Featuring: Kris Borchers, Executive Director
The JS Foundation (home of ESLint, jQuery, Mocha, webpack and more) supports the critical infrastructure that runs 75% of the top one million websites in the world.
We aim to be the driving force for application developers in the standards of the language that runs the web.
The JS Foundation needed a reliable, trusted and automated way to monitor, manage and maintain license compliance / dependency tracking across the JSF’s major projects that would also allow each project to maintain its autonomy.
FOSSA works on a continuous basis, scanning all source files in a project and its dependencies for license violations. It integrates with the development workflow: automatically triggering Slack notifications, blocking Pull Requests that bring in dependencies with incompatible licenses, and generating attribution reports with raw copyright headers to certify releases against compliance standards. FOSSA makes compliance easy and automated for developer teams to scale.
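To make the kind of check described above concrete, here is an added example (not FOSSA's own code) of a minimal dependency license gate as a CI job or pull-request check might run it. It reads declared licenses from package manifests, compares them against an allow/deny policy, and also catches the case of a permissive license field sitting on top of a GPL notice; the package list, the policy lists and the GPL text pattern are all constructed for this example.

```javascript
// Added example, not FOSSA's code: a minimal dependency license policy gate.
// Input is a constructed list of package manifests; a real run would read
// node_modules/*/package.json and the shipped LICENSE files.
const POLICY = {
  allow: new Set(["MIT", "ISC", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"]),
  deny: new Set(["GPL-2.0", "GPL-3.0", "AGPL-3.0"]),
};
// npm manifests declare licenses three ways: an SPDX string, a legacy
// {type, url} object, or a legacy array of such objects. Normalize to a list.
function declaredLicenses(manifest) {
  const field = manifest.license ?? manifest.licenses;
  if (!field) return [];
  const list = Array.isArray(field) ? field : [field];
  return list.map((l) => (typeof l === "string" ? l : l.type)).filter(Boolean);
}
// Crude check for the "misleading metadata" case: the manifest claims a
// permissive license but the shipped license text is a GPL notice.
const GPL_TEXT = /GNU (AFFERO )?GENERAL PUBLIC LICEN[SC]E/i;
function checkPackage(manifest, policy = POLICY) {
  const ids = declaredLicenses(manifest);
  const findings = [];
  if (ids.length === 0) findings.push("no license declared");
  for (const id of ids) {
    if (policy.deny.has(id)) findings.push(`denied license ${id}`);
    else if (!policy.allow.has(id)) findings.push(`unreviewed license ${id}`);
  }
  const permissive = ids.some((id) => policy.allow.has(id));
  if (permissive && GPL_TEXT.test(manifest.licenseText ?? "")) {
    findings.push("metadata mismatch: declared permissive, text reads as GPL");
  }
  return findings.map((f) => `${manifest.name}@${manifest.version}: ${f}`);
}
// Run over every dependency; a non-empty result should fail the CI job
// (exit non-zero) so the pull request is blocked until reviewed.
function checkDependencies(manifests, policy = POLICY) {
  return manifests.flatMap((m) => checkPackage(m, policy));
}
// Constructed sample manifests for a stand-alone run.
const SAMPLE = [
  { name: "left-pad", version: "1.3.0", license: "MIT", licenseText: "MIT License ..." },
  { name: "old-lib", version: "0.1.0", licenses: [{ type: "BSD-3-Clause", url: "" }] },
  { name: "copyleft-util", version: "2.0.0", license: "GPL-3.0" },
  { name: "mislabelled", version: "4.2.0", license: "MIT",
    licenseText: "GNU GENERAL PUBLIC LICENSE Version 2, June 1991" },
  { name: "no-license", version: "0.0.1" },
];
```

Running `checkDependencies(SAMPLE)` yields three findings (the denied GPL package, the mislabelled package and the package with no declared license); the two permissive packages pass.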
Real results surfaced within minutes of the initial evaluation, which established trust early on and was a key factor during the selection process. FOSSA’s ability to integrate seamlessly into the developer workflow also made it the clear choice. “The ability for developers to adopt it naturally and choose it as part of a toolchain is awesome. We can enforce JSF policies in the same place too which is great for increasing our visibility across all projects.”
Kris spearheaded the FOSSA deployment and chose to start with basic license checks across the main group of repositories for its major projects. The first step was to identify a project maintainer for each project to be set up with a FOSSA account. Following the account set-up, each project maintainer was given the ability to enable per-commit scanning, integrations with their CI systems, or even Pull Request comments that run potential contributions against licensing standards. The initial deployment was kicked off in minutes, with a full deployment rolled out organically within the week.
Deployment Summary To-Date:
- 24 license-certified projects and active teams
- Over 2000 components actively tracked, scanned and analyzed
- Release badges and certifications rolled out across public-facing homepages / documentation
We found real results with FOSSA quickly. For example, there was one instance where we found misleading metadata which looked like GPL code. Because the issue was flagged, we were able to get ahead of it and resolve the issue before it turned into anything major.
Implementing FOSSA lessened the burden of manual tracking across both Legal and Development teams through automated and continuous license compliance scanning. More importantly, FOSSA certifications were proven to run with audit-grade detail, and have therefore instilled a sense of trust that real issues are being tracked, monitored and flagged.
Knowing FOSSA is protecting our projects has been the biggest value to us. It would take hundreds of man hours to comb through every dependency across every project.
FOSSA was built by developers for developers, ensuring a developer-friendly environment that has led to organic adoption across the JS Foundation, and is currently running on 24 of its 28 projects. “We’ve had a great experience using FOSSA and have increased visibility across multiple projects. As a result, we’ve discovered potential issues that our project leaders and development teams have been able to get ahead of and correct. Knowing and understanding the circumstances of what FOSSA has found has instilled a lot of trust and is why FOSSA has become the baseline license compliance certification provider for the JS Foundation.”
The JS Foundation will continue to recommend FOSSA for license compliance and dependency tracking across the JSF as new projects and project leaders are on-boarded. According to Kris: