
The Power of Automation: How Puppet Saves Hundreds of Hours a Year on Open Source Compliance

Puppet, a global leader in IT automation, has been a staunch supporter of open source software since day one. It not only contributes to several open source projects (like Ruby, Visual Studio Code, and Leiningen), but it has also open sourced a version of its automation tool for the world to use. Additionally, Puppet leverages numerous open source libraries in its paid offering, Puppet Enterprise.

Puppet’s commitment to being good stewards of open source extends to the way it approaches license compliance. The organization follows detailed policies to ensure its products continuously comply with licensing requirements.

Unfortunately, the process of actually applying those policies used to be quite challenging. Puppet had to devote 2-3 weeks of dedicated engineering time to review potential open source license compliance violations before each new release. 

“None of the engineers who had to do the manual license review work wanted to be doing it,” recalls Principal Release Engineer Eric Griswold. “We all hated it. So if there was a tool to take care of it, we were all saying, ‘Yes, let’s get that.’”

In FOSSA, Puppet found just that tool. FOSSA is a software composition analysis solution that automates compliance workflows, accelerates remediation, and saves massive amounts of time across multiple teams. In Puppet’s case, the time savings amounted to a reduction of more than 99% in engineering hours spent on compliance.

“With FOSSA, our license compliance review takes 5-10 minutes. We’re extremely happy with the results.”

Eric Griswold, Principal Release Engineer

Embracing Automation

Before implementing FOSSA, Puppet’s engineering team struggled through a “slow, onerous, and time-consuming” manual license compliance process, Griswold says.

Prior to each Puppet Enterprise release, the developer responsible for conducting compliance checks would manually open all tarballs and review every file inside. The objective was to understand licensing obligations for each open source component — including dependency trees. 

“If you’re looking at a post-production tarball, the relationship to the source code isn’t necessarily obvious,” Griswold says. “Getting back to the source code to discover the licensing takes time.”

“We had to go through and look at each one to see how it had changed from the previous version and see if we’d need to investigate any change of license in each one of those.”

After learning of FOSSA as a potential solution, Griswold put the tool through a rigorous evaluation to determine whether it would do the job. FOSSA passed the test with flying colors. 

“I pointed FOSSA at all our source code repos and set up a Jenkins job to do the daily analysis of all the source code and all the deep dependencies in the source code,” Griswold says. “It started spitting out verifiably accurate information. That’s when we said, ‘Hey, this will save us 2.5 weeks of engineering effort when we do a release.’”

“Everyone seemed to like that idea.”

Simple, Speedy Implementation

Adding new tools to an organization’s tech stack can be complicated, time-consuming, and frustrating. Fortunately, Griswold and Puppet enjoyed a seamless implementation with FOSSA.

“The initial setup was extremely straightforward,” Griswold says. “From licensing it until bringing it into production on a day-to-day basis, it took about a day and a half.”

FOSSA’s pre-built policy options, which were developed in consultation with OSS compliance experts Heather Meeker and Mark Radcliffe, were a big reason why. Griswold was able to easily merge Puppet’s existing compliance policies with FOSSA’s out-of-box options.

“FOSSA’s policy engine is easy to use and makes sense,” Griswold says. “It works extremely well.”

“When we were doing compliance manually, we had guidance from our legal team about which licenses we did and did not want. When I got FOSSA set up, I made a copy of one of FOSSA’s pre-built options and a copy of our existing rules and spent 1.5 or 2 hours merging them, and we’ve been running with that since. Our legal folks seem happy with it.”

Puppet’s engineering team feels similarly. In addition to reaping significant benefits from the power of FOSSA’s automation, the team appreciates the fact that FOSSA supports a broad range of programming languages.

“Most of our code is in Clojure and in Ruby and all the things that we want FOSSA to do there are great,” Griswold says.

Compliance with Confidence

Like many modern software applications, Puppet Enterprise is built with both closed and open source components. Griswold estimates that Puppet Enterprise includes roughly 90 open source packages, many of which are under constant development.

Since Puppet Enterprise combines proprietary and open source code, the chief concern is avoiding libraries licensed under GPLv3 or other strong copyleft licenses. Distributing a product that incorporates such a component can obligate Puppet to release the corresponding source code of the whole product under the same license terms, and that obligation is triggered by distribution of the combined work, not only by modifying the library.

FOSSA gives Griswold and his team peace of mind that they won’t find themselves in that situation.

“FOSSA points out where a particular issue is, where it comes from, and the chain that brought it in, which is the most important part to me,” Griswold says. “It’s hard to find fourth- and fifth-level dependencies inside that chain, and FOSSA does a great job finding that stuff and reporting how it got there.”
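The two things Griswold describes above, a policy that denies copyleft licenses and a report that shows the chain through which a deep transitive dependency was pulled in, come down to a license lookup over a dependency graph. The Ruby script below is an added example written for this page; it is not FOSSA’s or Puppet’s code, and it does not use the FOSSA API. The dependency graph, package names, licenses and the deny/review policy are all invented for illustration (Ruby is used because most of Puppet’s own code is Ruby). It walks the graph breadth-first so that the chain reported for each finding is the shortest path that introduces the package, reports a package once even if several paths reach it, terminates on cyclic graphs, and treats a package whose license could not be resolved as a finding rather than silently allowing it.

```ruby
# Added example, not FOSSA's or Puppet's code: walk a dependency graph, apply a
# license policy, and report each finding with the chain that pulled it in.
require 'set'

# Constructed sample graph: package name => [SPDX license, direct dependencies].
# Every name and license here is invented for illustration; 'vendored-blob' is
# deliberately absent from the graph to model an unresolved package.
SAMPLE_GRAPH = {
  'puppet-enterprise' => ['Proprietary',   ['app-core', 'http-client']],
  'app-core'          => ['Apache-2.0',    ['json-parser', 'vendored-blob']],
  'json-parser'       => ['MIT',           []],
  'http-client'       => ['MIT',           ['tls-shim']],
  'tls-shim'          => ['BSD-3-Clause',  ['compat-util']],
  'compat-util'       => ['LGPL-2.1-only', ['deep-helper']],
  'deep-helper'       => ['GPL-3.0-only',  []]
}.freeze

# Hypothetical policy in the spirit of the one described above: strong copyleft
# is denied outright, weak copyleft goes to legal review, everything else passes.
POLICY = {
  deny:   Set['GPL-2.0-only', 'GPL-2.0-or-later', 'GPL-3.0-only', 'GPL-3.0-or-later',
              'AGPL-3.0-only', 'AGPL-3.0-or-later'],
  review: Set['LGPL-2.1-only', 'LGPL-2.1-or-later', 'LGPL-3.0-only', 'LGPL-3.0-or-later',
              'MPL-2.0']
}.freeze

# Returns :deny, :review or :allow. An unknown license (nil) is never silently
# allowed: a package whose license could not be resolved needs a human look.
def classify_license(license, policy = POLICY)
  return :review if license.nil?
  return :deny   if policy[:deny].include?(license)
  return :review if policy[:review].include?(license)
  :allow
end

# Breadth-first walk from root, so the chain reported for each finding is the
# shortest path that pulls the package in. Each package is visited once, which
# also makes the walk terminate on cyclic graphs. Returns an array of Hashes:
# { package:, license:, severity:, depth:, chain: } with depth 1 = direct dep.
def find_license_violations(graph, root, policy = POLICY)
  findings = []
  seen = Set[root]
  queue = [[root, [root]]]
  until queue.empty?
    name, chain = queue.shift
    license, deps = graph[name]              # both nil if the package is unresolved
    severity = classify_license(license, policy)
    if severity != :allow
      findings << { package: name, license: license, severity: severity,
                    depth: chain.length - 1, chain: chain }
    end
    (deps || []).each do |dep|
      next if seen.include?(dep)
      seen.add(dep)
      queue << [dep, chain + [dep]]
    end
  end
  findings
end

# One line per finding: severity, package, license, depth and the full chain.
def format_finding(f)
  lic = f[:license] || 'UNRESOLVED'
  "#{f[:severity].to_s.upcase} #{f[:package]} (#{lic}) depth #{f[:depth]}: " \
    "#{f[:chain].join(' -> ')}"
end

if __FILE__ == $PROGRAM_NAME
  find_license_violations(SAMPLE_GRAPH, 'puppet-enterprise').each do |f|
    puts format_finding(f)
  end
end
```

On the sample graph this reports three findings: the unresolved `vendored-blob` at depth 2 (review), the LGPL `compat-util` at depth 3 (review), and the GPLv3 `deep-helper` at depth 4 (deny) with the chain `puppet-enterprise -> http-client -> tls-shim -> compat-util -> deep-helper`, which is the fourth-level case the quote is about. In a real pipeline the graph would come from the lockfile or from a resolved SBOM rather than a literal, and a non-empty deny list would fail the build.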

Couple comprehensive, accurate results with substantial time savings, and it’s safe to say Puppet is pleased with its decision to make FOSSA an integral part of open source compliance.

“It works extremely well,” Griswold says. “I'm glad that I have a tool to replace a bunch of manual drudgery.”