FossID Documentation

Components

The FossID web application stores information for all components that have been used in identifications or otherwise added to the component database. A component generally refers to a software package of a specific version along with information about vulnerabilities, licensing, etc.

The component list

All stored components can be viewed and updated from the main menu: Components → All components. The basic information (name, license identifier, etc.) can be examined directly in the list.

Detailed information can be viewed and edited by clicking on a specific entry.

Component information can be viewed by any user. Updating information for an existing component is allowed by the creator of the component, or by other users depending on certain permissions.

Components can be manually added from the main menu: Components → Add Component. After entering a component name and version in the respective fields, FossID will also present the user with matching CPE identifiers. Typically, a CPE identifier should exactly match the name and the version, but if required the % character can be used as a wildcard in the version field. For example, “1.%” will match all versions starting with “1.”.
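
The following is an added illustration, not FossID code, of how the % wildcard widens the set of matching CPE identifiers. It assumes % behaves like a SQL LIKE wildcard (any run of characters, everything else literal); the CPE 2.3 strings are constructed samples and all function names are hypothetical.

```python
import re

# Constructed sample CPE 2.3 identifiers (vendor/product names are made up).
SAMPLE_CPES = [
    "cpe:2.3:a:examplevendor:examplelib:1.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:examplevendor:examplelib:1.2.3:*:*:*:*:*:*:*",
    "cpe:2.3:a:examplevendor:examplelib:10.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:examplevendor:examplelib:2.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:examplevendor:otherlib:1.4:*:*:*:*:*:*:*",
]


def cpe_fields(cpe):
    """Return (product, version) from a CPE 2.3 formatted string.

    Assumes the sample data contains no escaped colons.
    """
    parts = cpe.split(":")
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return parts[4], parts[5]


def version_pattern_to_regex(pattern):
    """Translate a version pattern into a regex.

    '%' matches any run of characters; every other character, including
    '.', is literal (assumed semantics, modelled on SQL LIKE).
    """
    return re.compile(".*".join(re.escape(p) for p in pattern.split("%")))


def matching_versions(name, version_pattern, cpes=SAMPLE_CPES):
    """Versions of CPEs whose product equals name and whose version matches."""
    rx = version_pattern_to_regex(version_pattern)
    hits = []
    for cpe in cpes:
        product, version = cpe_fields(cpe)
        if product == name and rx.fullmatch(version):
            hits.append(version)
    return hits


if __name__ == "__main__":
    for pattern in ("1.0", "1.%", "1%"):
        print(pattern, "->", matching_versions("examplelib", pattern))
```

Under these assumptions, dropping the dot ("1%") also matches 10.1, so keep the separator in the pattern when only one major version line is intended.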

Updating the CPE identifier list

The list of CPE identifiers can be updated from the main menu: System Utils → Update CPE List. The SYSTEM_ACCESS permission is required.

Note that the only purpose of this list, at the moment, is to automatically suggest matching CPE identifiers when manually adding components.

CLI command for updating components from KB

In order to sync local Workbench Components with data from KB, a new CLI command was added:

cd /fossid/webapp
sudo -u www-data php bin/console.php update_components_from_kb

The command accepts an argument --fields, which is optional.

  • --fields: Use this argument to update ONLY the chosen component fields, entered as a comma-separated list from the following: name,version,cpe,license,purl,release_date,copyright. Without this option, all of these fields are updated from KB. Updating purl automatically sets Supplier/Community Name if that field is empty.

Example of fields usage:

sudo -u www-data php bin/console.php update_components_from_kb --fields=cpe,license,purl
sudo -u www-data php bin/console.php update_components_from_kb --fields=copyright