
Show HN: Fossa-cli – Fast and reliable dependency analysis for any codebase - XiZhao
https://github.com/fossas/fossa-cli?top
======
andmarios
This looks great, alas I am unable to test it.

When I try to sign up, they want write access to my repos, to the org repos I
am a member of, etc. Let's make this clear: I am not giving anyone write
access to my repos and certainly not to other people's repos. Read permissions
should be enough. You want to add something to my repo? Do a PR.

So what remains is to test the command line app without using the online
service. But the documentation is bad, so I am not able to do that either. No
docs for Scala; when trying with Go, I get cryptic errors like 'no supported
Go build tools detected' until I install a third-party Go binary (godep or
govendor), and 'could not find Go project folder (maybe your Go build tool is
not supported?)'.

The idea is great, the execution needs some work.

~~~
XiZhao
Unfortunately, the permissions issue is a limitation of GitHub's OAuth API.
There's no way to ask for "read-only" permissions using their current
integration scheme.

You can, however, get a FOSSA API key without signing up with GitHub -- just
register with an email here:
[https://app.fossa.io/account/register](https://app.fossa.io/account/register)

Thanks! I filed a ticket for sbt documentation here:
[https://github.com/fossas/fossa-cli/issues/105](https://github.com/fossas/fossa-cli/issues/105).

For Golang, you need to be running the CLI in a repo within your GOPATH; we
should have some better feedback for it, however. I opened another issue here
([https://github.com/fossas/fossa-cli/issues/106](https://github.com/fossas/fossa-cli/issues/106)), anything you
can contribute?

~~~
andmarios
Thanks for the quick reply! Happy to see I can test this without giving GitHub
access.

Still have some issues, hope I will work them out.

------
achou
I like that FOSSA scans FOSSA. Here's the link from the "license scan" badge
on GitHub:
[https://app.fossa.io/projects/git%2Bgithub.com%2Ffossas%2Ffo...](https://app.fossa.io/projects/git%2Bgithub.com%2Ffossas%2Ffossa-cli/refs/branch/master/abc139975f7d6e9d8b43648782065bec02a9ffd3)

~~~
aequitas
Imho, eating your own dog food is one of the higher virtues of software
development (although I wouldn't recommend it in real life due to dog food vs.
human food quality standards).

Having to use your own product or process (e.g., GitHub PR workflow) makes you
aware of the problems and pain points it might bring onto others, often
resulting in a better product.

~~~
aidenn0
The fact that it is so effective is IMO why so many open source development
tools are of much higher quality than non-development tools.

------
mypitch
Impressive work. It takes courage to tackle the over-complicated compliance
area - a headache to a lot of startup owners, including myself. Thanks for
simplifying the annoying compliance verification & maintenance processes and
making it accessible to everyone.

------
ibdf
Fun fact: in Portuguese, "fossa" means cesspool, but hopefully this was named
after the animal ;)

~~~
mkarnicki
I couldn't help but think: "For Open Source Software Analysis"

------
helb
Nice-looking website! I believe I've encountered some broken links:

- the _"Upload Build Scan"_ button links to the Readme on GitHub; is it
intentional?

- the GitLab logo (under _"WORKFLOW TOOLS"_) links to the Bitbucket/Stash docs
instead of [https://fossa.io/docs/integrating-tools/gitlab/](https://fossa.io/docs/integrating-tools/gitlab/)

And the constantly changing window title (_"Kevin says…"_) makes me want to
close the tab. Also:

> _Install the latest GitHub Release using curl_

Nope.

------
wink
I don't get it - looking at the example at
[https://github.com/fossas/fossa-cli?top#quick-start](https://github.com/fossas/fossa-cli?top#quick-start),
that's hardly more telling than looking at the original dependency file?

Maybe there should be a (more prominent?) link to that rich, hosted example
report :)

------
cjp
> for any codebase

> Supports over 15+ languages & environments (JavaScript, Java, Ruby, Golang,
> PHP, etc...)

The title here is overly broad, bordering on clickbait. I suggest it be
edited to "for several popular languages".

------
julienchastang
+1 for Python ([https://github.com/fossas/fossa-cli/issues/13](https://github.com/fossas/fossa-cli/issues/13))

------
tnhmen
XiZhao, any links that explain the tool like I am 5 (in a programming sense)? The
tool feels like it is of importance to my current Java project.

------
johnnyo
Step One: Get low-level developers to upload evidence of major corporate
license violations to your server.

Step Two: Sell evidence to legal firms.

Step Three: Profit.

This seems very risky from a company perspective.

~~~
XiZhao
Kevin from FOSSA here -- I hope it's clear that this would be completely
against our policies and business model. However, if you're truly worried
about this, you can install a fully on-prem version of FOSSA. Use of
app.fossa.io with fossa-cli is also an opt-in feature, so by default you're
not sending us any data.

Secondly, we deal entirely with third-party code, so the licensing issues and
risks are already completely public. If there were truly a malicious actor,
they would just scan popular third-party modules and reach out to companies
that had job postings or GitHub pages that were active in those environments
(i.e. scan npm packages and target JS developers).

But in the spirit of good development practices, "security by obscurity"
hasn't proved to be an effective strategy. We'd prefer not to promote "legal
by obscurity" either. :)

~~~
johnnyo
I don’t see that as against your business model at all.

You could build up a large database of say, violations of Oracle licenses,
then get Oracle to buy out your company.

You’d make a quick buck, and your users would be left holding the bag.

How do you mitigate against these types of threats to your users?

~~~
XiZhao
I think it's pretty clear that extorting your customers is an awful business
idea. ;)

~~~
johnnyo
That doesn’t answer the question at all. What’s stopping a big IP firm from
buying your company for the database of license violations?

~~~
ilikebits
You can run an on-premises instance.

