Our primary use case was for the license compliance. We were doing all the open-source scanning in our CI build using FOSSA. So we would use it, have a step where FOSSA would be installed, and it would scan all the open-source libraries that were being used and then report back on what those licenses were. Then that would match up with policies that we had preset in the FOSSA UI and let us know if there are any license violations with our use of open-source.
Prior to FOSSA, we were really struggling to get priority using FOSSA to get open-source set up on a repository. We were actually using Flexera before we came to process and we would run a scan on one of our repos and get around 10,000 results and I'm one person and this is a tiny fraction of my job. I didn't know how I was ever going to get through all those results and once I saw what FOSSA could do, we were up and running on a lot more repos much more quickly with FOSSA. It wasn't giving us tons of false positives, FOSSA was just giving us what we cared about. We had presets and it was matching against policies. That was a big thing.
FOSSA provides functionality that allowed you to do public reports as the dependencies you use. So if you were doing attribution for a mobile app, for example, you could iframe FOSSA's report of all the dependencies and use that as the attribution that they require for a mobile app or other distributed software. That was really nice. That was a functionality that put them ahead at the time. Prior to using FOSSA, we would run these scans and we had figured out the tendencies and then I had the engineers implement it in the mobile app with all the lists of all the attributions we needed. If something changed, I would have to have the engineers redo it, whereas with FOSSA, since those reports were constantly being generated every time CI build was run, then that list was always up to date. I didn't have to worry about the engineers updating it or keeping it current if something changed. That was a really nice functionality I liked.
FOSSA provided us with contextualized, easily actionable intelligence that alerted us to compliance issues. I could tell FOSSA exactly what I cared about and they would tell me when something was out of policy. I don't want to hear from the compliance tool unless I have an issue that I need to deal with. That was what was great about FOSSA. It was basically "Here's my policy and only send me an alert if there's something without a policy." I thought that it was really good at doing that.
As soon as I got an alert from FOSSA, I could reach out to the engineers who were working or owned that repo and say FOSSA's telling me that we're using this dependency that's out of our policy or if they can't find a license for the dependency or whatever it was, and it would tell me exactly what the issue was. There's no license on this dependency and then I could just tell them exactly what the issue was. They could look into it and say, "Oh, actually there is a license. For some reason FOSSA wasn't picking it up." Or, maybe the projects dual licensed and FOSSA thought it was GTL, but it's actually GPL and it would be a fee.
I felt that FOSSA told me exactly when there was an issue, what the issue was and then I could work with the engineers to easily figure out if there truly was an issue that needed remediation, or if it was some sort of course in-process tool. The other thing that was helpful is that a lot of times people will come and say "Send me a list. What are all the dependencies that we use on this project?" I could easily generate those reports in FOSSA. I could go in and see where all the dependencies are and if it was a transitive or direct dependency. That's all really nicely done in FOSSA's UI. For open-source license compliance, FOSSA had the nicest UI of any of the products that I looked at. We tried a few. For me on the legal team, that was really what I cared about.
I would describe FOSSA as being holistic in that it helps us work with both legal teams and DevOps. Our engineers found it easy enough to use. I think a lot of engineers are willing to follow a policy but they're not really interested in being in charge of managing it. They like the fact that they could easily get in the tool and see if there was an issue and that they didn't have to do a lot of tinkering with it to keep it running. That was probably their favorite part about it was that it was easy enough for them to use and help me out, but didn't require a lot of work on their part.
It enabled us to deploy software at scale. It's a huge company. We could keep doing what we were doing and feel that we were in compliance with all of our open-source obligations.
FOSSA also decreased the time our staff spent on troubleshooting. It helped us save time with staying on top of open-source license compliance. Once it was set up, it kind of ran itself. It only reached out to me with an issue when it thought there was one.
I would say it probably saved me on average five or six hours a week. It's allowed me to only spend a few hours a week doing things related to open source license compliance, which I thought was great.