No one ever became a programmer so they could manage open-source licenses. But that's what many developers must do these days. Black Duck Software[1], the open-source software logistics and legal solutions provider, and North Bridge[2] found in 2015 that 66 percent of companies create open-source software[3]. That's great, but all that code comes with a wide variety of licenses, each with its own set of requirements. What's a developer or company to do?
There have long been corporate programs, such as those from Black Duck Software, White Source Software[4], and Sonatype[5], which provide code scanning and open-source licensing management. This isn't a small job. According to Sonatype, the average application contains 106 open-source components.
Kevin Wang, CEO of FOSSA[6], has a different approach. The 22-year-old founder told me at Open Source Leadership Summit[7] in Sonoma, CA: "Code scanning is not enough anymore. FOSSA's approach to dependency scanning leverages both static and dynamic code analysis. Dynamic analysis allows FOSSA to get an accurate, live view of what dependencies are pulled into builds. Static analysis supplements the results with metadata on how dependencies are included to power deep intelligence features and recommendation engines. Both these approaches are used to build the most accurate, performant, and intelligent infrastructure for managing your open source."
That's all well and good, but by open-sourcing its dependency analysis infrastructure[8], the company is taking an interesting step forward. FOSSA is using open source to automatically manage open-source licensing. I like this plan.
The program supports over 15 languages and environments[9]. These include JavaScript, Java, Ruby, Golang, and PHP. FOSSA today is a web service, written in Go, that