Fast, portable and reliable dependency analysis for any codebase. Supports license & vulnerability scanning for large monoliths. Language-agnostic; integrates with 20+ build systems.
Make sure you put analysis.fossa.com for the appropriate answers when you run this. Mine looked like this:
sudo openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:BC
Locality Name (eg, city) []:Vancouver
Organization Name (eg, company) [Internet Widgits Pty Ltd]:analysis.fossa.com
Organizational Unit Name (eg, section) []:analysis.fossa.com
Common Name (e.g. server FQDN or YOUR name) []:analysis.fossa.com
Email Address []:scott@fossa.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Now generate the crt file and copy things to the right spot:
sudo nginx -t
nginx: the configuration file /opt/homebrew/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /opt/homebrew/etc/nginx/nginx.conf test is successful
Start the nginx service. You're binding to port 80, so you have to do this as root:
sudo brew services start nginx
Now you should be able to go to http://analysis.fossa.com in your browser and see it hit Sparkle running on localhost:3000. We're using a self-signed certificate, so you'll have to click through a scary warning
Now that you're set up, let's test that things work.
This will hit Sparkle and Sparkle will proxy to Core:
make install-dev
cd ~/some/project
FOSSA_API_KEY=... fossa-dev analyze
Watch your Sparkle logs. Make sure that the CLI is hitting URLs. You should see a bunch of GET api/cli/organization, a POST to api/builds/custom and a POST to /api/cli/telemetry.
There should be no errors in the Sparkle logs.
Check that the project URL is correct and points at app.fossa.com.
Try again, but force the endpoint to Sparkle by using this flag: -e https://analysis.fossa.com
Everything should work exaclty the same, except the project URL will now point at analysis.fossa.com. Make sure that the analysis.fossa.com URL redirects to the correct spot on app.fossa.com.
Run this with a normal build, a build with vendored dependencies and a container.
Risks
This is a small change in some ways, but a big change in others.
If Sparkle is working correctly, this will be just fine.
If Sparkle is not working correctly, this will cause problems.
But the risk is not contained in this PR. This PR just exposes it.
Metrics
Is this change something that can or should be tracked? If so, can we do it today? And how? If its easy, do it
References
Add links to any referenced GitHub issues, Zendesk tickets, Jira tickets, Slack threads, etc.
[ ] I added tests for this PR's change (or explained in the PR description why tests don't make sense).
[ ] If this PR introduced a user-visible change, I added documentation into docs/.
[ ] If this PR added docs, I added links as appropriate to the user manual's ToC in docs/README.ms and gave consideration to how discoverable or not my documentation is.
[ ] If this change is externally visible, I updated Changelog.md. If this PR did not mark a release, I added my changes into an # Unreleased section at the top.
[ ] If I made changes to .fossa.yml or fossa-deps.{json.yml}, I updated docs/references/files/*.schema.json AND I have updated example files used by fossa init command. You may also need to update these if you have added/removed new dependency type (e.g. pip) or analysis target type (e.g. poetry).
[ ] If I made changes to a subcommand's options, I updated docs/references/subcommands/<subcommand>.md.
Overview
Delivers ANE-1692
Acceptance criteria
Testing plan
Setup
To test this, we need to be able to hit Sparkle, but running at http://localhost:3000. I did this by using Nginx as a reverse proxy.
Point analysis.fossa.com to localhost in /etc/hosts
Add this to
/etc/hosts
:Create an SSL Cert
Here's how I did it.
First, generate your key. You will need the passphrase for the next few steps, so make sure you remember it:
Now generate your CSR:
Make sure you put
analysis.fossa.com
for the appropriate answers when you run this. Mine looked like this:Now generate the crt file and copy things to the right spot:
That will result in a server.crt and server.key file. Put those in /usr/local/nginx/conf
Make your OS accept the cert even though it's self-signed
On MacOS, I followed the directions here: https://tosbourn.com/getting-os-x-to-trust-self-signed-ssl-certificates/
Set up nginx to reverse-proxy analysis.fossa.com to Sparkle running locally
Put this in your nginx config (/opt/homebrew/etc/nginx/nginx.conf) inside the
http
block:Test that your config is working properly:
Start the nginx service. You're binding to port 80, so you have to do this as root:
Now you should be able to go to
http://analysis.fossa.com
in your browser and see it hit Sparkle running on localhost:3000. We're using a self-signed certificate, so you'll have to click through a scary warningNow that you're set up, let's test that things work.
This will hit Sparkle and Sparkle will proxy to Core:
Watch your Sparkle logs. Make sure that the CLI is hitting URLs. You should see a bunch of
GET api/cli/organization
, a POST toapi/builds/custom
and a POST to/api/cli/telemetry
.There should be no errors in the Sparkle logs.
Check that the project URL is correct and points at app.fossa.com.
Try again, but force the endpoint to Sparkle by using this flag:
-e https://analysis.fossa.com
Everything should work exaclty the same, except the project URL will now point at analysis.fossa.com. Make sure that the analysis.fossa.com URL redirects to the correct spot on app.fossa.com.
Run this with a normal build, a build with vendored dependencies and a container.
Risks
This is a small change in some ways, but a big change in others.
If Sparkle is working correctly, this will be just fine.
If Sparkle is not working correctly, this will cause problems.
But the risk is not contained in this PR. This PR just exposes it.
Metrics
Is this change something that can or should be tracked? If so, can we do it today? And how? If its easy, do it
References
Add links to any referenced GitHub issues, Zendesk tickets, Jira tickets, Slack threads, etc.
Example:
Checklist
docs/
.docs/README.ms
and gave consideration to how discoverable or not my documentation is.Changelog.md
. If this PR did not mark a release, I added my changes into an# Unreleased
section at the top..fossa.yml
orfossa-deps.{json.yml}
, I updateddocs/references/files/*.schema.json
AND I have updated example files used byfossa init
command. You may also need to update these if you have added/removed new dependency type (e.g.pip
) or analysis target type (e.g.poetry
).docs/references/subcommands/<subcommand>.md
.