How to Choose an Open Source Software License Compliance Tool

Nearly every major organization in every industry uses open source software (OSS) to help drive application development, and for good reason. OSS is free to use, often backed by a community of committed developers, and enables companies to tap into the newest technologies.

In exchange for reaping these numerous benefits, OSS users are asked to do one important — yet, sometimes very challenging — thing: Comply with open source license requirements.

While organizations once fulfilled these obligations via manual and time-consuming processes (i.e., lots of Excel spreadsheets), the explosive growth in OSS has prompted users to embrace automation. But, while there is no shortage of open source compliance tools on the market today, there's a big difference between those that provide basic and insufficient scanning capabilities and those that truly enable continuous compliance.

So, as you embark on your search for a new compliance tool, keep these five requirements in mind.

1. Delivers Comprehensive and Accurate Scanning

The first step to ensuring compliance with open source licensing requirements is gaining the full view of your open source components. A tool should reveal dependency names and versions, copyright information, and the file where found. A truly comprehensive scan will also surface hard-to-find information like deep dependencies, inclusion paths (dependency trees), and both declared and embedded licenses.

Of course, this data must also be accurate — a scan that produces false-positives can cause compliance teams major heartburn.

2. Enables Automation and Scale

Comprehensive and accurate scanning are vital ingredients in any effective open source software compliance tool, but equally critical is the ability to scale and automate policy creation and enforcement. This goes a long way toward ensuring compliance won’t become a bottleneck for development velocity. Consider prioritizing these four features as you evaluate whether your compliance tool qualifies as a policy engine.

Ready out-of-the-box: Compliance tools should come with pre-built options so organizations can quickly get up and running. Ideally, compliance tool vendors should develop these out-of-box options in partnership with OSS legal experts to ensure effectiveness. For example, FOSSA worked with Heather Meeker and Mark Radcliffe, two of the world's foremost OSS compliance experts, to create our pre-built policy options.

Customizable: Teams that want to draft their own policies governing OSS compliance should be able to do so with ease. Look for an intuitive user interface (perhaps even drag-and-drop) that makes it easy for teams to set rules that fit their needs. Additionally, the policy engine should enable organizations to create different policies for different products, projects, teams, and repositories.

Context: The policy engine should enable organizations to go a step beyond simple go or no-go flags. It should also allow users to create context-aware policy rules such as those based on linkage criteria, source, and modifications.

Automation: OSS compliance solutions that offer automation wherever possible go a long way toward helping users save time and ensure continuous compliance. For example, features like auto-approving "green" licenses can reduce the workload on compliance teams, and the option to block builds containing red/yellow licenses can help engineering avoid a lot of pain down the road.

3. Integrates with Existing Processes

Although compliance/legal teams are often tasked with managing an organization's OSS compliance program, they can't do it alone. DevOps and engineering teams also play a vital role, which is why it's so important that an open source compliance tool facilitates collaboration. In practical terms, this means the tool should seamlessly integrate with your software development practices. For example, open source software compliance tools should:

  • Support a broad range of programming languages and ecosystems
  • Integrate directly into all CI/CD pipelines
  • Enable engineers to make fixes in their native environments such as Jira, Slack, or Confluence.

4. Supports Issue Management

License compliance is important for any organization that uses open source software, but it's rare that companies have large teams dedicated to it. So, a compliance tool that helps users save time and prioritize fixes can add major value. Solutions that include relevant context for issue resolution — such as the code that triggered the flag, access to the dependency code, and other important information about the component — are particularly useful in expediting the remediation process.

Other helpful features include:

  • Multiple paths to resolution: For example, both manual and ignore-with-reason.
  • Adaptive memory: In other words, a solution that can handle manually resolved issues automatically in future scans.

5. Facilitates Audit-Grade Reporting

It's not only important for an open source software compliance tool to help organizations meet licensing obligations. It's also vital that the tool helps actually prove compliance. Reporting is particularly important for companies as part of  technical due diligence (before an IPO, M&A, or the like), but it’s relevant for all OSS users.

Your compliance tool should help you automate this final stage, especially when it comes to generating the bill of materials or open source license notices. Here are some of the must-haves for truly audit-grade reporting.

  • Reports should be updated continuously
  • Format, data, and delivery method should be customizable
  • You should be able to embed reports in your website/user manual
  • You should be able to report at product and organization levels
  • The tool should help you identify packages you need to publish

Open Source Compliance Tools: The Bottom Line

Given the volume of open source software most companies use today, compliance tools have never been more important. As you embark on your evaluation of the many OSS compliance solutions on the market today, we hope the above recommendations will serve as a good starting point. For additional guidance on selecting a best-in-class OSS compliance solution, check out our handy checklist.


Download: Checklist: Evaluating Compliance Technology