Try our new research platform with insights from 80,000+ expert users
FOSSA Logo

FOSSA pros and cons

Vendor: FOSSA
4.3 out of 5
Post review

Pros & Cons summary

FOSSA integrates into build pipelines, easing onboarding for developers with its accurate and customizable policy engine. Contextual alerts are provided, enhancing decision-making on open-source components. While the tool excels in licensing investigation, it lacks snippet matching and a unified security scan. Global implementation challenges exist with certain CI tools, and improvements are needed in error information, categories, and API functionalities, as well as legal aspects regarding dependency approvals.

Buyer's Guide

Get pricing advice, tips, use cases and valuable features from real users of this product.
Get the report

Prominent pros & cons

PROS

FOSSA integrates easily and quickly into existing workflows, providing rapid feedback on licensing and security issues, which is highly valued by developers.
FOSSA's policy engine is accurate, requires minimal adjustments, and effectively alerts users only when there are compliance issues that need attention.
FOSSA efficiently identifies all components within a build, displaying associated licenses which aids in compliance and risk management.
Support from FOSSA is highly reliable, with a proactive team ready to assist with any queries or issues.
FOSSA's CLI tool respects privacy by only fingerprinting data locally and offers granular control over open-source licenses, helping teams make informed decisions about component usage.

CONS

FOSSA has inaccuracies with distribution acknowledgments needing improvement.
Security scanning only focuses on licenses, not vulnerabilities, requiring external tools.
Dependency approval must be repeated multiple times across the organization.
FOSSA's API requires broader development to reduce reliance on the GUI.
Technical support and understanding of advanced features can be improved.
 

FOSSA Pros review quotes

BF
Oct 5, 2020
The most valuable feature is its ability to identify all of the components in a build, and then surface the licenses that are associated with it, allowing us to make a decision as to whether or not we allow a team to use the components. That eliminates the risk that comes with running consumer software that contains open source components.
Read full review
PL
Jul 19, 2020
FOSSA provided us with contextualized, easily actionable intelligence that alerted us to compliance issues. I could tell FOSSA exactly what I cared about and they would tell me when something was out of policy. I don't want to hear from the compliance tool unless I have an issue that I need to deal with. That was what was great about FOSSA is that it was basically "Here's my policy and only send me an alert if there's something without a policy." I thought that it was really good at doing that.
Read full review
JG
Oct 12, 2020
Their CLI tool is very efficient. It does not send your source code over to their servers. It just does fingerprinting. It is also very easy to integrate into software development practices.
Read full review
Buyer's Guide
FOSSA
November 2024
Free Report: FOSSA Reviews and More
Learn what your peers think about FOSSA. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
DOWNLOAD NOW
814,649 professionals have used our research since 2012.
GY
Jun 2, 2020
I found FOSSA's out-of-the-box policy engine to be accurate and that it was tuned appropriately to the settings that we were looking for. The policy engine is pretty straightforward... I find it to be very straightforward to make small modifications to, but it's very rare that we have to make modifications to it. It's easy to use. It's a four-category system that handles most cases pretty well.
Read full review
CL
May 16, 2021
One of the things that I really like about FOSSA is that it allows you to go very granular. For example, if there's a package that's been flagged because it's subject to a license that may be conflicts with or raises a concern with one of the policies that I've set, then FOSSA enables you to go really granular into that package to see which aspects of the package are subject to which licenses. We can ultimately determine with our engineering teams if we really need this part of the package or not. If it's raising this flag, we can make really actionable decisions at a very micro level to enable the build to keep pushing forward.
Read full review
BG
May 27, 2020
The most valuable feature is definitely the ease and speed of integrating into build pipelines, like a Jenkins pipeline or something along those lines. The ease of a new development team coming on board and integrating FOSSA with a new project, or even an existing project, can be done so quickly that it's invaluable and it's easy to ask the developers to use a tool like this. Those developers greatly value the very quick feedback they get on any licensing or security vulnerability issues.
Read full review
EG
Sep 27, 2020
What I really need from FOSSA, and it does a really good job of this, is to flag me when there are particular open source licenses that cause me or our legal department concern. It points out where a particular issue is, where it comes from, and the chain that brought it in, which is the most important part to me.
Read full review
CL
Sep 23, 2020
The support team has just been amazing, and it helps us to have a great support team from FOSSA. They are there to triage and answer all our questions which come up by using their product.
Read full review
MW
May 20, 2021
Being able to know the licenses of the libraries is most valuable because we sell products, and we need to provide to the customers the licenses that we are using.
Read full review
SS
Oct 24, 2024
FOSSA suggests solutions for dependency mismatches.
Read full review
Show 5 more reviews (out of 15)
 

FOSSA Cons review quotes

BF
Oct 5, 2020
The solution provides contextualized, actionable, intelligence that alerts us to compliance issues, but there is still a little bit of work to be done on it. One of the issues that I have raised with FOSSA is that when it identifies an issue that is an error, why is it in error? What detail can they give to me? They've improved, but that still needs some work. They could provide more information that helps me to identify the dependencies and then figure out where they originated from.
Read full review
PL
Jul 19, 2020
I wish there was a way that you could have a more global rollout of it, instead of having to do it in each repository individually. It's possible, that's something that is offered now, or maybe if you were using the CI Jenkins, you'd be able to do that. But with Travis, there wasn't an easy way to do that. At least not that I could find. That was probably the biggest issue.
Read full review
JG
Oct 12, 2020
On the legal and policy sides, there is some room for improvement. I know that our legal team has raised complaints about having to approve the same dependency multiple times, as opposed to having them it across the entire organization.
Read full review
Buyer's Guide
FOSSA
November 2024
Free Report: FOSSA Reviews and More
Learn what your peers think about FOSSA. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
DOWNLOAD NOW
814,649 professionals have used our research since 2012.
GY
Jun 2, 2020
Security scanning is an area for improvement. At this point, our experience is that we're only scanning for license information in components, and we're not scanning for security vulnerability information. We don't have access to that data. We use other tools for that. It would be an improvement for us to use one tool instead of two, so that we just have to go through one process instead of two.
Read full review
CL
May 16, 2021
One thing that can sometimes be difficult with FOSSA is understanding all that it can do. One of the ways that I've been able to unlock some of those more advanced features is through conversations with the absolutely awesome customer success team at FOSSA, but it has been a little bit difficult to find some of that information separately on my own through FAQs and other information channels that FOSSA has. The improvement is less about the product itself and more about empowering FOSSA customers to know and understand how to unlock its full potential.
Read full review
BG
May 27, 2020
We have seen some inaccuracies or incompleteness with the distribution acknowledgments for an application, so there's certainly some room for improvement there. Another big feature that's missing that should be introduced is snippet matching, meaning, not just matching an entire component, but matching a snippet of code that had been for another project and put in different files that one of our developers may have created.
Read full review
EG
Sep 27, 2020
I would like the FOSSA API to be broader. I would like not to have to interact with the GUI at all, to do the work that I want to do. I would like them to do API-first development, rather than a focus on the GUI.
Read full review
CL
Sep 23, 2020
I would like more customized categories because our company is so big. This is doable for them. They are still in the stages of trying to figure this out since we are one of their biggest companies that they support.
Read full review
MW
May 20, 2021
On the dashboard, there should be an option to increase the column width so that we can see the complete name of the GitHub repository. Currently, on the dashboard, we see the list of projects, but to see the complete name, you have to hover your mouse over an item, which is annoying.
Read full review
SS
Oct 24, 2024
FOSSA does not show the exact line of code with vulnerabilities, which adds time to the process as we have to locate these manually.
Read full review
Show 5 more reviews (out of 15)

Product Categories

Product Categories
Software Composition Analysis (SCA)

Popular Comparisons

Popular Comparisons
Veracode vs FOSSA Logo
Veracode vs FOSSA
GitLab vs FOSSA Logo
GitLab vs FOSSA
Snyk vs FOSSA Logo
Snyk vs FOSSA
Black Duck vs FOSSA Logo
Black Duck vs FOSSA
Mend.io vs FOSSA Logo
Mend.io vs FOSSA
Sonatype Lifecycle vs FOSSA Logo
Sonatype Lifecycle vs FOSSA
Fortify Static Code Analyzer vs FOSSA Logo
Fortify Static Code Analyzer vs FOSSA
JFrog Xray vs FOSSA Logo
JFrog Xray vs FOSSA
Checkmarx Software Composition Analysis vs FOSSA Logo
Checkmarx Software Composition Analysis vs FOSSA
FlexNet Code Insight vs FOSSA Logo
FlexNet Code Insight vs FOSSA
See all alternatives

Product Categories

Product Categories
Software Composition Analysis (SCA)

Popular Comparisons

Popular Comparisons
Veracode vs FOSSA Logo
Veracode vs FOSSA
GitLab vs FOSSA Logo
GitLab vs FOSSA
Snyk vs FOSSA Logo
Snyk vs FOSSA
Black Duck vs FOSSA Logo
Black Duck vs FOSSA
Mend.io vs FOSSA Logo
Mend.io vs FOSSA
Sonatype Lifecycle vs FOSSA Logo
Sonatype Lifecycle vs FOSSA
Fortify Static Code Analyzer vs FOSSA Logo
Fortify Static Code Analyzer vs FOSSA
JFrog Xray vs FOSSA Logo
JFrog Xray vs FOSSA
Checkmarx Software Composition Analysis vs FOSSA Logo
Checkmarx Software Composition Analysis vs FOSSA
FlexNet Code Insight vs FOSSA Logo
FlexNet Code Insight vs FOSSA
See all alternatives
Related questions
  • 195
What tools do you rely on for building a DevSecOps pipeline?
  • 113
What alternatives are there for Fortify WebInspect and Fortify SCA?
  • 77
What is the best way to track open-source license compatibility?
  • 14
Why is Software Composition Analysis (SCA) important for companies?
  • 210
Differences between Black Duck & Veracode
  • 32
What SCA solution do you recommend?
  • 9
Is there an SCA solution that finds and fixes vulnerabilities?
  • 16
Can I get SCA in my IDE?
  • 48
How long does SCA scanning take?
  • 0
When evaluating Software Composition Analysis, what aspect do you think is the most important to look for?