docs/references/strategies/README.md (+15, -1)
@@ -129,12 +129,26 @@ With this option enabled, strategies that don't offer a way to analyze staticall
129
129
130
130
It is important to note that neither type of strategy has an inherent benefit when detecting dependencies. If a supported language has only a static or only a dynamic strategy, this does not mean it is less supported than a language that has both.
131
131
132
+
## Strict Analysis
133
+
134
+
Strict analysis enforces the use of the most accurate strategy for detecting dependencies, ensuring precise and consistent results by rejecting fallback methods that may offer less reliable detection.
135
+
136
+
For example, in Maven projects, FOSSA CLI attempts analysis with the following strategy order:
137
+
138
+
1. Run the [mavenplugin](../strategies/languages/maven/mavenplugin.md) strategy, which provides the most accurate dependency information.
139
+
2. If that fails, it attempts the [treecmd](../strategies/languages/maven/treecmd.md) strategy, which parses the output of the `mvn dependency:tree` command.
140
+
3. Finally, it falls back to the [pomxml](../strategies/languages/maven/pomxml.md) strategy, scanning pom.xml files for dependencies.
141
+
142
+
However, with the `--strict` flag, only the `mavenplugin` strategy will be used. If the `mavenplugin` command fails, FOSSA will not attempt the `treecmd` or `pomxml` methods. This ensures that your Maven analysis relies solely on the most precise and validated strategy.
143
+
144
+
Invoke strict analysis with the `--strict` flag when running `fossa analyze`.
145
+
132
146
### Strategies by type
133
147
134
148
> If the FOSSA CLI is forced to utilize a fallback strategy, meaning it did not detect ideal results, a warning is emitted in the scan summary after running `fossa analyze`.
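Review bot: The new Strict Analysis section says that with `--strict` "only the `mavenplugin` strategy will be used", but the `--strict` row this same change adds to `docs/references/subcommands/analyze.md` says that when combined with `--static-only-analysis` the most optimal static strategy is applied without fallbacks; for the Maven example given here that would be `pomxml`, not `mavenplugin`. Add a sentence covering that interaction so the two documents agree. The section also leaves open what happens when the single permitted strategy fails under `--strict` (does `fossa analyze` report an error, exit non-zero, or simply produce no Maven results?), which is exactly what a reader needs in order to choose between strict mode and the default fallback-plus-warning behaviour described in the blockquote directly below. Minor: the links are written as `../strategies/languages/maven/...` from inside `docs/references/strategies/`, which resolves but is a roundabout form of `./languages/maven/...`.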
docs/references/subcommands/analyze.md (+23, -22)
@@ -13,26 +13,26 @@ For supported command-line flags, use `fossa analyze --help`
13
13
14
14
In addition to the [usual FOSSA project flags](#common-fossa-project-flags) supported by all commands, the analyze command supports the following FOSSA-project-related flags:
The Vendored Dependencies feature allows you to scan for licenses directly in your code. For more information, please see the [Vendored Dependencies documentation](../../features/vendored-dependencies.md).
|`--force-vendored-dependency-scan-method`| Force the vendored dependency scan method. The options are 'CLILicenseScan' or 'ArchiveUpload'. 'CLILicenseScan' is usually the default unless your organization has overridden this. |
82
82
|`--force-vendored-dependency-rescans`| Force vendored dependencies to be rescanned even if the revision has been previously analyzed by FOSSA. This currently only works for CLI-side license scans. |
83
83
@@ -128,11 +128,12 @@ We support the following archive formats:
128
128
129
129
In addition to the [standard flags](#specifying-fossa-project-details), the analyze command supports the following additional strategy flags:
|[`--detect-vendored`](./analyze/detect-vendored.md)| Enable the vendored source identification engine. For more information, see the [C and C++ overview](../strategies/languages/c-cpp/c-cpp.md). |
134
-
|[`--detect-dynamic './some-binary`](./analyze/detect-dynamic.md)| Analyze the binary at the provided path for dynamically linked dependencies. For more information, see the [C and C++ overview](../strategies/languages/c-cpp/c-cpp.md). |
135
-
|[`--static-only-analysis`](../strategies/README.md#static-and-dynamic-strategies)| Do not use third-party tools when analyzing projects. |
|[`--detect-vendored`](./analyze/detect-vendored.md)| Enable the vendored source identification engine. For more information, see the [C and C++ overview](../strategies/languages/c-cpp/c-cpp.md). |
134
+
|[`--detect-dynamic './some-binary`](./analyze/detect-dynamic.md)| Analyze the binary at the provided path for dynamically linked dependencies. For more information, see the [C and C++ overview](../strategies/languages/c-cpp/c-cpp.md). |
135
+
|[`--static-only-analysis`](../strategies/README.md#static-and-dynamic-strategies)| Do not use third-party tools when analyzing projects. |
136
+
|`--strict`| Enforces strict analysis to ensure the most accurate results by rejecting fallbacks. When run with `--static-only-analysis`, the most optimal static strategy will be applied without fallbacks. |
136
137
137
138
138
139
### Experimental Options
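Review bot: The new `--strict` row is the only entry in this strategy-flag table whose flag name is not a link, while its neighbours link to their documentation (for example `--static-only-analysis` links to `../strategies/README.md#static-and-dynamic-strategies`); since this change adds a `## Strict Analysis` heading to that README, link the flag the same way, e.g. ``|[`--strict`](../strategies/README.md#strict-analysis)| Enforces strict analysis ...``. The three rows above it are removed and re-added with no visible text difference, which suggests a whitespace or column re-alignment; keeping that separate from the content change (or noting it in the description) would stop it from burying the one real addition in a `+23-22` diff. While those rows are being touched anyway, `--detect-dynamic './some-binary` is missing its closing quote in both the removed and the re-added line.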
@@ -142,7 +143,7 @@ _Important: For support and other general information, refer to the [experimenta
142
143
In addition to the [standard flags](#specifying-fossa-project-details), the analyze command supports the following experimental flags:
|[`--experimental-enable-binary-discovery`](../experimental/binary-discovery/README.md)| Enable reporting binary files as unlicensed dependencies. For more information, see the [binary discovery overview](../experimental/binary-discovery/README.md). |
147
148
|[`--experimental-link-project-binary './some-dir'`](../experimental/msb/README.md)| Link the provided binary files to the project being analyzed. For more information, see the [multi stage builds overview](../experimental/msb/README.md). |
148
149
|[`--experimental-skip-vsi-graph 'custom+1/some$locator'`](../experimental/msb/README.md)| Skip resolving the dependencies of the given project that was previously linked via `--experimental-link-project-binary`. |