Using FOSSA for License Compliance

Technical leaders are often caught by surprise during diligence on a round or exit: the list of asks is long, daunting, and seemingly designed to slow down the process. There's one diligence ask that I have seen derail rounds and exits, and it's not nearly as hard to manage as it may seem, thanks to the developer tool FOSSA.

Projects are usually littered with code from many sources. From importing via a package manager to copying and pasting from Stack Overflow (a very risky practice, as establishing a chain of ownership is nearly impossible), developers add dependencies in a variety of ways.

For an acquirer or a venture capitalist, this is problematic. As an example: Facebook's original license for React included a reasonable IP assignment that could theoretically prevent a company from suing Facebook for anything related to patents (they have since re-licensed it under MIT). For a startup, this is a fair trade-off: the likelihood of ever engaging with Facebook on a legal scale is low, while the velocity gained from using React is high.

Even something as common as a package licensed under certain GPL versions means an unacceptable risk for corporate compliance teams.

Historically, this meant an all-hands effort going through the code base, refactoring where code authorship can't be established, or hiring an external consulting firm to do it for a substantial amount of money. Over my last exit (and our Series A financing here at PullRequest), I found a better approach with much less friction.

Step 1) Sign Up for FOSSA

GitHub, Bitbucket, and GitLab integrations are available, as well as manually uploading an archive of your project if you host your code elsewhere. Make sure to pick whether you're distributing code or offering a web service, as FOSSA uses that choice to suggest a sane set of rules to check within your project.

[Screenshot: fossa-step-1.png]

Step 2) Run Your Code Through FOSSA

Wait for the inspectors to run; a successful run will be pinned to the branch of the project, or to the version you have manually uploaded.

[Screenshot: fossa-step-2.png]

Step 3) Generate A Report

A list of compatible dependencies, incompatible dependencies, and action items for adherence will appear. Most legal firms will want PDFs of these pages; they are helpfully print-formatted and make an excellent combined file when complete.

[Screenshot: fossa-step-3.png]

That’s all there is to it. While this won’t completely replace a strict monitoring of your development team for bad behaviors (for instance, copying and pasting the entirety of a Stack Overflow answer), it will save you a ton of time during diligence.

At PullRequest, we recommend making this part of your workflow. We attach the resulting badges to each of our repositories so that we know if we've introduced something that's incompatible with our targeted policy.

Here's an example license badge for one of my open source projects (a PHP wrapper for the background search service Checkr):

[FOSSA Status badge]

About PullRequest

HackerOne PullRequest is a platform for code review, built for teams of all sizes. We have a network of expert engineers enhanced by AI, to help you ship secure code, faster.


by Lyal Avery

August 9, 2018