Show HN: Fossa-cli – Fast and reliable dependency analysis for any codebase (github.com)
104 points by XiZhao 9 months ago | 29 comments

This looks great, alas I am unable to test it.

When I try to sign up, they want write access to my repos, to the org repos I am a member of, etc. Let's make this clear: I am not giving anyone write access to my repos and certainly not to other people's repos. Read permissions should be enough. You want to add something to my repo? Do a PR.

So what remains is to test the command line app without using the online service. But the documentation is bad, so I am not able to do that either. No docs for Scala; when trying with Go, I get cryptic errors like 'no supported Go build tools detected' until I install a third-party Go binary (godep or govendor), and then 'could not find Go project folder (maybe your Go build tool is not supported?)'.

The idea is great, the execution needs some work.

Unfortunately, the permissions issue is a limitation of GitHub's OAuth API. There's no way to ask for "read-only" permissions using their current integration scheme.

You can, however, get a FOSSA API key without signing up for GitHub -- just register with an email here: https://app.fossa.io/account/register

Thanks! I filed a ticket for sbt documentation here: https://github.com/fossas/fossa-cli/issues/105.

For Golang, you need to be running the CLI in a repo within your GOPATH; we should have better feedback for it, however. I opened another issue here (https://github.com/fossas/fossa-cli/issues/106), anything you can contribute?

Thanks for the quick reply! Happy to see I can test this without giving GitHub access.

Still have some issues, hope I will work them out.

An update, since I see some upvotes.

I followed @XiZhao's advice and managed to sign up without giving access to GitHub, which is very good. If I want to have scans run automatically on GitHub projects, I still have to grant write access. The other option is to run the tests myself, which probably is what someone in a professional setup will do anyway, so I think it is not a very serious issue, although it would be nice to have it fixed.

As for my Go endeavors, I haven't yet managed to analyze my Go projects, but I did have better luck with JavaScript and Scala (Gradle), which was very impressive.

Great project overall and I am sure it will be a success, because I know firsthand how cumbersome it can be to do this important task manually.

This is a GitHub limitation. I get around it for other services by making a dedicated GitHub user account, granting that user read-only access, and then connecting to the 3rd-party app. It's a somewhat annoying workaround, but it works.

I like that FOSSA scans FOSSA. Here's the link from the "license scan" badge on github: https://app.fossa.io/projects/git%2Bgithub.com%2Ffossas%2Ffo...

Imho, eating your own dog food is one of the higher virtues of software development (although I wouldn't recommend it in real life due to dog food vs human food quality standards).

Having to use your own product or process (e.g., the GitHub PR workflow) makes you aware of the problems and pain points it might bring onto others, often resulting in a better product.

The fact that it is so effective is IMO why so many open source development tools are much higher quality than non development tools.

Ever since I realized that the "license scan: passing" badge is FOSSA, I've been seeing it on a bunch of other open source repositories, too. Like https://app.fossa.io/projects/git%2Bgithub.com%2Fwebpack%2Fw....

Impressive work. It takes courage to tackle the over-complicated compliance area - a headache to a lot of startup owners including myself. Thanks for simplifying the annoying compliance verification & maintenance processes and making it accessible to everyone.

Fun fact, in Portuguese Fossa means cesspool but hopefully this was named after the animal ;)

I couldn't help but think: "For Open Source Software Analysis"

Nice looking website! I believe I've encountered some broken links:

- the "Upload Build Scan" button links to Readme on Github, is it intentional?

- GitLab logo (under "WORKFLOW TOOLS") links to Bitbucket/Stash docs instead of https://fossa.io/docs/integrating-tools/gitlab/

And the constantly changing window title ("Kevin says…") makes me want to close the tab. Also:

> Install the latest Github Release using curl
I don't get it - looking at the example at https://github.com/fossas/fossa-cli?top#quick-start - that's hardly more telling than looking at the original dependency file?

Maybe there should be a (more prominent?) link to that rich, hosted example report :)

> for any codebase

> Supports over 15+ languages & environments (JavaScript, Java, Ruby, Golang, PHP, etc...)

The title here is overly broad, bordering on clickbait. I suggest it be edited to "for several popular languages".

XiZhao, any links that explain the tool like I am 5 (in a programming sense)? The tool feels like it is of importance to my current Java project.

Step One: Get low level developers to upload evidence of major corporate license violations to your server.

Step Two: Sell evidence to legal firms.

Step Three: Profit.

This seems very risky from a company perspective.

Kevin from FOSSA here -- I hope it's clear that this would be completely against our policies and business model. However, if you're truly worried about this, you can install a fully on-prem version of FOSSA. Use of app.fossa.io with fossa-cli is also an opt-in feature, so by default you're not sending us any data.

Secondly, we deal entirely with 3rd-party code, so the licensing issues and risks are already completely public. If there were truly a malicious actor, they would just scan popular third-party modules and reach out to companies that had job postings or GitHub pages that were active in those environments (i.e. scan npm packages and target JS developers).

But in the spirit of good development practices, "security by obscurity" hasn't proved to be an effective strategy. We'd prefer not to promote "legal by obscurity" either. :)

I don’t see that as against your business model at all.

You could build up a large database of say, violations of Oracle licenses, then get Oracle to buy out your company.

You’d make a quick buck, and your users would be left holding the bag.

How do you mitigate against these types of threats to your users?

I think it's pretty clear that extorting your customers is an awful business idea. ;)

Unless you want to get acquired by Oracle, that is.

That doesn’t answer the question at all. What’s stopping a big IP firm from buying your company for the database of license violations?

You can run an on-premises instance.

Nothing I guess, but it's opt-in...

Tell that to Larry Ellison ;)

I get that cynicism is sort of an HN thing, but this (building a SaaS company and then building and open sourcing a developer tool) seems like an incredibly expensive way to be an IP troll. There are way lower hanging fruit for IP trolling.

Disclaimer: I work for FOSSA.

Even if it wasn’t the initial goal of the company, it certainly would be a potential path forward, if the SaaS offerings ended up being unprofitable and the company was winding down.

It’s a very real risk of using the service.

If this is a serious concern for you, you can do an on-premises installation instead. In that case, none of your data ever leaves your intranet.
