Kevin Wang and his team at FOSSA have carved out a niche for themselves in the open source product space with the launch of their license compliance and dependency analysis tool. The company announced a $2.2 million seed round this week after completing a year-long private beta period with Fortune 500 companies. FOSSA continuously scans dependencies and offers reports at each commit to help companies meet the legal obligations of compliance as they are incorporating open source libraries.
The public beta is now free and open to anyone, offering support for up to 5 public/private repos and scanning three levels deep with open source reports. A $499/repo per month commercial option is also available with unlimited scan depth and customizable open source reports.
“It’s mind-boggling that in 2017, software companies don’t really know what’s in their code,” Wang said. “90% of it now comes from third parties like open source (OSS) codebases. Although it sounds trivial, it’s actually really difficult to keep track of what your developers use. Most of this code isn’t explicitly included — instead it’s brought in automatically by complex tool behavior or one of the million ways developers casually share code.”
FOSSA can detect license and policy violations and unlicensed dependencies before an expensive mistake is fully integrated into a project. The real-time feedback forces developers to consider how they are using the libraries they are building into their software.
Competitors like WhiteSource and Black Duck Software, which offer open source risk management tools, detect and display licenses for components and dependencies for applications but seem more focused on bugs and vulnerability reporting. FOSSA is solely focused on OSS license compliance and automating disclosure and attribution.
Compliance is becoming increasingly difficult as developers can easily execute a few commands and import dozens of npm modules that inherit licensing obligations from a myriad of different sources. Even governments and large companies with plenty of resources struggle to keep track of all the open source requirements of the software they are using.
In 2013, Healthcare.gov violated an open source license when it used the DataTables jQuery plugin without the required attribution. Last year, Google was embroiled in a court battle with Oracle over the use of Java in Android.
A tool like FOSSA could have helped Wix catch its violation of the GPL in 2016 when the company used GPL-licensed code from the WordPress mobile app and distributed it in its proprietary app. FOSSA aims to catch licensing issues before they become expensive problems for developers to rework and lawyers to settle.
A few years before beginning work on FOSSA, Wang built tl;drLegal, a site that explains software licenses in plain English. The free resource received backing from the Open Source Initiative and has been used by more than a million developers. Wang said he “sees FOSSA as an attempt to tackle similar problems in a commercial scenario.”
FOSSA will be expanding its pricing options later this year. At the moment, the free beta and the $499/month commercial options leave a gaping hole that excludes smaller organizations. Wang replied to pricing questions on ProductHunt, saying that they are targeting enterprise customers first but plan to introduce more options for small teams and individuals.