CI/CD and Open Source Compliance at Scale

Summary

Verizon Media — home to leading brands such as Yahoo Finance, Yahoo News, Yahoo Play, Yahoo Sports, HuffPost, AOL and more — achieves CI/CD and open source compliance at scale by combining Screwdriver, an internally built open source CI/CD platform, with the FOSSA Open Source Management platform. Together, these tools enable Verizon Media to deploy open source compliant code at scale, reducing costs, mitigating risk, and accelerating innovation.

Open Source Compliance

Verizon Media develops and delivers dozens of mobile applications across the global marketplace. These include popular consumer products such as Yahoo Finance, Yahoo Fantasy Sports, and Yahoo Play, as well as B2B products for advertisers and app developers. Mobile apps present a challenge when it comes to maintaining open source compliance. They are composed of many libraries, which in turn depend on many other libraries. Much of the underlying ecosystem used to develop mobile apps is open source. Thus, when using open source components in an app, an app publisher is obligated to disclose the license and copyright information associated with those components. This can be challenging with one or two apps, and daunting with dozens of apps to manage.

Measure Everything

To ensure Verizon Media’s apps are high quality, a dedicated team known as the Mobile Excellence Team measures how fast the apps load, how much space, battery, and network bandwidth they use, how they look on dozens of devices, and of course, what libraries they use. Measuring is essential to improving things. It also helps by providing lists of all libraries we use.

The team selected FOSSA to help manage open source compliance across the company. FOSSA analyzes mobile apps as they are compiled during the build. This helps identify what is really in the code, not just what should have been in the code. But implementing a new tool across dozens of engineering teams could be a huge challenge: different teams operate slightly differently, and that makes integration difficult. To address this, the Mobile Excellence team standardized their build process by using Screwdriver, an open source CI/CD platform built by Yahoo. The standardized tooling improves overall build quality and consistency. Moreover, leveraging Screwdriver's simple configuration files made it easy to implement FOSSA across all the mobile engineering teams at once.

Integrating FOSSA within the build process for Verizon Media mobile apps not only ensures apps are compliant with open source licenses but also generates automated credit reports that we include in each app.

Mani Subramaniam, Software Development Engineer, Verizon Media

CI/CD at Scale

Across Verizon Media, nearly all mobile apps are built using Screwdriver. Screwdriver treats build instructions like code. Adding new instructions to a build process is as easy as writing code and getting it committed to the master branch. This made implementing FOSSA at Verizon Media straightforward. The Mobile Excellence team configured the FOSSA settings and tested it on a few apps. After testing the scripts, the team made a few configuration changes to the existing iOS and Android build scripts, and with that, FOSSA started to run during the builds. The team set up two scripts: one that allows teams to run FOSSA on demand, and one that runs FOSSA by default on test and production builds. This way new apps can work out any issues iteratively before FOSSA is set to run by default.
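The two-mode setup described above (on-demand scan versus a scan that runs by default and gates the build), sketched as a screwdriver.yaml fragment. This is a constructed example, not Verizon Media's actual configuration; it assumes the FOSSA CLI is already present on the build image, that the FOSSA API key is stored as a Screwdriver secret named FOSSA_API_KEY, and that a job with no upstream trigger can be started manually from the Screwdriver UI.

```yaml
# Constructed example, not Verizon Media's real screwdriver.yaml.
# Assumes: `fossa` binary on the image, FOSSA_API_KEY stored as a
# Screwdriver secret, and manual start for jobs without a trigger.
shared:
  image: openjdk:11          # assumption: any image with the fossa CLI installed
  secrets:
    - FOSSA_API_KEY          # exported into the build environment by Screwdriver

jobs:
  # Default mode: runs on every PR and every commit, so test and
  # production builds are always scanned and license findings block them.
  build:
    requires: [~pr, ~commit]
    steps:
      - build: ./gradlew assembleRelease        # placeholder Android build step
      - fossa-analyze: fossa analyze            # upload the dependency graph
      - fossa-test: fossa test                  # non-zero exit on a policy violation

  # On-demand mode: no `requires`, so it never triggers automatically and a
  # team can start it by hand to see findings before enabling the gate.
  fossa-on-demand:
    requires: []
    steps:
      - fossa-analyze: fossa analyze
      - fossa-test: fossa test
```

The `fossa test` step is what turns the scan into a gate: a new app can rely on the on-demand job until its license issues are resolved, then switch to the default job.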

By using FOSSA and Screwdriver, Verizon Media can deploy software at scale with confidence. Continuous integration, continuous delivery, and continuous compliance are required for any product to provide value.

Gil Yehuda, Sr. Director of Open Source, Verizon Media

Results

After implementing Screwdriver and FOSSA, Verizon Media scanned hundreds of projects, as well as thousands of builds, dependencies, and unique dependencies. This proved the solution could scale. Automating open source compliance with FOSSA saved both the legal and development teams a significant amount of time. For example, instead of manually auditing open source packages and associated licenses project by project, FOSSA automatically scans and validates the associated licenses during each build.

Integrating FOSSA as part of the CI/CD process using Screwdriver, Verizon Media can detect licenses for open source dependencies in real time.

Balaji Som Singh, Director of Systems Engineering, Verizon Media