary 10 7 3 1 Complete)
testSuiteDepResultSummary ring LeiningenProjectType (DependencyResultsSummary 23 6 17 1 Complete)
testSuiteDepResultSummary NonStrict eastwood LeiningenProjectType (DependencyResultsSummary 10 7 3 1 Complete)
testSuiteDepResultSummary NonStrict ring LeiningenProjectType (DependencyResultsSummary 23 6 17 1 Complete)
6 changes: 4 additions & 2 deletions integration-test/Analysis/CocoapodsSpec.hs
Expand Up @@ -5,6 +5,7 @@ module Analysis.CocoapodsSpec (spec) where

import Analysis.FixtureExpectationUtils
import Analysis.FixtureUtils
import App.Types (Mode (..))
import Path
import Strategy.Cocoapods qualified as Cocoapods
import Test.Hspec
Expand Down Expand Up @@ -36,5 +37,6 @@ sDWebImage =

spec :: Spec
spec = do
testSuiteDepResultSummary shadowsocksXNG CocoapodsProjectType (DependencyResultsSummary 7 6 2 1 Complete)
testSuiteDepResultSummary sDWebImage CocoapodsProjectType (DependencyResultsSummary 4 4 0 1 Partial)
testSuiteDepResultSummary NonStrict shadowsocksXNG CocoapodsProjectType (DependencyResultsSummary 7 6 2 1 Complete)
testSuiteDepResultSummary Strict shadowsocksXNG CocoapodsProjectType (DependencyResultsSummary 7 6 2 1 Complete)
testSuiteDepResultSummary NonStrict sDWebImage CocoapodsProjectType (DependencyResultsSummary 4 4 0 1 Partial)
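Review bot: good to see both modes covered for `shadowsocksXNG`, but the more interesting fixture is `sDWebImage`, whose expected summary is `Partial`. If that partial result comes from a fallback strategy, a `Strict` run should differ or fail, and if it does not, a `Strict` expectation documents that. Either add the `Strict` case for `sDWebImage` or leave a comment saying why it is omitted, and consider generating the Strict/NonStrict pairs from one list of fixtures instead of duplicating the lines.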
3 changes: 2 additions & 1 deletion integration-test/Analysis/ElixirSpec.hs
Expand Up @@ -5,6 +5,7 @@ module Analysis.ElixirSpec (spec) where

import Analysis.FixtureExpectationUtils
import Analysis.FixtureUtils
import App.Types (Mode (NonStrict))
import Effect.Exec (AllowErr (Never), Command (Command))
import Path
import Strategy.Mix qualified as Mix
Expand Down Expand Up @@ -42,4 +43,4 @@ absinthe =

spec :: Spec
spec = do
testSuiteDepResultSummary absinthe MixProjectType (DependencyResultsSummary 4 4 1 1 Complete)
testSuiteDepResultSummary NonStrict absinthe MixProjectType (DependencyResultsSummary 4 4 1 1 Complete)
5 changes: 3 additions & 2 deletions integration-test/Analysis/ErlangSpec.hs
Expand Up @@ -5,6 +5,7 @@ module Analysis.ErlangSpec (spec) where

import Analysis.FixtureExpectationUtils
import Analysis.FixtureUtils
import App.Types (Mode (NonStrict))
import Path
import Strategy.Rebar3 qualified as Rebar3
import Test.Hspec
Expand Down Expand Up @@ -39,5 +40,5 @@ emqx =

spec :: Spec
spec = do
testSuiteDepResultSummary cowboy Rebar3ProjectType (DependencyResultsSummary 2 2 0 1 Complete)
testSuiteDepResultSummary emqx Rebar3ProjectType (DependencyResultsSummary 0 0 0 1 Complete)
testSuiteDepResultSummary NonStrict cowboy Rebar3ProjectType (DependencyResultsSummary 2 2 0 1 Complete)
testSuiteDepResultSummary NonStrict emqx Rebar3ProjectType (DependencyResultsSummary 0 0 0 1 Complete)