In order to use these strategies special options must be provided to the CLI. See the linked documentation above for details.
Languages supported by FOSSA CLI can have multiple strategies for detecting dependencies, one primary strategy that yields ideal results and zero or more fallback strategies. Within this list of strategies, we have the concept of static and dynamic strategies. Static strategies parse files to find a dependency graph (example: parse a package-lock.json file). Dynamic strategies are required when analyzing package managers that do not offer complete lockfiles, such as Gradle or Go. Dynamic strategies require a working build environment to operate in.
It is important to note that neither type of strategy has an inherent benefit when detecting dependencies. If a supported language has only a static or only a dynamic strategy, this does not mean it is less supported than a language that
If the FOSSA CLI is forced to utilize a fallback strategy, meaning it did not detect ideal results, a warning is emitted in the scan summary after running
fossa analyze.
| Language/Package Manager | Dynamic | Static | Detect Vendored Code | Primary Strategy |
|---|---|---|---|---|
| C# | ✅ | ✅ | ❌ | Dynamic |
| C | ✅ | ✅ | ✅ | None |
| C++ | ✅ | ✅ | ✅ | None |
| Clojure (leiningen) | ✅ | ❌ | ❌ | Dynamic |
| Dart (pub) | ✅ | ✅ | ❌ | Dynamic |
| Elixer (mix) | ✅ | ❌ | ❌ | Dynamic |
| Erlang (rebar3) | ✅ | ❌ | ❌ | Dynamic |
| Fortran | ❌ | ✅ | ❌ | Static |
| Go (dep) | ❌ | ✅ | ❌ | Static |
| Go (glide) | ❌ | ✅ | ❌ | Static |
| Go (gomodules) | ✅ | ✅ | ❌ | Dynamic |
| Gradle | ✅ | ❌ | ❌ | Dynamic |
| Haskell (cabal) | ✅ | ❌ | ❌ | Dynamic |
| Haskell (stack) | ✅ | ❌ | ❌ | Dynamic |
| iOS (carthage) | ❌ | ✅ | ❌ | Static |
| iOS (cocoapods) | ❌ | ✅ | ❌ | Static |
| Maven | ✅ | ✅ | ❌ | Dynamic |
| NodeJS (NPM/Yarn/pnpm) | ❌ | ✅ | ❌ | Static |
| Perl | ❌ | ✅ | ❌ | Static |
| PHP (Composer) | ❌ | ✅ | ❌ | Static |
| Python (Conda) | ✅ | ✅ | ❌ | Dynamic |
| Python (Pipenv) | ✅ | ✅ | ❌ | Dynamic |
| Python (Poetry) | ❌ | ✅ | ❌ | Static |
| Python (setup.py/requirements.txt) | ❌ | ✅ | ❌ | Static |
| R (renv) | ❌ | ✅ | ❌ | Static |
| Ruby (bundler) | ✅ | ✅ | ❌ | Static |
| Rust (cargo) | ✅ | ❌ | ❌ | Dynamic |
| Scala (sbt) | ✅ | ✅ | ❌ | Dynamic |