FossID Documentation

Reports

FossID allows creating different types of reports based on the scan contents, match results and identifications made during an audit:

  • SPDX: The Software Package Data Exchange (SPDX) specification is a standard format for communicating, among other things, the components, licenses and copyrights associated with software packages. This report type will result in an SPDX conformant XML file.
  • SPDX Lite: The SPDX Lite profile is a subset of the SPDX specification. This report type will result in an XLSX file.
  • Excel: An MS Excel file with information about licenses, components, vulnerabilities, identifications, etc. organized into sheets.
  • CycloneDX: CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. This report type will result in a CycloneDX conformant JSON file.
  • Basic Report: A static and simpler HTML based software inventory of open source components, licenses and vulnerabilities as well as available dependency information.
  • Signature Scan Report: An interactive HTML report displaying the top matched component for each scanned file without any identifications/audit work being necessary. It does not include information about dependencies.
  • Notice File: A collection of license and copyright notice texts extracted from the files or components in the scan in plain text format.
  • String Match Report: A list of files matching the applied String Match rules for the current scan.

Important:

Since release 23.1 all types of reports are generated in the background. When report generation finishes, the user receives a notification with a link to download the report. For that link to be correct, the FossID config option webapp_base_url must be set.

webapp_base_url = https://mycompany.com/index.php

Report options

There are a few options that will affect the contents of the reports. Options that are not applicable for a certain report type will not be displayed.

Identification status filter options

  • Include all files: Files will be included in the report regardless of identification status.
  • Include files with pending identifications only: Only files with remaining pending identifications will be included.
  • Include files marked as identified only: Only files marked as identified will be included.

License/component filter options

  • Include all licenses: Components, vulnerabilities, and identifications will be included for files regardless of license.
  • Include licenses marked as FOSS only: Components, vulnerabilities, and identifications will be included for files where the license is marked with “FOSS” only.
  • Include licenses marked for report inclusion only: Components, vulnerabilities, and identifications will be included for files where the license is marked with “Include in Report” only.
  • Include licenses marked as copyleft only: Components, vulnerabilities, and identifications will be included for files where the license is marked with “Is copyleft” only.
  • Include components with known vulnerabilities only: Components and vulnerabilities will be included for components used in identifications that also have known vulnerabilities. Individual file identifications will not be included.
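To check what a generated CycloneDX report actually contains after the "Include components with known vulnerabilities only" filter, the added Python example below (not FossID code) cross-references the BOM's top-level vulnerabilities array with its component list; the BOM content, component names and vulnerability ids are constructed placeholders.

```python
import json

# Constructed sample of a CycloneDX 1.4-style JSON BOM in the shape the page says a
# FossID CycloneDX report takes. Added example data, not real FossID output; the
# vulnerability ids are placeholders, not real advisories.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"bom-ref": "pkg:npm/example-a@1.0.0", "name": "example-a", "version": "1.0.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"bom-ref": "pkg:npm/example-b@2.3.1", "name": "example-b", "version": "2.3.1",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"bom-ref": "pkg:npm/example-c@0.9.0", "name": "example-c", "version": "0.9.0"},
    ],
    "vulnerabilities": [
        {"id": "PLACEHOLDER-VULN-1", "affects": [{"ref": "pkg:npm/example-b@2.3.1"}]},
        {"id": "PLACEHOLDER-VULN-2", "affects": [{"ref": "pkg:npm/example-b@2.3.1"},
                                                  {"ref": "pkg:npm/example-c@0.9.0"}]},
    ],
})


def components_with_known_vulnerabilities(bom_json: str) -> dict:
    """Return {bom-ref: [vulnerability ids]} for every component that at least
    one entry in the BOM's top-level 'vulnerabilities' array affects."""
    bom = json.loads(bom_json)
    known_refs = {c.get("bom-ref") for c in bom.get("components", [])}
    hits: dict = {}
    for vuln in bom.get("vulnerabilities", []):
        for target in vuln.get("affects", []):
            ref = target.get("ref")
            if ref in known_refs:  # ignore refs that point outside the component list
                hits.setdefault(ref, []).append(vuln["id"])
    return hits


def licenses_of(bom_json: str, bom_ref: str) -> list:
    """SPDX ids declared on one component (empty list if none were reported)."""
    bom = json.loads(bom_json)
    for c in bom.get("components", []):
        if c.get("bom-ref") == bom_ref:
            return [l["license"].get("id", "") for l in c.get("licenses", []) if "license" in l]
    return []


if __name__ == "__main__":
    for ref, ids in components_with_known_vulnerabilities(SAMPLE_BOM).items():
        print(ref, licenses_of(SAMPLE_BOM, ref) or ["(no license reported)"], ids)
```

FossID applies the filter when the report is generated; this script only inspects the JSON it produced, which is useful for confirming a filtered report still lists every vulnerable component you expect.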

Notice File

  • File level - text: Text file of License and Copyright notices extracted from source code files in the scan.
  • Component level - text: Text file of License and Copyright notices extracted from components in the scan.
  • Aggregate level - excel: MS Excel file of License and Copyright notices extracted from source code files and components in the scan.
  • Aggregate level - text: Text file of License and Copyright notices extracted from source code files and components in the scan.

Note that these filter options will not affect reported dependency analysis results at all.

Disclaimer option

  • Add custom disclaimer: This text will be added at the end of the report.

License markings