A hands-on training environment for learning FOSSA CLI security scanning and license compliance.
This repository intentionally contains vulnerable packages for educational purposes. DO NOT use in production!
- Install and configure FOSSA CLI
- Perform security and license scans
- Integrate FOSSA into CI/CD pipelines
- Configure custom scanning rules
- Generate compliance reports
- Node.js 16+
- Git
- FOSSA account and API key
```bash
# Clone the repository
git clone <repository-url>
cd fossa-cli-training

# Install dependencies (intentionally vulnerable!)
npm install

# Install FOSSA CLI
curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash

# Set your API key (keep it out of the repository; in CI, supply it as a secret)
export FOSSA_API_KEY="your-api-key-here"
```

Piping a remote script straight into `bash` executes it unreviewed. If that does not fit your threat model, download the script and read it first, or install a released binary from the fossa-cli GitHub releases page instead.

```bash
# List detected targets
fossa list-targets

# Run analysis (uploads the dependency graph to FOSSA)
fossa analyze

# Check the most recently uploaded analysis for policy violations
fossa test
```

- Complete Tutorial - Comprehensive step-by-step guide
- Application Code - Sample vulnerable Node.js application
- Pipeline Examples - CI/CD integration samples
fossa-cli-training/
├── README.md # This file
├── FOSSA_CLI_TUTORIAL.md # Complete training guide
├── package.json # Vulnerable dependencies
├── app.js # Sample application
├── .fossa.yml # FOSSA configuration
├── .github/workflows/fossa-scan.yml # GitHub Actions
├── .gitlab-ci.yml # GitLab CI/CD
└── docs/ # Additional documentation
This repository includes the following intentionally vulnerable packages:
| Package | Version | Vulnerability Type |
|---|---|---|
| express | 4.16.0 | Multiple CVEs |
| lodash | 4.17.4 | Prototype pollution |
| moment | 2.19.0 | ReDoS (Regular Expression DoS) |
| request | 2.88.0 | Deprecated, security issues |
| minimist | 0.0.8 | Prototype pollution |
| debug | 2.2.0 | ReDoS vulnerability |
| qs | 1.0.0 | Various vulnerabilities |
| tar | 2.0.0 | Arbitrary file overwrite |
```bash
# Basic analysis (uploads results to FOSSA)
fossa analyze

# Local analysis (no upload; results are printed to stdout)
fossa analyze --output

# List all targets
fossa list-targets

# Generate reports
fossa report attribution

# Test against policies
fossa test

# Debug mode (verbose logging)
fossa analyze --debug
```

- Run `fossa list-targets`
- Perform `fossa analyze --output`
- Count the vulnerable dependencies
- Modify `.fossa.yml`
- Compare scan results if the dependency graph changes
- Add custom project metadata to `.fossa.yml`
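A complete `.fossa.yml` for this exercise, added here as an example rather than the repository's own configuration file; the project id, name, team, the npm-only target filter and the excluded paths are illustrative choices:

```yaml
# .fossa.yml (added example; FOSSA CLI v3 configuration format)
version: 3

# Project metadata overrides what the CLI would otherwise infer from git.
# The values below are illustrative; use identifiers that match your FOSSA org.
project:
  id: fossa-cli-training        # stable locator that `fossa test` and reports refer to
  name: FOSSA CLI Training
  team: AppSec

# Restrict analysis to the npm target so the dependency graph is easy to compare
# before and after you change package.json (Exercise 2). Remove this to scan every
# target that `fossa list-targets` reports.
targets:
  only:
    - type: npm

# Skip directories that add scan time but contain no first-party manifests.
paths:
  exclude:
    - ./dist
    - ./docs
```

Run `fossa list-targets` before and after editing the `targets` section to confirm the filter took effect, and use `fossa analyze --output` to diff the resulting graph locally without uploading either revision.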
- Set up GitHub Actions workflow
- Configure a repository secret for the API key
- Test the workflow
- Create attribution report
- Export results to different formats
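A GitHub Actions workflow for Exercise 3, added here as an example and not the repository's own `.github/workflows/fossa-scan.yml`. It assumes a repository secret named `FOSSA_API_KEY` and installs the CLI with the same script as the Quick Start; the job name, trigger branches and artifact name are arbitrary choices:

```yaml
# .github/workflows/fossa-scan.yml (added example; assumes a repo secret FOSSA_API_KEY)
name: FOSSA scan

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read   # least privilege: the job only needs to read the source tree

jobs:
  fossa:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install FOSSA CLI
        run: |
          curl -H 'Cache-Control: no-cache' \
            https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash

      - name: Analyze and upload dependency graph
        env:
          FOSSA_API_KEY: ${{ secrets.FOSSA_API_KEY }}   # never hard-code the key in the workflow
        run: fossa analyze

      - name: Fail the build on policy violations
        env:
          FOSSA_API_KEY: ${{ secrets.FOSSA_API_KEY }}
        run: fossa test

      - name: Generate attribution report
        env:
          FOSSA_API_KEY: ${{ secrets.FOSSA_API_KEY }}
        run: fossa report attribution --format markdown > attribution.md

      - uses: actions/upload-artifact@v4
        with:
          name: fossa-attribution
          path: attribution.md
```

Two things to check when testing the workflow: on pull requests from forks GitHub does not expose `secrets.FOSSA_API_KEY`, so the analyze step fails with the "No API key provided" error from Troubleshooting (restrict the trigger, or run `fossa analyze --output` for untrusted PRs); and `fossa test` only evaluates the revision that `fossa analyze` just uploaded, so keep the two steps in the same job.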
No API key provided:

```bash
export FOSSA_API_KEY="your-key-here"
```

No targets found:

Ensure you're in a directory with package.json, pom.xml, or other supported project files.

Analysis timeout:

Use .fossa.yml to exclude large directories:

```yaml
paths:
  exclude:
    - node_modules
    - dist
```

When you run FOSSA on this repository, you should see:
- 10+ vulnerable dependencies detected
- Multiple high-severity vulnerabilities
- License compliance issues (if policies are configured)
- Detailed dependency graph with transitive dependencies
- Check the complete tutorial
- Review troubleshooting section
- Consult FOSSA documentation
- Contact your FOSSA administrator
This training material is provided under the MIT License. See LICENSE file for details.
Remember: This is for training purposes only. Never use these vulnerable packages in production!
- Follow the Quick Start guide above
- Open the Complete Tutorial
- Begin with Exercise 1
- Learn by doing!
Happy scanning! 🔍