Fossa supports Java and Scala code via the most common build systems:
FOSSA relies on default Maven-compatible configurations, therefore Ant projects and Ivy dependences (i.e. through Sbt) are currently not supported.
Project settings config is accessible and editable from the projects page (http://<fossa-host>/projects/<project>/settings/languages).
environment variables used during project build is configurable via Project Settings > Builds and Languages > General.
maven profiles and
gradle configuration file used during project build is configurable via Project Settings > Builds and Languages > Java.
Dependency Scope can be limited via Project Settings > Builds and Languages > Java (see above image) making Fossa reduce the number of dependencies it displays and uses during issue analysis. If not limited, all dependencies are included.
The Maven build system (http://maven.apache.org/) pulls in dependencies based on:
Fossa derives dependencies by building your project and seeing which dependencies are brought in. Other metadata is fetched directly from repositories.
Here's some of the metadata that's pulled in:
Optional dependencies are included in analysis and are grok'ed by Fossa. The optional dependencies are tagged as
Optional by Fossa and are not included beyond depth 1.
Dependency Scope is included in analysis and is selectable in Fossa. Choosing different project scopes allows you to choose which dependencies are included in issue scans and in the UI.
Dependencies that are excluded transitively are also grok'ed by Fossa. If a transitive dependency is expicitly excluded, Fossa will exclude that dependency from its issue scans and in the UI. If another dependency brings in the excluded transitive dependency, then it will be included. These excludes are scoped to dependencies, not projects.
The Scala build tool (http://www.scala-sbt.org/) pulls in dependencies from several kinds of repositories. FOSSA can scan them if they are published in the Maven-compatible file layout (default). FOSSA does not yet support artifacts in the Ivy file layout.
The Gradle build system (https://docs.gradle.org/) pulls in dependencies based on the repository it's pulling from:
The metadata pulled in is similar to maven:
Gradle properties can be set via environment variables as defined above. Gradle property names should be prefixed with
ORG_GRADLE_PROJECT_ as per the gradle documentation.
See the Maven section for more detail.