Enterprises and ISVs are increasingly using open-source code in their projects and products, and in many cases there's simply not enough attention paid to license compliance. That's the contention of startup FOSSA, which has launched a public beta of its platform for open source license management. Here are the key details from a blog post by founder and CEO Kevin Wang:
It’s mind-boggling that in 2017, software companies don’t really know what’s in their code. 90% of it now comes from third parties like open source (OSS) codebases. Although it sounds trivial, it’s actually really difficult to keep track of what your developers use. Most of this code isn’t explicitly included — instead it’s brought in automatically by complex tool behavior or one of the million ways developers casually share code.
That’s why even small software teams end up unknowingly using code with webs of license obligations towards thousands of developers—and violating them is costly.
However, today’s answer to license compliance is incompatible with how we want to write software. Companies have to rely on experts, lawyers and developers to manually audit their codebases and painstakingly manage large spreadsheets of data per release. Because of this, at some companies developers must wait for months of legal review every time they want to use an open source library or ship some code.
A lot of it falls back to this issue: developers don’t speak copyright law, or rather, copyright law doesn’t speak developer.
FOSSA integrates with your code and workflow tools to continuously audit your open source dependencies. We scan for licenses, compliance issues and analyze your code, using all the data we gather to keep your code compliant in realtime.
In addition, FOSSA integrates with issue tracking tools like JIRA and communication platforms such as Slack to push notifications and recommended fixes to development teams. FOSSA doesn't completely automate license compliance, but it takes much of the manual housekeeping (which, let's face it, might not be at the top of a developer's priority list) off the table.
The public beta comes after companies ranging from startups to the Fortune 50 tested and used FOSSA for their code releases over the past year. While the beta version is available at no charge, FOSSA is also offering a commercial edition and an on-premise deployment option.
While FOSSA's idea is far from new—companies such as Black Duck Software have offered OSS code scanning and compliance tools for many years—the startup contends its differentiation lies partly in deeper and more natural integration with development workflows. (Prospective customers can also expect FOSSA to be competitive on pricing.)
FOSSA is aiming at a big problem in software development, says Constellation Research VP and principal analyst Holger Mueller. In many companies there are simply few records of which open source code bases and versions are being used, and where, he says: "Once it works, it works, and traditionally you don't look back."
Moreover, the problem comes down to institutional knowledge, he adds. "That leaves when people and responsibilities change," Mueller says. "It's good to see someone tackling the problem."