Today, I’m pleased to announce the launch of FOSSA (v0.4.0) — our public beta release to help you track your open source libraries and comply with their licenses.
We’re also announcing a $2.2MM seed round led by Salil Deshpande at Bain Capital Ventures and participation from angels including Marc Benioff (Chairman/CEO, SalesForce), Jaan Tallin (Co-Founder, Skype), Steve Chen (CTO/Co-Founder, YouTube), Amr Awadallah (CTO/Co-Founder, Cloudera) and Justin Mateen (CMO/Co-Founder, Tinder).
Current FOSSA on-prem customers will receive this version with release notes in the upcoming weeks.
Taking back control of your code
As software developers, we’re entering a world where we no longer write nor own the majority of the code that we ship in our products. Instead, the average modern app relies on code shared by thousands of third-party developers.
When I want a new feature, I can run a single command to bring in massive amounts of code to implement it. However, I never really know what I’m getting — What’s in this code? Who owns it? What are the terms of use? Can I trust it?
It’s mind-boggling that in 2017, software companies don’t really know what’s in their code. 90% of it now comes from third parties like open source (OSS) codebases. Although it sounds trivial, it’s actually really difficult to keep track of what your developers use. Most of this code isn’t explicitly included — instead it’s brought in automatically by complex tool behavior or one of the million ways developers casually share code.
That’s why even small software teams end up unknowingly using code with webs of license obligations towards thousands of developers—and violating them is costly. Companies have given up intellectual property, faced high-profile lawsuits or even lost the ability to sell simply because they have no way to understand what their developers use. For large companies with high exposure, this issue extends to huge gaps in their preparedness for modern development.
Throwing people at the problem
Modern development is all about moving fast. Code sharing allows you to skip huge development cycles, agile pushes your team to move quickly and CI/CD is all about automation.
However, today’s answer to license compliance is incompatible with how we want to write software. Companies have to rely on experts, lawyers and developers to manually audit their codebases and painstakingly manage large spreadsheets of data per-release. Because of this, at some companies developers must wait for months of legal review every time they wanted to use an open source library or ship some code. Development has become too quick and too reliant on open source software for slow, manual processes to succeed.
A lot of it falls back to this issue: developers don’t speak copyright law, or rather, copyright law doesn’t speak developer.
Years ago, I built a small resource called tl;drLegal to make open source licensing easier for developers — inspired by the internet’s common treatment of legalese: tl;dr (“Too long; didn’t read”). Instead of parsing a 13-page mind-boggling LICENSE file, developers could look up any license summarized in plain English:
Today, the site has grown to become a standard resource on open source licenses, reaching over 1M developers and backing by the Open Source Initiative.
This project revealed how the developer attitude towards licenses created risk for larger companies. With the support of a Thiel Fellowship and some great investors, FOSSA was born — a product to help you manage your open source licenses that understands your modern workflow.
Speaking modern development
Here at FOSSA, we believe that new products need to fit your workflow, not the other way around. Instead of adding layers of manual review, retroactive audits, training or approval at your company, you should be able to keep your development workflow going with an automated compliance process you can trust, running in the background.
FOSSA integrates with your code and workflow tools to continuously audit your open source dependencies. We scan for licenses, compliance issues and analyze your code, using all the data we gather to keep your code compliant in realtime.
Some examples of what we do:
- Proactive, full code scans for unlicensed dependencies, policy conflicts and other licensing issues w/actionable fixes (sync’d with trackers like JIRA)
- Alerts and plugins to emails, Slack channels, code review, CI/CD, and more…
- Default license policies and request templates for common app types written by top lawyers (~$50,000 legal work baked-in)
- Automated disclosures & attribution collected from full source scans — either hosted/updated for you or downloadable (PDF, Markdown, HTML)
- And much more (plain english license checklists, release comparisons, dependency management/exploration, history and audit logging, build analysis, APIs, etc…)
You can see a full feature tour here.
Because FOSSA keeps your code clean in realtime, one of the great benefits is how much flexibility this adds to releases. Instead of waiting on legal review, developer teams can ship at any time, relying on FOSSA to handle compliance reporting around outgoing code and analyze all inbound code. For instant setup, we configure to your workflow with automatic tooling integrations to make Slack, code review, CI or whatever you use smarter.
Check our customer SmartThings who makes dozens of releases a day with FOSSA!
What’s launching today
For the past year, FOSSA has been incubating at some of the most cutting edge software teams from mid-stage startups to the Fortune 50. Across energy, enterprise software, embedded systems, consumer products and more, FOSSA customers have collectively made thousands of releases with our tool to millions of end-users.
Today, a free version of our product becomes widely available through a public beta. Alongside, we’re launching a “For Business” offering that bundles a bunch of commercial features and an on-prem option for $499/repo/mo.
Currently, FOSSA supports a variety of languages (like Java, Python, JavaScript, Ruby, ObjC/Swift, Rust, Go and more…) and full git-branching coding/review workflows. Over the next few months, we will begin unlocking more features and integrations, as well as introduce new options designed for small companies and open source projects.
Our ultimate goal was to turn a process that took years to integrate into minutes; try it for yourself and tell us how you think we did!
What’s next?
We have big plans for 2017 to get FOSSA’s features available to the broader community in creative ways. We’ve already partnered with great organizations in open source like npm, Sourcegraph, the Linux Foundation and more to bring free, awesome integrations to popular existing tools!
We believe FOSSA fills a gap in every software company’s toolkit which is only widening as we become more dependent on open source. The universe of problems around what goes into our code is immense, and we want our customers to bring in a solution that will continue to grow.
From here I encourage you to join our beta, read about our customers, test out a partner integration or show us some love on HackerNews or ProductHunt.
Thanks for reading—and I can’t wait to hear about what you discover in your code!
Follow us to stay in touch,
Kevin
A special thanks to our customers, team and friends of FOSSA.
If you work closely with code analysis, build systems or open source — we need your help! Email kevin@fossa.io. In return, we guarantee late nights filled with deeply satisfying technical problems; the type to haunt your dreams, tell your friends about and make your morning Cheerios look like nodes in dependency graphs.