SBOM Starter Kit: Get Your Copy
Before raising a major new round of funding, leading AI solutions provider Groq went through a comprehensive due diligence process. Its prospective investor brought eight lawyers and made a non-negotiable request: Provide a comprehensive, accurate open source inventory and license list — and demonstrate compliance with the requirements of those licenses — or risk delaying or even jeopardizing the fundraising round.
“The due diligence process for fundraising is not inconsequential,” says Groq Patent Counsel Craig Shinners. “It can be a fairly heavy lift. Especially investors that have been through a lot of software projects before know that open source is a big issue; it can be a real sore spot if the fundraising company doesn't take care of their process and procedures."
But thanks to Shinners, Consulting Patent Agent Bruce Busby, and the rest of Groq’s legal team, Groq very much had its house in order. The company implemented FOSSA’s open source management platform well in advance of the audit, so it had an up-to-date software bill of materials (SBOM), including open source components, licensing information, and proof of compliance.
Additionally, because Groq had created and implemented rules in FOSSA that prevented copyleft licenses from being used in distributed products — a top priority for the prospective investor — Groq didn’t have to unwind and rebuild any applications.
"I have experience in other due diligence matters where we pulled in legacy tools that were like a big beast,” Shinners says. “In order to run a scan with those tools, it took multiple engineers multiple days — a solid week — and, in some of those situations, they shut down the build process. And what you get back is a massive amount of data that was undecipherable to the casual reviewer.”
"But with FOSSA, it was seamless. It was fast. It was efficient. It was easy to get set up; we got the tool integrated into our build pipeline, with really no disruption ever. And the user interface is really nice, so the scan results are easy to understand."
-Craig Shinners, Patent Counsel, Groq
Like you might expect from an organization on the AI frontier, building solutions that deliver real-time AI and HPC (high-performance computing), Groq uses a large volume of open source software to fuel product development.
Before it started distributing applications (open source licensing requirements generally kick in on distribution), the company tracked its open source usage manually, through spreadsheets. Shinners and Busby knew that needed to change once the company started shipping software.
But there were several complexities in Groq’s search for the right open source management tool. For one, Groq has a non-standard build environment, meaning integration was a concern. Additionally, since it does business with federal government customers, scan accuracy and audit-grade reporting were must-haves. Finally, Groq wanted to purchase from a vendor with an established track record — but not one with so much bureaucracy that customers couldn’t get support.
In FOSSA, Groq found a platform that checked all the boxes.
“FOSSA has a good database of open source licenses and the scanning engine to detect them while meeting our security concerns about keeping our code base secure. It also has a vulnerability database and a skilled support team willing to work with our build team,” Shinners says.
This all came in handy at due diligence time.
In the period after implementing FOSSA (but before due diligence), Groq conducted several license scans to identify and resolve any conflicts. For unusual cases — such as when a scan detected reference to GPL v3, but the license was merely mentioned in the documentation — Groq used FOSSA’s Issue Resolution Notes to memorialize the context. Groq was able to easily reference these details when the matter came up during due diligence.
FOSSA also helped Groq handle a last-minute request to scan a repo not in the initial diligence scope.
“In our due diligence matter, we ended up needing to scan another repo that had never been scanned before,” Shinners says. “And, boom, FOSSA came in. We set it up for the other entity, and we scanned the repo and got the answers. We were like, ‘Hey, this is great stuff!"
-Craig Shinners, Patent Counsel, Groq
Although due diligence has been one of Groq’s biggest open source management wins, it’s far from the only one. The company reaps ongoing benefits from having the right tools and processes in place to reduce open source-related risks.
That starts with having a system for creating and implementing license compliance policies. While some organizations require engineers to consult spreadsheets with approved licenses before pulling in open source libraries, Groq builds its list directly in the FOSSA product. Then, each time a developer checks in new code, a scan is automatically triggered.
If the developer uses an open source component under a license that’s on Groq’s flag or deny list, they’ll receive a Slack notification with context to help address the issue.
Additionally, Groq doesn’t require developers to spend long hours assembling license attribution reports. Instead, FOSSA does it automatically for them.
These developer-preferred workflows — supported by Shinners, Busby, and the rest of Groq’s legal team — have helped build a culture of compliance throughout the organization.
“Our developers realized that we were watching out for their back side in the compliance process,” Busby says. “And, as a result, we now have people asking us questions in advance of trying to shove something into the build pipe. It has raised awareness among our software staff to have somebody take a look before you jump, and that I think is of immense value."
Groq also uses FOSSA’s vulnerability management product to stay on top of security issues. This includes identifying and addressing known vulnerabilities — FOSSA flags issues and provides remediation guidance, including partial and complete fixes. It also extends to identifying components without known vulnerabilities but with indicators of risk, such as outdated and stale packages.
“FOSSA helps us find when packages get old and haven't been updated in a timely fashion,” Shinners says. “We can then ping the right people and let them know we need to update to a newer version. It does a lot to help mitigate our potential exposure because we're taking a proactive approach.”
All told, between license compliance, security, and reporting, Groq has a strong foundation in place to continue to use open source efficiently and safely. And, the company has peace of mind knowing they’ll be ready for their next due diligence event, whenever it may be.
“FOSSA made it easy for us to navigate a complex due diligence process, and it’s given us peace of mind that we have control over our open source,” Busby says. “We’re comfortable relying on this tool to help us with license compliance, security, SBOMs, and audits moving forward.”
Groq is a registered trademark of Groq, Inc. and is used with permission.