DEV Community

Cover image for Using FOSSA for License Compliance
Brennan for PullRequest

Posted on • Originally published at pullrequest.com on

Using FOSSA for License Compliance

Technical leaders are often caught by surprise during diligence on a round or exit: the list of asks is long, daunting, and seemingly designed to slow down the process. There's one diligence ask that I have seen derail rounds and exits that's not nearly as hard to manage as it may seem... the developer tool FOSSA

Projects are usually littered with code from many sources. From importing via package manager to copy and pasted from Stack Overflow (a very risky practice, as establishing a chain of ownership is nearly impossible), developers add dependencies in a variety of ways.

For an acquirer or a venture capitalist, this is problematic. As an example: Facebook's original license for React included a reasonable IP assignment that could theoretically prevent a company for suing Facebook for anything related to patents (they have since re-licensed it to MIT). For a startup, this is a fair trade off: the likelihood of ever engaging with Facebook on a legal scale is low, while the velocity gained from using React is high.

Even items like packages licensed with certain GPL versions means an unacceptable risk for corporate compliance teams.

Historically, this meant all-hands going through the code base, refactoring where code authorship can't be established, or hiring an external consulting firm to do it for a substantial amount of money. Over my last exit (and our Series A financing here at PullRequest), I found a better approach with much less friction.

Step 1) Sign Up for FOSSA

GitHub, Bitbucket, and GitLab integrations are available, as well as manually uploading an archive of your project if you host your code in other places. Make sure to pick whether you're distributing code or offering a web service, as FOSSA will suggest a sane set of rules to check for within your project.

Step 1 Sign Up for FOSSA

Step 2) Run Your Code Through FOSSA

Wait for the inspectors to run; a successful run will be pinned to the branch or version of the project that you have manually uploaded.

Step 2 Run Your Code Through FOSSA

Step 3) Generate A Report

A list of compatible, non-compatible, and action items for adherence will appear. Most legal firms will want PDFs of these pages; they are helpfully print formatted and make an excellent combined file when complete.

Generate a Report

That's all there is to it. While this won't completely replace a strict monitoring of your development team for bad behaviors (for instance, copying and pasting the entirety of a Stack Overflow answer), it will save you a ton of time during diligence.

At PullRequest, we recommend making this part of your workflow. We attach the resulting badges to each of our repositories, that way we know if we've introduced something that's incompatible with our targeted policy.

Here's an example license badge for one of my open source projects (a PHP wrapper for the background search service Checkr)

FOSSA Status

This was originally posted on PullRequest's blog. Get your code reviewed by professional reviewers: Sign up today for PullRequest

Top comments (0)