What is our primary use case?
Our primary use case was license compliance. We were doing all the open-source scanning in our CI build using FOSSA. So we would use it, have a step where FOSSA would be installed, and it would scan all the open-source libraries that were being used and then report back on what those licenses were. Then that would match up with policies that we had preset in the FOSSA UI and let us know if there were any license violations with our use of open-source.
How has it helped my organization?
Prior to FOSSA, we were really struggling to get priority to get open-source scanning set up on a repository. We were actually using Flexera before we came to FOSSA, and we would run a scan on one of our repos and get around 10,000 results. I'm one person and this is a tiny fraction of my job. I didn't know how I was ever going to get through all those results, and once I saw what FOSSA could do, we were up and running on a lot more repos much more quickly with FOSSA. It wasn't giving us tons of false positives; FOSSA was just giving us what we cared about. We had presets and it was matching against policies. That was a big thing.
FOSSA provides functionality that allowed you to do public reports of the dependencies you use. So if you were doing attribution for a mobile app, for example, you could iframe FOSSA's report of all the dependencies and use that as the attribution that they require for a mobile app or other distributed software. That was really nice. That was a functionality that put them ahead at the time. Prior to using FOSSA, we would run these scans and we had figured out the dependencies, and then I had the engineers implement it in the mobile app with all the lists of all the attributions we needed. If something changed, I would have to have the engineers redo it, whereas with FOSSA, since those reports were constantly being generated every time a CI build was run, that list was always up to date. I didn't have to worry about the engineers updating it or keeping it current if something changed. That was a really nice functionality I liked.
FOSSA provided us with contextualized, easily actionable intelligence that alerted us to compliance issues. I could tell FOSSA exactly what I cared about and they would tell me when something was out of policy. I don't want to hear from the compliance tool unless I have an issue that I need to deal with. That was what was great about FOSSA. It was basically "Here's my policy and only send me an alert if there's something without a policy." I thought that it was really good at doing that.
As soon as I got an alert from FOSSA, I could reach out to the engineers who were working on or owned that repo and say, "FOSSA's telling me that we're using this dependency that's out of our policy," or that it couldn't find a license for the dependency, or whatever it was, and it would tell me exactly what the issue was. There's no license on this dependency, and then I could just tell them exactly what the issue was. They could look into it and say, "Oh, actually there is a license. For some reason FOSSA wasn't picking it up." Or, maybe the project's dual-licensed and FOSSA thought it was GTL, but it's actually GPL and it would be a fee.
I felt that FOSSA told me exactly when there was an issue and what the issue was, and then I could work with the engineers to easily figure out if there truly was an issue that needed remediation, or if it was some sort of course in-process tool. The other thing that was helpful is that a lot of times people would come and say, "Send me a list. What are all the dependencies that we use on this project?" I could easily generate those reports in FOSSA. I could go in and see where all the dependencies were and whether each was a transitive or direct dependency. That's all really nicely done in FOSSA's UI. For open-source license compliance, FOSSA had the nicest UI of any of the products that I looked at. We tried a few. For me on the legal team, that was really what I cared about.
I would describe FOSSA as being holistic in that it helps us work with both legal teams and DevOps. Our engineers found it easy enough to use. I think a lot of engineers are willing to follow a policy, but they're not really interested in being in charge of managing it. They liked the fact that they could easily get into the tool and see if there was an issue, and that they didn't have to do a lot of tinkering with it to keep it running. Their favorite part about it was probably that it was easy enough for them to use and help me out, but it didn't require a lot of work on their part.
It enabled us to deploy software at scale. It's a huge company. We could keep doing what we were doing and feel that we were in compliance with all of our open-source obligations.
FOSSA also decreased the time our staff spent on troubleshooting. It helped us save time with staying on top of open-source license compliance. Once it was set up, it kind of ran itself. It only reached out to me with an issue when it thought there was one.
I would say it probably saved me on average five or six hours a week. It's allowed me to only spend a few hours a week doing things related to open-source license compliance, which I thought was great.
What is most valuable?
The box policy was great. It was very closely aligned. We had multiple policies depending on which code base we were scanning, so we had some code that was software as a service and we had some code that was distributed. We had different policies for that. The policy-setting at FOSSA is the number one reason I picked it, because the policy setup and having the different policies were so easy and so intuitive. It was really exactly what I needed for what we cared about at my company and what we were looking for, and the checking against the policy and licensing really meshed well with the way FOSSA did it.
I like that their result set was very tailored. Some other open-source license management things, like Flexera, for example, would do a really in-depth, crazy scan where it gives you 10,000 results, and then you have to go through and check which result sets you actually care about and clear the stuff that you're not concerned about, which was too time-consuming. FOSSA is very tailored. It gives us the dependencies that we know we use.
FOSSA's result set was very tailored to what I cared about. I didn't have to spend a whole bunch of time clearing a whole bunch of false positives. I was really the only person on the legal team doing open-source compliance. I didn't have a whole team of compliance people to go through and look at a million potentially false positives. I needed something that would just give me the information I cared about and then tell me if there was a change once I had approved the ongoing list.
In terms of its compatibility with the wide range of developer ecosystem tools, when I was at my previous company, we used it with three different CI tools. We used it with CircleCI, Travis, and Jenkins. It was set up to work the best with CircleCI. I thought it was pretty easy to set up with all three. I think it depended on the complexity of your CI setup. With Jenkins, for example, which is notoriously difficult to set up, the setup there was also pretty complex.
Overall, I thought it was pretty easy to set up. I did most of the coding myself and I'm not a software engineer anymore but I was still able to figure it out. It was pretty easy, pretty compatible, pretty user-friendly and certainly, for an actual true software developer, not a reformed one, it wouldn't be a problem for someone to set up and use.
It made it so that it was something that even a legal team could set up. It's a one-time setup and then you're just off and running unless you change something or add a new repository you want to do scanning on. It's great. Setting it up in the CI and having it run was one of the appeals.
What needs improvement?
I wish there was a way that you could have a more global rollout of it, instead of having to do it in each repository individually. It's possible that's something that is offered now, or maybe if you were using Jenkins as your CI, you'd be able to do that. But with Travis, there wasn't an easy way to do that. At least not that I could find. That was probably the biggest issue.
Another thing is that they were super great to work with. I could contact them, and the engineers were very responsive to the questions I had, or if there was some issue I found, they were always helpful working it out. I would say that the documentation would probably be another area that could use some work. If I was doing something that was undocumented, which I might know about because I had talked to one of the engineers at FOSSA, then our engineers were always a little worried that it wasn't documented and whether they should be using an undocumented feature. I felt like the documentation a lot of times trailed the product functionality a little bit. If you were trying to solve problems on your own, sometimes it wasn't the easiest.
For how long have I used the solution?
I used FOSSA for a year.
We had the FOSSA CLI integrated into our CI service, which in our case was Travis. On each build, we would install whatever the current version of the FOSSA CLI client was.
What do I think about the stability of the solution?
We only had a few times where we ran into any sort of issue with them having downtime.
What do I think about the scalability of the solution?
The scalability was good. We had no issues with the scaling to our whole organization, aside from just the limits on my time to spend doing it.
I'm not sure how many people were actually using it, but all of the engineers had access. Then there were a few of us on the legal and security teams who all had access too.
I supported most of the engineering team because I was more technical and a more IP-focused attorney amongst other things. I had a lot of relationships with different people on our engineering team at my company. I would reach out to them directly. When we started using FOSSA we were one of the earlier customers. I got to know them, they were a couple of blocks away, and they were really accessible. I would end up reaching out to them via a Slack channel.
Which solution did I use previously and why did I switch?
We also used Flexera. I thought the setup was too complicated and the results weren't focused enough. It wasn't set up in our CI system. You'd have to manually run scans periodically instead of it being run every time that a build was run in CI. It wasn't scalable for us and it was not efficient enough for us with the team size that we had.
How was the initial setup?
The initial setup was straightforward. It depends on how many repos you have; it can be a bit time-consuming, at least in the Travis world, only because you have to do it for every single project. This might just be because of how the setup is in Travis. There might be a simpler way, but we spent a decent amount of time getting it set up only because we also had around a thousand repos to set up. It wasn't so much that any individual setup was complicated. It was the number of projects that needed to be set up and that you had to do each one individually. The entire setup took a few months.
There is a simpler setup that FOSSA offers, which is like a more traditional scan where it's not set up in CI. That was set up where it scanned all of our repos. When we very first started with FOSSA, it did that in a matter of a few hours. We had results for all of our projects in a few hours. It was just the actual CI setup part that took a few months.
I had a priority list of things that I cared about. I evaluated the repos that I thought were a higher priority to know where we were. I had a list that I created and worked down from. They were either bigger, distributed projects, or for a variety of other reasons, I might've prioritized them and then just worked down through that list.
What about the implementation team?
We did not use a third-party for the implementation. Although I understand that FOSSA offers professional services to help with implementation, we decided to do it ourselves.
It was primarily me with input from engineers. I had realized that once I had a pretty good idea of how to set it up on a Go project, in the way the CI for a Go project was set up at my previous company, then I could replicate that work. Usually, it would be me working with an engineer who was familiar with that type of project. Then I would just take it from there.
We don't need too many people for maintenance. Depending on what the issue was, I would reach out to whatever engineer I thought I needed, based on what the project was, who owned it, what the issue was, and things like that.
All the engineers had access if they wanted to. I don't know how many of them used it.
What was our ROI?
We did see ROI. We had results the very first day that we had set it up. My confidence in what the results were was much higher with FOSSA than it had been with Flexera. I would say that we've had a nice return on investment just from the time spent by our team reviewing the results, plus our confidence in the accuracy of those results.
What's my experience with pricing, setup cost, and licensing?
In terms of pricing, I thought FOSSA was reasonable but slightly more expensive than Flexera if I recall. You weren't having to do IT stuff yourself. I certainly think in terms of time saved, it was more than satisfactory.
Which other solutions did I evaluate?
We had also looked at Black Duck and that was pretty much it.
My recollection was that Black Duck was a lot like Flexera. It wasn't set up in CI. The results set was too big. Also, the setup was hard. We had to host Flexera. I had to have IT set up an AWS instance that I could then use for the set up of Flexera. It was a lot of work.
What other advice do I have?
It's easy to use, it's easy to maintain, and it saves you time on your open-source license compliance work. I felt like the solution was very tailored for open-source license compliance with their license.
I would rate FOSSA a nine out of ten. There were a few little things that could be improved, but overall for my use case, it was great.