A private artifact repository is a centralized store for the open source packages your developers are allowed to pull from, which helps reduce risk and standardize open source usage across teams. While private artifact repositories are useful for collaboration and convenience, they have a few limitations you should watch out for when it comes to ensuring open source license compliance.
3 Things to Watch Out for with a Private Artifact Repository
1. Developers Can Bypass Your Repository
Configuring a repository does not guarantee that all of your dependencies will be hosted in and sourced from it. Developers often find it necessary to bypass the repository and retrieve packages directly from the internet or other sources. They do this because the packages in the repository can be outdated, and pulling the component directly gives them the most recent version with the features they need. For example, teams building apps routinely use packages that were never added to the repository.
2. Incomplete Coverage
With a private artifact repository, you will usually detect open source licenses only when the license files are included alongside the package in the repository. If the license or copyright notices are embedded in the source code itself (in file headers, for instance), they are most likely going to be missed. Missed licenses and copyrights can lead to lawsuits and loss of trust from the open source community. Only a full source code scan across your existing codebase and all of its dependencies can identify the complete set of OSS licenses. Furthermore, because developers sometimes work around the repository to get the most recent version of a package, a full source code scan is also the only way to identify every open source component actually in use.
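To make the coverage gap concrete, here is an added example (not FOSSA's scanner or any code from the original post) that compares a LICENSE-file-only check with a scan of every source file for SPDX identifiers, license text and copyright lines. The project tree is constructed in memory for the example; in practice you would walk a real checkout.

```python
import re

# Constructed sample tree: path -> file content. Only libalpha ships a LICENSE
# file; libbeta and libgamma declare their license only in source headers.
SAMPLE_TREE = {
    "vendor/libalpha/LICENSE": "MIT License\n\nCopyright (c) 2019 Alpha Authors\n",
    "vendor/libalpha/alpha.c": "int alpha(void) { return 1; }\n",
    "vendor/libbeta/beta.c": (
        "/* SPDX-License-Identifier: GPL-2.0-only */\n"
        "/* Copyright (C) 2017 Beta Project Contributors */\n"
        "int beta(void) { return 2; }\n"
    ),
    "vendor/libgamma/gamma.py": (
        "# Copyright 2021 Gamma Maintainers\n"
        "# Licensed under the Apache License, Version 2.0\n"
        "def gamma(): return 3\n"
    ),
}

LICENSE_FILES = {"LICENSE", "LICENSE.txt", "LICENSE.md", "COPYING"}
SPDX_RE = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+-]+)")
# Loose patterns for license text that carries no SPDX tag (extend as needed).
TEXT_RE = {
    "MIT": re.compile(r"\bMIT License\b", re.I),
    "Apache-2.0": re.compile(r"Apache License,? Version 2\.0", re.I),
}
COPYRIGHT_RE = re.compile(r"Copyright\s*(?:\(c\)|©)?\s*\d{4}[^\n*]*", re.I)

def detect_licenses(text):
    """Return the set of license ids found in one file's text."""
    found = set(SPDX_RE.findall(text))
    found.update(lid for lid, pat in TEXT_RE.items() if pat.search(text))
    return found

def license_file_only_scan(tree):
    """What a repository that only inspects LICENSE-style files would report."""
    return {path: detect_licenses(text) for path, text in tree.items()
            if path.rsplit("/", 1)[-1] in LICENSE_FILES}

def full_source_scan(tree):
    """Scan every file for embedded license ids and copyright notices."""
    report = {}
    for path, text in tree.items():
        licenses = detect_licenses(text)
        copyrights = [m.group(0).strip() for m in COPYRIGHT_RE.finditer(text)]
        if licenses or copyrights:
            report[path] = {"licenses": licenses, "copyrights": copyrights}
    return report

def missed_by_license_files(tree):
    """Component directories the LICENSE-file-only approach would miss."""
    seen = {p.rsplit("/", 1)[0] for p in license_file_only_scan(tree)}
    return sorted({p.rsplit("/", 1)[0] for p in full_source_scan(tree)} - seen)
```

Running `missed_by_license_files(SAMPLE_TREE)` shows that two of the three components, including a GPL-2.0-only one, are invisible to the LICENSE-file-only check.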
3. Non-Automated Workflow
Even once you have identified all of your dependencies, it still takes considerable time and effort to review them and decide whether each one may be used in your software. You still need to gather the details of every dependency, organize the attribution data, interpret the license, and determine the compliance rules that apply. This process usually takes days or weeks to complete, and sometimes requires a code freeze while the audit is underway. When developers and legal teams have to review every dependency by hand, they are pulled away from key, revenue-generating initiatives. This time-consuming process can delay releases, reduce productivity, and create friction between your legal and engineering teams. Automating the workflow removes that burden and lets engineers work efficiently without pausing to check each dependency by hand.
FOSSA was built to eliminate these three pain points. Our dependency discovery agent automates the discovery of license and copyright notices along with the other relevant component information. We apply customizable policies that automate most of the compliance decisions for you. Most importantly, we integrate with your existing developer ecosystem to eliminate friction while streamlining the interaction between your engineering, open source review, and legal teams.