FOSSA Overview

FOSSA is the #6 ranked solution of our top Software Composition Analysis (SCA) tools. It is rated 4.3 out of 5 stars, and is most often compared to Black Duck.

What is FOSSA?
Up to 90% of any piece of software is from open source, creating countless dependencies and areas of risk to manage. FOSSA is the most reliable automated policy engine for legal teams to maintain license compliance, security to fix vulnerabilities, and engineering to improve code quality across the entire software supply chain. As the only developer-native open source management platform, FOSSA fully integrates with your existing CI/CD pipeline to provide complete visibility and context earlier in the software development lifecycle. For the first time, teams can collaboratively shift left and audit, analyze, control, and remediate license issues and vulnerabilities right in their existing workflows.
FOSSA Buyer's Guide

Download the FOSSA Buyer's Guide including reviews and more. Updated: August 2020

FOSSA Customers

AppDynamics, Uber, Twitter, Zendesk, Confluent

Pricing Advice

What users are saying about FOSSA pricing:
  • "FOSSA is not cheap."

FOSSA Reviews

Brett Fattori
Manager of Open Source Program Office at a financial services firm with 5,001-10,000 employees
Real User
Top 20
Oct 5, 2020
Compatibility with a wide range of dev tools, web and "C-type", enables us to scan across our ecosystem, including legacy software

What is our primary use case?

We use it to scan for all licenses, to identify the open source licenses that are found, to identify licenses that are unknown or unrecognized so that we can deal with those, and we use it to make sure that our client-facing apps are compliant with open source licensing requirements.

Pros and Cons

  • "The most valuable feature is its ability to identify all of the components in a build, and then surface the licenses that are associated with it, allowing us to make a decision as to whether or not we allow a team to use the components. That eliminates the risk that comes with running consumer software that contains open source components."
  • "The solution provides contextualized, actionable, intelligence that alerts us to compliance issues, but there is still a little bit of work to be done on it. One of the issues that I have raised with FOSSA is that when it identifies an issue that is an error, why is it in error? What detail can they give to me? They've improved, but that still needs some work. They could provide more information that helps me to identify the dependencies and then figure out where they originated from."

What other advice do I have?

My advice would be to understand your software development environments before you try implementing FOSSA. How does the software move through your system? How does it go from being source code to production software? Through that, you can identify the point where you want to place FOSSA. We did an evaluation and used our software delivery pipeline to identify what should be scanned, and that helped to increase acceptance. Others will understand better, once they know their software ecosystem's final, production quality software that consumers are going to use or ingest, that that is what FOSSA…
Patrick Lonergan
Associate General Counsel at CircleCI
Real User
Jul 26, 2020
Provides contextualized, easily actionable intelligence that alerts us to compliance issues

What is our primary use case?

Our primary use case was for the license compliance. We were doing all the open-source scanning in our CI build using FOSSA. So we would use it, have a step where FOSSA would be installed, and it would scan all the open-source libraries that were being used and then report back on what those licenses were. Then that would match up with policies that we had preset in the FOSSA UI and let us know if there are any license violations with our use of open-source.

Pros and Cons

  • "FOSSA provided us with contextualized, easily actionable intelligence that alerted us to compliance issues. I could tell FOSSA exactly what I cared about and they would tell me when something was out of policy. I don't want to hear from the compliance tool unless I have an issue that I need to deal with. What was great about FOSSA was that it was basically 'Here's my policy and only send me an alert if there's something without a policy.' I thought that it was really good at doing that."
  • "I wish there was a way that you could have a more global rollout of it, instead of having to do it in each repository individually. It's possible, that's something that is offered now, or maybe if you were using the CI Jenkins, you'd be able to do that. But with Travis, there wasn't an easy way to do that. At least not that I could find. That was probably the biggest issue."

What other advice do I have?

It's easy to use, it's easy to maintain, and it saves you time on your open-source license compliance work. I felt like the solution was very tailored for open-source license compliance with their license. I would rate FOSSA a nine out of ten. There were a few little things that could be improved, but overall for my use case, it was great.
Justin Giannone
Sr. Security Architect at a computer software company with 1,001-5,000 employees
Real User
Top 20
Oct 12, 2020
Embedded within the software development lifecycle as close to the introduction of dependencies as possible

What is our primary use case?

FOSSA provides a command line interface tool, and we always use the latest version of that. It gets pulled down automatically by some scripts that I've written, so we will always pull down its latest version. We're using it primarily for the free, open source license compliance portion of it. Those scripts that I've built have the ability to be able to fail builds on pull request checks, though we haven't started enforcing that yet. Therefore, we're really primarily using FOSSA as a dependency inventory tool, then our legal team can also review and give feedback to the teams about the licenses…

Pros and Cons

  • "Their CLI tool is very efficient. It does not send your source code over to their servers. It just does fingerprinting. It is also very easy to integrate into software development practices."
  • "On the legal and policy sides, there is some room for improvement. I know that our legal team has raised complaints about having to approve the same dependency multiple times, as opposed to having them approved once across the entire organization."

What other advice do I have?

With my engineering background, I was supporting legal from the technical side of things in order to get the processes and checks embedded into the development process. The accuracy of the policies and checks was handled by the legal team. I recommend taking a look at, or at least considering, the approach that I took, where I wrote some scripts to automate the steps within a continuous integration pipeline. We've actually open sourced the scripts that we used. They're on GitHub. While the FOSSA CLI tool is fantastic, there tends to be a bit more functionality that you need to build around it…
reviewer1361748
Sr. Director of Open Source at a comms service provider with 10,001+ employees
Real User
Jun 14, 2020
Integrated into our build pipeline and automatically scans for compliance, giving us confidence problems will be caught

What is our primary use case?

The primary use case for FOSSA is that when we build mobile applications (we have a few dozen mobile applications that we build) the build script calls FOSSA automatically and determines through the FOSSA scan what licenses are being used in the dependencies, and it determines if they comply with our policies. If they don't, it notifies that there's a problem. If they do, it generates information that we turn into a report that we then use to disclose what licenses we're using in our product. There's a secondary use case, which isn't about mobile apps but about looking at code in general and…

Pros and Cons

  • "I found FOSSA's out-of-the-box policy engine to be accurate and that it was tuned appropriately to the settings that we were looking for. The policy engine is pretty straightforward... I find it to be very straightforward to make small modifications to, but it's very rare that we have to make modifications to it. It's easy to use. It's a four-category system that handles most cases pretty well."
  • "Security scanning is an area for improvement. At this point, our experience is that we're only scanning for license information in components, and we're not scanning for security vulnerability information. We don't have access to that data. We use other tools for that. It would be an improvement for us to use one tool instead of two, so that we just have to go through one process instead of two."

What other advice do I have?

Focus on those applications that pose licensing risks. I don't believe that one needs to use FOSSA to scan everything. You need to use FOSSA to scan products that you distribute to third parties. The biggest lesson I have learned using the solution is that command-line integration is the most important part of a scan tool. We don't really have "users" using it. There's really only one person who does most of the work around FOSSA and everything is automated. Very rarely does somebody go into the tool and do anything, but we have many apps that are scanned with FOSSA. The one person who goes…
reviewer1357983
Attorney at a legal firm with 11-50 employees
Real User
Jun 30, 2020
The data provided makes it really easy and effective to determine the source of the license or security concern

What is our primary use case?

Our use cases are for handling incoming open-source software for high speed or agile development that our teams are doing. We also use it for looking at security vulnerabilities in real-time as they're doing their daily builds. It helps to compile distribution acknowledgments or the open-source acknowledgments that need to go out with any distributions.

Pros and Cons

  • "The most valuable feature is definitely the ease and speed of integrating into build pipelines, like a Jenkins pipeline or something along those lines. The ease of a new development team coming on board and integrating FOSSA with a new project, or even an existing project, can be done so quickly that it's invaluable and it's easy to ask the developers to use a tool like this. Those developers greatly value the very quick feedback they get on any licensing or security vulnerability issues."
  • "We have seen some inaccuracies or incompleteness with the distribution acknowledgments for an application, so there's certainly some room for improvement there. Another big feature that's missing that should be introduced is snippet matching, meaning not just matching an entire component, but matching a snippet of code that had been written for another project and put in different files that one of our developers may have created."

What other advice do I have?

With the rapid growth of the consumption of open-source in development, it was no longer feasible for attorneys to manually review every incoming component on an individual case by case basis. Having a tool to automate the review, both from a legal, but also a security perspective, and provide near-immediate feedback to the developer was critical to have. My advice would be that if you have a very large volume of open-source that you can apply clear and consistent policies to or you currently do that in a manual process, that something like this is absolutely worth every dollar to be able to…
Eric Griswold
Principal Release Engineer at Puppet
Real User
Oct 12, 2020
Does a good job showing us if we're using open source licenses that conflict with our closed source components

What is our primary use case?

Our major use case is to do open source license compliance. Puppet Enterprise consists of about 90 open source packages under constant development. And it also has some components which are not open source. When we release Puppet Enterprise, we have to make sure that anything that we're relying on is something that we are allowed to use, in an open source sense. It does do security scanning, which is something that we're interested in and want to do, but we've only been using FOSSA casually for that. I am the only person really running the FOSSA jobs. I have a FOSSA job that runs daily, that…

Pros and Cons

  • "What I really need from FOSSA, and it does a really good job of this, is to flag me when there are particular open source licenses that cause me or our legal department concern. It points out where a particular issue is, where it comes from, and the chain that brought it in, which is the most important part to me."
  • "I would like the FOSSA API to be broader. I would like not to have to interact with the GUI at all, to do the work that I want to do. I would like them to do API-first development, rather than a focus on the GUI."

What other advice do I have?

There is a temptation to try to insert FOSSA into continuous integration. That was certainly my temptation. To me, that is more work than it ought to be. Sequestering FOSSA into its own job worked out better than trying to insert it into continuous integration. It does not need to be run in continuous integration. It's not something you need on every commit. That would be an overuse of the tool. Being able to do it as a side project keeps unnecessary failures from happening and it keeps a lot of other things, like unnecessary noise, from happening. However, that's my use case for my…
Christina Luu
Program Manager at a consumer goods company with 10,001+ employees
Real User
Oct 4, 2020
Improves productivity by saving a lot of time for our software developers

What is our primary use case?

We use it to scan all of our open source projects, including all of our internal projects that people use. We are about to roll it out to the whole company. Currently, we're only using it for open source projects, making sure people are scanning before they get the project approved.

Pros and Cons

  • "The support team has just been amazing, and it helps us to have a great support team from FOSSA. They are there to triage and answer all our questions which come up by using their product."
  • "I would like more customized categories because our company is so big. This is doable for them. They are still in the stages of trying to figure this out since we are one of their biggest companies that they support."

What other advice do I have?

If this is the type of product that you're looking for, they are one of the best products that you can use. The support team has just been amazing, and it helps us to have a great support team from FOSSA. They are there to triage and answer all our questions which come up by using their product. I am not a daily user. I do more of the program management side of setting it up for everyone. I don't actually use it on a day-to-day type of basis. I would rate the solution a 10 out of 10.