In order to use these strategies special options must be provided to the CLI. See the linked documentation above for details.
Languages supported by FOSSA CLI can have multiple strategies for detecting dependencies, one primary strategy that yields ideal results and zero or more fallback strategies. Within this list of strategies, we have the concept of static and dynamic strategies. Static strategies parse files to find a dependency graph (example: parse a package-lock.json file). Dynamic strategies are required when analyzing package managers that do not offer complete lockfiles, such as Gradle or Go. Dynamic strategies require a working build environment to operate in.
Running the tool with all possible strategies enabled is recommended, but if you need to limit FOSSA CLI to only use static strategies the CLI offers the --static-only-analysis flag.
This flag prevents FOSSA CLI from using any third party tools, such as npm, pip, maven plugins, etc.
With this option enabled, strategies that don't offer a way to analyze statically will fail with an error.
It is important to note that neither type of strategy has an inherent benefit when detecting dependencies. If a supported language has only a static or only a dynamic strategy, this does not mean it is less supported than a language that has both.
Strict analysis enforces the use of the most accurate strategy for detecting dependencies, ensuring precise and consistent results by rejecting fallback methods that may offer less reliable detection.
For example, in Maven projects, FOSSA CLI attempts analysis with the following strategy order:
- Run the mavenplugin strategy, which provides the most accurate dependency information.
- If that fails, it attempts the treecmd strategy, which parses the output of the
mvn dependency:treecommand. - Finally, it falls back to the pomxml strategy, scanning pom.xml files for dependencies.
However, with the --strict flag, only the mavenplugin strategy will be used. If the mavenplugin command fails, FOSSA will not attempt the treecmd or pomxml methods. This ensures that your Maven analysis relies solely on the most precise and validated strategy.
Invoke strict analysis with the --strict flag when running fossa analyze.
If the FOSSA CLI is forced to utilize a fallback strategy, meaning it did not detect ideal results, a warning is emitted in the scan summary after running
fossa analyze.
| Language/Package Manager | Dynamic | Static | Detect Vendored Code | Primary Strategy |
|---|---|---|---|---|
| C# | ✅ | ✅ | ❌ | Dynamic |
| C | ✅ | None | ||
| C++ | ✅ | None | ||
| Clojure (leiningen) | ✅ | ❌ | ❌ | Dynamic |
| Dart (pub) | ✅ | ✅ | ❌ | Dynamic |
| Elixer (mix) | ✅ | ❌ | ❌ | Dynamic |
| Erlang (rebar3) | ✅ | ❌ | ❌ | Dynamic |
| Fortran | ❌ | ✅ | ❌ | Static |
| Go (dep) | ❌ | ✅ | ❌ | Static |
| Go (glide) | ❌ | ✅ | ❌ | Static |
| Go (gomodules) | ✅ | ✅ | ❌ | Dynamic |
| Gradle | ✅ | ❌ | ❌ | Dynamic |
| Haskell (cabal) | ✅ | ❌ | ❌ | Dynamic |
| Haskell (stack) | ✅ | ❌ | ❌ | Dynamic |
| iOS (carthage) | ❌ | ✅ | ❌ | Static |
| iOS (cocoapods) | ❌ | ✅ | ❌ | Static |
| iOS (swift) | ❌ | ✅ | ❌ | Static |
| Maven | ✅ | ✅ | ❌ | Dynamic |
| NodeJS (NPM/Yarn/pnpm) | ❌ | ✅ | ❌ | Static |
| Perl | ❌ | ✅ | ❌ | Static |
| PHP (Composer) | ❌ | ✅ | ❌ | Static |
| Python (Conda) | ✅ | ✅ | ❌ | Dynamic |
| Python (Pipenv) | ✅ | ✅ | ❌ | Dynamic |
| Python (Poetry) | ❌ | ✅ | ❌ | Static |
| Python (Pdm) | ❌ | ✅ | ❌ | Static |
| Python (setup.py/requirements.txt) | ✅ | ✅ | ❌ | Dynamic |
| R (renv) | ❌ | ✅ | ❌ | Static |
| Ruby (bundler) | ✅ | ✅ | ❌ | Static |
| Rust (cargo) | ✅ | ❌ | ❌ | Dynamic |
| Scala (sbt) | ✅ | ❌ | ❌ | Dynamic |