When developing C and C++ projects, no standard package manager is used. Consequently, we use statistical analysis of the project to determine likely vendored dependencies, and support inspecting output binaries for dynamically linked dependencies on some platforms.
| Strategy | Direct Deps | Transitive Deps | Edges | Container Scanning |
|---|---|---|---|---|
detect-vendored |
✅ | ❌ | ❌ | ❌ |
detect-dynamic |
✅ | ✅ | ❌ | ❌ |
detect-vendored: The root of the scan directory is assumed to be the only "project".detect-dynamic: The binary indicated by the argument is assumed to be the only "project".
detect-vendored: Runfossa analyze --detect-vendored.- To only detect vendored dependencies, run
fossa analyze --detect-vendored --only-target vsi.
- To only detect vendored dependencies, run
detect-dynamic: Runfossa analyze --detect-dynamic <BINARY_PATH>.- This inspects the binary at
BINARY_PATHfor dynamically linked dependencies. - This requires specific platform support, see extended documentation under further reading.
- This inspects the binary at
Further reading: