​FOSSA: Open-sourcing open-source license management

No one ever became a programmer so they could mange open-source licenses. But, that’s what many developers must do these days. Black Duck Software, the open-source software logistics and legal solutions provider, and North Bridge found in 2015 that 66 percent of companies create open-source software. That’s great, but all that code comes with a wide variety of licenses, each with its own set of requirements. What’s a developer or company to do?

There have long been corporate programs, such as those from Black Duck Software, White Source Software, and Sonatype, which provide code scanning and open-source licensing management. This isn’t a small job. According to Sonatype, the average application contains 106 open-source components.

Kevin Wang, CEO of FOSSA, has a different approach. The 22-year-old founder told me at Open Source Leadership Summit in Sonoma, CA: “Code scanning is not enough anymore. FOSSA’s approach to dependency scanning leverages both static and dynamic code analysis. Dynamic analysis allows FOSSA to get an accurate, live view of what dependencies are pulled into builds. Static analysis supplements the results with metadata on how dependencies are included to power deep intelligence features and recommendation engines. Both these approaches are used to build the most accurate, performant, and intelligent infrastructure for managing your open source.”

That’s all well and good, but by open-sourcing its dependency analysis infrastructure, the company is taking an interesting step forward. FOSSA is using open source to automatically manage open-source licensing. I like this plan.

The program supports over 15 languages and environments. These include JavaScript, Java, Ruby, Golang, and PHP. FOSSA today is a web service, written in Go, that you import from GitHub.

FOSSA works by analyzing your project for dependencies after your build system has built your project. This provides much more precise dependency information than just reading package manifest files. This is a real problem. As FOSSA points out:

  • Some build tools are non-deterministic, so two builds with the same configuration may result in different dependencies being used.
  • Many ecosystems use semantic versioning to specify dependency ranges, so running the same build at different points in time may cause different dependencies if a new version was published.
  • Some build tools will execute external commands or arbitrary code which is impossible to statically analyze.

So, instead of trying to guess at your build system’s behavior, FOSSA runs locally using your build tools to determine a list of exact dependencies used by your binary.

There’s a real need for this. Despite the commercial tools that are already available, Wang said, most people still use a spreadsheet to track licensing requirements manually.

So, why open source FOSSA’s approach? Wang explained, “At the end of the day everyone uses open source differently. Even though in many languages there’s some conventions and structure towards dependencies, you will always have plenty of edge cases due to the breadth of ways people share code. That’s why it’s critical that this is an open and collaborative project.”

FOSSA itself is licensed under the Mozilla Public License 2.0. To make money from this plan, Wang explained that while the command-line interface (CLI) version is free and open source, the web-based dashboard and support will provide the revenue needed to keep FOSSA’s doors open.

I think Wang’s on to something here. Managing open-source licenses is a necessary evil, and FOSSA addressing it head on with an open-source approach may be just what’s needed to bring it to heel.

Related Stories: