Reliability and Autonomy in Open Source License Certification


The JS Foundation — home of 28 projects including ESLint, Lodash, jQuery, Mocha, webpack, and more — supports the critical infrastructure that runs 75% of the world's top one million websites. By creating a center of gravity for the open source JavaScript ecosystem, the JS Foundation’s mission is to drive broad adoption and continued development of key JavaScript solutions and related technologies.

The Challenge

A unique feature of the JavaScript ecosystem is its liberal culture of code-sharing. Even small JavaScript projects are notorious for pulling in thousands of third-party dependencies.

"It’s impossible to manually keep track of JavaScript dependencies. Open source software is now a huge part of business."

One of the main services the JS Foundation provides is legal oversight for its projects. Nearly every web business depends on open source JavaScript libraries, and the JS Foundation must ensure that this infrastructure is safe. “We want to make sure we are protecting our projects from a legal standpoint. There are so many dependencies to review even within one project, let alone 28 of them. We cannot afford to pay a lawyer to go through every single dependency across every project.”

Compliance certification is critical. “If we’re not doing our due diligence to assure the users of our projects are safe, there’s potential for major business risk.” If an issue were to slip through the cracks, millions of users could be impacted. With the JS Foundation housing the web’s critical supply chain, the long-term sustainability of the JavaScript ecosystem hinges on its success.

The Solution

The JS Foundation needed a reliable, trustworthy, and automated way to monitor, manage, and maintain license compliance and dependency tracking across its major projects while also allowing each project to maintain its autonomy.

FOSSA works on a continuous basis, scanning all source files in a project and its dependencies for license violations. It fully integrates with the development workflow, automatically triggering Slack notifications, blocking pull requests that bring in dependencies with incompatible licenses, and generating attribution reports with raw copyright headers to certify releases against compliance standards. FOSSA makes compliance automated and easy for developer teams to scale.

Real results surfaced within minutes of the initial evaluation, which established trust early on and was a key factor during the selection process. FOSSA’s ability to integrate seamlessly into the developer workflow also made it the clear choice. “The ability for developers to adopt it naturally and choose it as part of a toolchain is awesome. We can easily enforce policies, increasing our visibility across all projects.”

Kris spearheaded the FOSSA deployment and chose to start with basic license checks across the main group of repositories for its major projects. The first step was to identify a project maintainer for each project to be set up with a FOSSA account. Following the account setup, each project maintainer was given the ability to enable per-commit scanning, integrations with their CI systems, or even pull request comments that run potential contributions against licensing standards. From start to finish, the initial deployment was kicked off in minutes, with a full deployment rolled out organically within the week.

Deployment summary:

  • 24 license-certified projects and active teams
  • Over 2000 components actively tracked, scanned, and analyzed
  • Release badges and certifications across public-facing homepages and documentation

"We found real results with FOSSA quickly. There was one instance where we found misleading metadata that looked like GPL code. Because the issue was flagged, we were able to get way ahead of the issue."

The Results

Implementing FOSSA lessened the burden of manual tracking across both legal and development teams through automated and continuous license compliance scanning. More importantly, FOSSA certifications were proven to run with audit-grade detail, and have instilled a sense of trust that real issues are being tracked, monitored, and flagged.

"Knowing FOSSA is protecting our projects has been the biggest value to us. It would otherwise take hundreds of man-hours to comb through every dependency across every project."

The JS Foundation will continue to recommend FOSSA for license compliance and dependency tracking as new projects and project leaders are onboarded. According to Kris, “Every open source organization should implement license and dependency tracking. Based on our experience, we would recommend FOSSA to organizations that have large projects or lots of ongoing projects. And especially if you’re using JavaScript.”

"If I’m a business and see a FOSSA badge, it’s a huge plus for ensuring license compliance certification."