When I try to sign up, they want write access to my repos, to the org repos I am a member of, etc.
Let's make this clear: I am not giving anyone write access to my repos, and certainly not to other people's repos. Read permissions should be enough. You want to add something to my repo? Do a PR.
So what remains is to test the command-line app without using the online service. But the documentation is bad, so I am not able to do that either. No docs for Scala; when trying with Go, I get cryptic errors like 'no supported Go build tools detected' until I install a third-party Go binary (godep or govendor), and 'could not find Go project folder (maybe your Go build tool is not supported?)'.
The idea is great, the execution needs some work.
You can, however, get a FOSSA API key without signing up for Github -- just register with an email here: https://app.fossa.io/account/register
Thanks! I filed a ticket for sbt documentation here: https://github.com/fossas/fossa-cli/issues/105.
For Golang, you need to be running the cli in a repo within your gopath; we should have some better feedback for it, however. I opened another issue here (https://github.com/fossas/fossa-cli/issues/106), anything you can contribute?
Still have some issues, hope I will work them out.
I followed @XiZhao's advice and managed to sign up without giving access to github, which is very good.
If I want to have scans run automatically on github projects, I still have to grant write access. The other option is to run the tests myself, which probably is what someone in a professional setup will do anyway, so I think it is not a very serious issue, although it would be nice to have it fixed.
Great project overall and I am sure it will be a success, because I know firsthand how cumbersome it can be to do this important task manually.
Having to use your own product or process (e.g., Github PR workflow) makes you aware of the problems and pain points it might bring onto others, often resulting in a better product.
- the "Upload Build Scan" button links to Readme on Github, is it intentional?
- GitLab logo (under "WORKFLOW TOOLS") links to Bitbucket/Stash docs instead of https://fossa.io/docs/integrating-tools/gitlab/
And the constantly changing window title ("Kevin says…") makes me want to close the tab. Also:
> Install the latest Github Release using curl
Maybe there should be a (more prominent?) link to that rich, hosted example report :)
The title here is overly broad, bordering on click bait. I suggest it be edited to "for several popular languages".
Step Two: Sell evidence to legal firms.
Step Three: Profit.
This seems very risky from a company perspective.
Secondly, we deal entirely with 3rd-party code, so the licensing issues and risks are already completely public. If there was truly a malicious actor, they would just scan popular third party modules and reach out to companies that had job postings or github pages that were active in those environments (i.e. scan npm packages and target JS developers).
But in the spirit of good development practices, "security by obscurity" hasn't proved to be an effective strategy. We'd prefer not to promote "legal by obscurity" either. :)
You could build up a large database of say, violations of Oracle licenses, then get Oracle to buy out your company.
You’d make a quick buck, and your users would be left holding the bag.
How do you mitigate against these types of threats to your users?
Disclaimer: I work for FOSSA.
It’s a very real risk of using the service.