FossID Documentation

FossID-DA Resolving Dependencies

How does FossID-DA resolve dependencies?

1. NPM Dependencies

fossid-da detects that the component express-1.0.9 is an NPM dependency and then fetches its package information from the NPM API, which is effectively the package's package.json:

{
  "name": "express",
  "version": "1.0.9",
  ...  
  "dependencies": {
    "connect": ">= 0.5.0 < 1.0.0",
    "qs": ">= 0.0.5"
  },
  ...
}

It detects that it has two dependencies:

  • "connect": ">= 0.5.0 < 1.0.0"
  • "qs": ">= 0.0.5"

It resolves the version interval of each dependency to a concrete version; for the connect dependency:

  • "connect": ">= 0.5.0 < 1.0.0" -> "connect": "0.5.10"

It then gets the dependencies of the resolved package (connect-0.5.10):

{
  "name": "connect",
  "description": "High performance middleware framework",
  ...
  "version": "0.5.10",
  ...
  "dependencies": { "qs": ">= 0.0.6" },
  ...
}

It then takes each of these dependencies, resolves its version interval, and walks any further dependencies in the same way.
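The walk above, as an added example that is not FossID's own code: the REGISTRY dictionary is a constructed stand-in for the NPM API (the express, connect and qs entries reuse the ranges quoted on this page; the extra versions are invented so that range selection actually has to choose), and the range parser handles only the "op version" comparators seen here, not full semver syntax.

```python
"""Toy model of the NPM resolution walk: resolve each range to a concrete
version, fetch that package's package.json, and recurse. Added example,
not FossID code; REGISTRY replaces the NPM API with constructed data."""
import operator
import re

# Constructed stand-in for the NPM registry: package -> {version: package.json subset}
REGISTRY = {
    "express": {
        "1.0.9": {"dependencies": {"connect": ">= 0.5.0 < 1.0.0", "qs": ">= 0.0.5"}},
    },
    "connect": {
        "0.4.0": {"dependencies": {}},                      # too old for express
        "0.5.10": {"dependencies": {"qs": ">= 0.0.6"}},     # the version the page resolves to
        "1.0.0": {"dependencies": {}},                      # excluded by "< 1.0.0"
    },
    "qs": {
        "0.0.4": {"dependencies": {}},
        "0.0.6": {"dependencies": {}},
        "0.0.7": {"dependencies": {}},
    },
}

_CMP = re.compile(r"(>=|<=|>|<|=)\s*(\d+\.\d+\.\d+)")
_OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt, "<": operator.lt, "=": operator.eq}


def parse_version(v):
    """'0.5.10' -> (0, 5, 10) so that versions compare numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))


def satisfies(version, range_expr):
    """True when every comparator in the range (e.g. '>= 0.5.0 < 1.0.0') holds."""
    v = parse_version(version)
    comparators = _CMP.findall(range_expr)
    if not comparators:  # a bare '1.2.3' means an exact pin
        return v == parse_version(range_expr.strip())
    return all(_OPS[op](v, parse_version(bound)) for op, bound in comparators)


def resolve_range(name, range_expr):
    """Pick the highest published version that satisfies the range."""
    candidates = [v for v in REGISTRY[name] if satisfies(v, range_expr)]
    if not candidates:
        raise LookupError(f"no version of {name} satisfies {range_expr!r}")
    return max(candidates, key=parse_version)


def resolve_tree(name, version, resolved=None, edges=None):
    """Walk the dependency graph from name-version.

    Returns (resolved, edges): resolved maps 'name-version' to its declared
    dependency ranges, edges lists (parent, child) pairs of resolved nodes.
    """
    resolved = {} if resolved is None else resolved
    edges = [] if edges is None else edges
    node = f"{name}-{version}"
    if node in resolved:  # already walked; shared dependencies are visited once
        return resolved, edges
    resolved[node] = REGISTRY[name][version]["dependencies"]
    for dep, range_expr in resolved[node].items():
        dep_version = resolve_range(dep, range_expr)
        edges.append((node, f"{dep}-{dep_version}"))
        resolve_tree(dep, dep_version, resolved, edges)
    return resolved, edges


if __name__ == "__main__":
    nodes, graph = resolve_tree("express", "1.0.9")
    for parent, child in graph:
        print(f"{parent} -> {child}")
```

Because an open-ended range such as ">= 0.0.5" resolves to whatever the registry holds at scan time, the version reported for a transitive dependency can differ from the one a project actually installs; a lock file (package-lock.json or yarn.lock) pins that choice, which is why lock-file results are the more reliable input for vulnerability matching.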

2. C/C++ Dependencies

If a lock file is detected, the dependencies listed in it are processed:

  • conanfile.txt
  • conan.lock
  • vcpkgs.json

Dependencies detected from lock files will carry version information when the lock file provides it.

If no lock file is detected, fossid-da will search for all relevant import statements in:

  • .cpp files
  • .hpp files
  • .h files
  • .hh files

NOTE: To activate this functionality, add this option to fossid.conf:

da_cpp_import_search=1

Detected imports will be processed and checked against the known C/C++ components:

#include "boost/goo.h"   ===> boost - N/A
#include "fmt/goo.h"     ===> fmt - N/A
#include <algorithm>     ===> X
#include <functional>    ===> X

Every component detected from an import will have version N/A, since the actual version is difficult to determine from an import statement alone.
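An added example of the import search described above (not FossID's own code): it scans only the four source extensions listed, pulls out both the quoted and angle-bracket forms of #include, and maps the first path segment of each include to a component. KNOWN_COMPONENTS is an invented stand-in for FossID's component knowledge base, and the file contents are constructed from the includes shown on this page.

```python
"""Scan C/C++ sources for #include statements and map them to known components
with version N/A. Added example, not FossID code; the knowledge base and the
source files are constructed."""
import re
from pathlib import PurePosixPath

SOURCE_EXTENSIONS = {".cpp", ".hpp", ".h", ".hh"}

# Constructed stand-in for a component knowledge base: include-path prefix -> component
KNOWN_COMPONENTS = {"boost": "boost", "fmt": "fmt"}

# Matches '#include "x/y.h"' and '#include <x/y.h>', tolerating '# include' spacing
_INCLUDE = re.compile(r'^\s*#\s*include\s*(?:"([^"]+)"|<([^>]+)>)', re.MULTILINE)


def extract_includes(text):
    """Return the include paths found in one source file, in order of appearance."""
    return [quoted or angled for quoted, angled in _INCLUDE.findall(text)]


def match_component(include_path):
    """Map an include path to (component, 'N/A'), or None when it is not a known
    component (standard headers such as <algorithm> fall through here)."""
    first_segment = PurePosixPath(include_path).parts[0]
    name = KNOWN_COMPONENTS.get(first_segment)
    return (name, "N/A") if name else None


def scan_sources(files):
    """files maps path -> contents. Returns ({component: version}, [unmatched includes])."""
    detected, unmatched = {}, []
    for path, text in files.items():
        if PurePosixPath(path).suffix not in SOURCE_EXTENSIONS:
            continue  # only .cpp/.hpp/.h/.hh are searched
        for include in extract_includes(text):
            hit = match_component(include)
            if hit:
                detected[hit[0]] = hit[1]
            else:
                unmatched.append(include)
    return detected, unmatched


# Constructed sample tree; README.md is present to show that non-source files are skipped
CONSTRUCTED_FILES = {
    "src/main.cpp": '#include "boost/goo.h"\n#include <algorithm>\n#include "fmt/goo.h"\n',
    "src/util.h": "#include <functional>\n# include <fmt/core.h>\n",
    "README.md": '#include "boost/not_scanned.h"\n',
}


if __name__ == "__main__":
    components, unknown = scan_sources(CONSTRUCTED_FILES)
    for name, version in components.items():
        print(f"{name} - {version}")
    print("unmatched:", unknown)
```

The N/A version means these components can be listed but not matched to a specific vulnerable release; treating an include-derived hit as "present, version unknown" rather than "not affected" is the safer reading when triaging results.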

3. Go Dependencies

If a lock file is detected, the dependencies listed in it are processed, and a flat list of dependencies is generated with no graph connections:

  • Gopkg.lock
  • glide.lock
  • Godeps.json

Dependencies detected from lock files will have version information.

If no lock file is detected, fossid-da will search for go.mod manifests and then resolve the first level of transitive dependencies:

github.com/go-sql-driver/mysql v1.5.0
github.com/gorilla/mux v1.8.0
github.com/jinzhu/gorm v1.9.16

These are the transitive dependencies for github.com/jinzhu/gorm:

github.com/denisenkom/go-mssqldb v0.0.0-20191124224453-732737034ffd
github.com/erikstmartin/go-testdb v0.0.0-20160219214506-8d10e4a1bae5
github.com/go-sql-driver/mysql v1.5.0
...
github.com/lib/pq v1.1.1
github.com/mattn/go-sqlite3 v1.14.0
golang.org/x/crypto v0.0.0-20191205180655-e7c4368fe9dd // indirect
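An added example (not FossID's own code) of the first step of the go.mod path above: parsing a manifest into its first-level requirements, with the "// indirect" marker kept so that direct and transitive requirements can be told apart. The go.mod text is constructed from the module lines quoted on this page; the module name example.com/demo is invented.

```python
"""Parse a go.mod manifest into its first-level requirements. Added example,
not FossID code; GO_MOD is a constructed manifest built from the modules on
this page."""
import re

# Constructed go.mod: block form, single-line form and an indirect requirement
GO_MOD = """\
module example.com/demo

go 1.16

require (
\tgithub.com/go-sql-driver/mysql v1.5.0
\tgithub.com/jinzhu/gorm v1.9.16
\tgolang.org/x/crypto v0.0.0-20191205180655-e7c4368fe9dd // indirect
)

require github.com/gorilla/mux v1.8.0
"""

# module path, version, optional '// indirect' trailer
_REQUIREMENT = re.compile(r"^(\S+)\s+(v\S+)\s*(//\s*indirect)?\s*$")


def parse_go_mod(text):
    """Return a list of {'module', 'version', 'indirect'} for every require line,
    handling both 'require (...)' blocks and single-line 'require x vN' forms."""
    requirements = []
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("//"):
            continue  # blank lines and comments
        if line.startswith("require ("):
            in_block = True
            continue
        if in_block and line == ")":
            in_block = False
            continue
        if line.startswith("require "):
            line = line[len("require "):]  # single-line form
        elif not in_block:
            continue  # module, go, replace and other directives
        match = _REQUIREMENT.match(line)
        if match:
            requirements.append({
                "module": match.group(1),
                "version": match.group(2),
                "indirect": match.group(3) is not None,
            })
    return requirements


def direct_modules(requirements):
    """Module paths the project imports itself, i.e. those not marked '// indirect'."""
    return [r["module"] for r in requirements if not r["indirect"]]


if __name__ == "__main__":
    for r in parse_go_mod(GO_MOD):
        flag = " (indirect)" if r["indirect"] else ""
        print(f"{r['module']} {r['version']}{flag}")
```

Each direct module's own go.mod would then be read the same way to obtain the next level, which is the "first level of transitive dependencies" the text refers to; without a lock file nothing here verifies that the versions listed are the ones actually built, so go.sum or a vendored tree remains the stronger evidence.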

NOTE: To activate this functionality, add these options to fossid.conf:

; FossID-DA Git Settings
da_git_user="" ; github user
da_git_token="" ; github token