Profile
FOSSA is a comprehensive software supply chain management platform that automates open source license compliance, security vulnerability management, and Software Bill of Materials (SBOM) generation. The platform combines a zero-configuration dependency detection engine with sophisticated analysis capabilities across multiple programming languages and build systems. As an established solution used by organizations from small development teams to Fortune 50 enterprises, FOSSA distinguishes itself through deep integration capabilities and automated policy enforcement, enabling organizations to ship software faster while managing legal, security, and regulatory risks.
Focus
FOSSA addresses three fundamental challenges in modern software development: managing open source license compliance across large dependency trees, identifying and remediating security vulnerabilities in third-party components, and maintaining accurate software composition visibility through SBOM generation. The platform serves development teams, legal departments, and security professionals who need to maintain control over their software supply chain. Core benefits include automated dependency detection, policy enforcement, and comprehensive analysis of both source and binary components, enabling organizations to scale their compliance and security practices efficiently.
Background
Founded in 2015 by Kevin Wang, FOSSA emerged from the growing need for automated open source compliance tools in modern software development. The company has raised $38.4 million in venture capital from investors including Bain Capital Ventures and Costanoa Ventures. The platform follows a hybrid distribution model, pairing an open-source CLI tool (licensed under MPL-2.0) with a commercial SaaS platform. FOSSA's acquisition of StackShare in 2024 expanded its capabilities into broader developer tools management.
Main features
Automated dependency analysis and license compliance
The platform's dependency detection engine automatically identifies and catalogs software components across diverse technology stacks without manual configuration. It supports over twenty programming languages and package managers, analyzing both direct and transitive dependencies through deep integration with build tools. The system performs build-time analysis for maximum accuracy and employs multiple detection strategies, including binary composition analysis for compiled artifacts. Its license detection algorithms achieve 99.8% accuracy in identifying licenses, even with non-standard variations.
Comprehensive vulnerability management system
FOSSA provides continuous security monitoring through multiple vulnerability databases, including both public sources and proprietary intelligence. The system enriches vulnerability data with contextual information including CVSS scores and exploitation probability metrics, enabling effective prioritization. Advanced remediation guidance analyzes entire dependency trees to identify optimal upgrade paths that address multiple vulnerabilities simultaneously while minimizing breaking changes. Policy-based gates automatically prevent the introduction of components with unacceptable vulnerability profiles.
Enterprise-grade SBOM generation and management
The platform delivers complete SBOM lifecycle management supporting multiple standard formats including SPDX and CycloneDX. SBOM generation leverages comprehensive dependency detection to produce accurate software inventories including all mandatory elements plus enriched metadata. The system supports multiple granularities from individual projects to release groups, with customizable field inclusion and relationship depth. Distribution capabilities include flexible sharing options with access controls, version tracking, and support for third-party SBOM import and analysis.