Overview

Delivers ANE-2268

The idea behind fork aliasing is that you may be using a fork of a project, but you want FOSSA to treat it as the root project it is forked from. This will allow FOSSA to get proper vulnerability reports on the project.

To do this, you define "fork aliases" in fossa-deps.yml. They look like this:

  - fork:
      type: npm
      name: my-lodash
    base:
      type: npm
      name: lodash

In this case, the user has created a fork of lodash called "my-lodash". When this project is analyzed, the CLI will find an NPM project called "my-lodash", but because of the fork alias it will translate that into "npm+lodash" before sending it to FOSSA's servers, and FOSSA will treat it as if the dependency was always "npm+lodash".

The type and name fields must be specified. You may also specify a version.

If the version is specified for the fork, then only that version will be treated as a fork and translated to the base project.

If the version is specified for the base, then the translated dependency will always have the version specified in the base. If the version is not specified for the base, then the translated dependency will have the version of the fork.

You can also add labels to fork-aliases. These work exactly like labels for the other dependency types in fossa-deps.yml.

Acceptance criteria

• You can specify fork aliases in fossa-deps.yml, and they act as specified above
• You can add labels to fork aliased projects
• The feature is well documented

Testing plan

Start with a project with some dependencies. Add some fork aliases and test that they work.

I used these manifest files for testing. First is a go.mod file which uses a fork of github.com/anknown/ahocorasick:

module github.com/fossas/themis

go 1.24.0

require (
        github.com/anknown/ahocorasick v0.0.0-20190904063843-d75dbd5169c0
)

replace github.com/anknown/ahocorasick => github.com/fossas/ahocorasick v0.0.0-20190904063843-d75dbd5169c0

Without fork aliases, this will report a dependency of go+github.com/fossas/ahocorasick`.

Second, a package.json that has a dependency called my-lodash:

{
  "name": "fork-alias-test",
  "version": "1.0.0",
  "description": "Testing package that has a fork alias",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC",
  "dependencies": {
    "my-lodash": "spatten/lodash#4.17.21"
  }
}

and the following yarn.lock file that shows a dependency of my-lodash:

# This file is generated by running "yarn install" inside your project.
# Manual changes might be lost - proceed with caution!

__metadata:
  version: 8
  cacheKey: 10c0

"fork-alias-test@workspace:.":
  version: 0.0.0-use.local
  resolution: "fork-alias-test@workspace:."
  dependencies:
    my-lodash: "npm:4.17.21"
  languageName: unknown
  linkType: soft

"my-lodash@npm:4.17.21":
  version: 4.17.21
  resolution: "my-lodash@npm:4.17.21"
  checksum: 10c0/d8cbea072bb08655bb4c989da418994b073a608dffa608b09ac04b43a791b12aeae7cd7ad919aa4c925f33b48490b5cfe6c1f71d827956071dae2e7bb3a6b74c
  languageName: node
  linkType: hard

Without any fork aliases, you will see dependencies of go+github.com/fossas/ahocorasick$d75dbd5169c0 and npm+my-lodash$4.17.21

fossa analyze --output | jq

Now add a fosas-deps.yml with some fork aliases:

fork-aliases:
  - fork:
      type: npm
      name: my-lodash
    base:
      type: npm
      name: lodash
  - fork:
      type: go
      name: github.com/fossas/ahocorasick
    base:
      type: go
      name: github.com/anknown/ahocorasick

Compile fossa-dev on this branch:

make install-dev

Run fossa-dev analyze --output. Note that the locators have been translated from npm+my-lodash to npm+lodash and go+github.com/fossas/ahocorasick to go+github.com/anknown/ahocorasick.

Do it again without the --output flag and check that the data posted to Core is correct too. I did this using echotraffic.

go run ./main.go

fossa-dev analyze -e http://localhost:3000

and checking the body POSTed to /api/builds/custom. I also looked at the dependencies found on production:

Play around with the versions. Check that if you set a version in the fork, it only translates that version. Check that if you set a version in the base, it always translates to that version.

Also, add some labels, like this:

fork-aliases:
  - fork:
      type: npm
      name: my-lodash
    base:
      type: npm
      name: lodash
    labels:
    - label: fork-alias-testing
      scope: org
  - fork:
      type: go
      name: github.com/fossas/ahocorasick
    base:
      type: git
      name: github.com/anknown/ahocorasick
      version: 1.0.0
    labels:
    - label: fork-alias-testing-2
      scope: org

Note that to get the label to show up properly on the ahocorasick dependency, I had to make it translate to a git dependency and not a go dependnecy. This is how labels work, and nothing to do with this PR. The go dependency will get resolved to a git locator, and the label will only be shown for the resolved locator.

Risks

Highlight any areas that you're unsure of, want feedback on, or want reviewers to pay particular attention to.

Example: I'm not sure I did X correctly, can reviewers please double-check that for me?

Metrics

Is this change something that can or should be tracked? If so, can we do it today? And how? If its easy, do it

References

Add links to any referenced GitHub issues, Zendesk tickets, Jira tickets, Slack threads, etc.

Example:

• ANE-123: Implement X.

Checklist

• I added tests for this PR's change (or explained in the PR description why tests don't make sense).
• If this PR introduced a user-visible change, I added documentation into docs/.
• If this PR added docs, I added links as appropriate to the user manual's ToC in docs/README.ms and gave consideration to how discoverable or not my documentation is.
• If this change is externally visible, I updated Changelog.md. If this PR did not mark a release, I added my changes into an ## Unreleased section at the top.
• If I made changes to .fossa.yml or fossa-deps.{json.yml}, I updated docs/references/files/*.schema.json AND I have updated example files used by fossa init command. You may also need to update these if you have added/removed new dependency type (e.g. pip) or analysis target type (e.g. poetry).
• If I made changes to a subcommand's options, I updated docs/references/subcommands/<subcommand>.md.