DEV Community

Cover image for SBOM with FOSSology
Paweł Piwosz
Paweł Piwosz

Posted on

SBOM with FOSSology

This episode is about FOSSology, the open source tool which is categorized as Audit, Consume and Transform tool. The project is part of Linux Foundation Project.

We will see how it works in the simplest installation, a docker container. We have multiple options, starting with installation directly on our system, use single container, or prepared docker-compose setup to add external database. As we have docker-compose ready, it is very easy to move the installation to other environments, like, for example, Kubernetes.

Let's run the container, then!

docker run -p 8081:80 fossology/fossology
Enter fullscreen mode Exit fullscreen mode

Now we can enter the website, using http://localhost:8081/repo/ url. The login is simple, user and password are fossy.

Login screen

Browse screen after login


At the beginning we will try to scan some GitHub repo. I selected one, where I expect a lot of actions done through time. Select Upload and the From Version Control System.

Upload source

With the analytics options I go crazy, I select all :)

Upload configuration

And then we need to click Upload button, which is quite hidden in bottom left side.

Please notice, the UX now is not perfect. In the first moment I didn't know if action was successful or not.

Some UX to fix

But, yes, it was :)

Let's go to Jobs and then My recent jobs. This shows the status of jobs. AS we can see on the screen below, my jobs are still running. Very clean and clear information panel!

Job statuses

We can pause or stop jobs if we want

Job statuses are updated automaticaly

Scan is in progress, but we can look on part already collected. For example, License Browser

License browser

We see here very complex report. We can get even more info, by clicking on each element.


In the Browse menu we can decide what action should be taken.

Options for project

AS we can see, FOSSology is also an "operational" tool. We can assign people to be the owners of the report, we can change status of the project.


I've created unified report, which I downloaded from Jobs section. This report is generated as MS Word file and is very detailed.


File from URL

As a next excercise, I use tfsec project downloaded directly from GitHub releases. I love tfsec as a tool, so I use this opportunity to learn more about it :) We will see how many information the tool is able to extract from executable.

This time, reports shows more data about licenses, etc. Don't get it wrong, it is not the FOSSology things, simply speaking, more work in this area is done for thsec than for TF AWS provider :)

Another report

Duration of scan

Well, it depends on the type of scan. softwareHeritage can be very long. I mean, very, very long. Generally, we have to prepare ourselves to give around 15 minutes to complete scan (except SoftwareHeritage). Of course it depends on the package type, size, etc, but it is definitely not something what can be seamlessly added to the pipelines (however, this should be obvious).


Very useful tool. Helps to analyze data from multiple sources. Only one missing point for me is to scan Docker containers.

The GUI is quite clean and useful. Everything is easy to be found, navigation is really easy. The one exception is mentioned confirmation (or failure) of adding project to the application.

FOSSology is using external services for some checks, what might be problematic in many situations.

User management is quite advanced for such tool. API is available and each user can generate the personal token to use.

I like FOSSology and I think I will remember about it when it comes to SBOMs in pipelines.

The downside of this tool might be the file size limitation. We can upload files to 700M, so majority of iso images is too big for this scanner (for example current Ubuntu iso images are way bigger).

Cover image by Suzy from Pixabay

Top comments (0)