FOSSA for a secure and trusted automotive ecosystem
- License Compliance: with vehicles getting more electronic by the day, software and open source have become an important part of the automotive supply chain. With hundreds of different licenses, ranging from permissive to strong copyleft, and multiple layers of dependencies, compliance should be a priority to avoid legal risk, including the possibility of being forced to release proprietary source code, and significant financial and reputational damage.
- Software Bill of Materials: the technological advancements in the auto industry, coupled with the industry's high quality standards, have brought into focus the importance of software supply chain visibility, such as a software bill of materials (SBOM), which enables auto organizations to track and address security vulnerabilities and potential open source license compliance violations.
- Vulnerability Detection & Management: with the number of open source vulnerabilities continuing to rise year over year, it becomes very important for automotive organizations to have real-time, accurate visibility into OSS vulnerabilities, as well as the infrastructure to support rapid remediation.
- Code Quality: long-lived automotive codebases accumulate outdated components and technical debt; identifying and replacing those components is part of keeping the software supply chain maintainable and secure.
“FOSSA told me exactly when there was an issue, what the issue was, and then I could work with the engineers on next steps. It enabled us to deploy software at scale. We could keep doing what we were doing and feel that we were in compliance with all of our open-source obligations.”
Patrick Lonergan, Former Associate General Counsel at CircleCI
FOSSA, a modern, DevOps-friendly open source management platform, enables the following:
- Comprehensive Vulnerability Detection: security teams benefit from a continuously updated vulnerability database that fuels real-time alerts across all projects.
- Intelligent Issue Resolution: automotive organizations get actionable guidance to resolve compliance issues and remediate vulnerabilities.
- Developer-Friendly: developers get compliance violation alerts in real time via Slack, Jira, or email, and can make any code changes directly in their preferred environments.
- Improved Code Quality: identify and replace outdated components and reduce technical debt with FOSSA's Quality feature.
- Broad Ecosystem Support: identify and resolve security and compliance risk across a wide range of languages and packaging formats, including C, C++, monorepos, RPM, Debian, JARs, and more.
- Strong Access Control: follow the principle of least privilege with customizable roles and permissions.
- Fast Time to Market: FOSSA integrates with commonly used build systems (e.g., Travis, Jenkins, CircleCI) and repositories (e.g., GitLab, Bitbucket, GitHub), enabling automotive development organizations to shift left and accelerate the SDLC.
- Automated Reporting: compile software bills of materials and stay audit-ready with real-time, standardized reporting at scale across a variety of development environments.
- AOSP Notice Files: automated workflow to generate a "full" version of the AOSP NOTICE file, with a workflow to inspect, approve and (if necessary) manually override the generated NOTICE file.
“It would take approximately two to three weeks of dedicated engineering time by a single release engineer to go through license compliance. With FOSSA, our license compliance review took five to ten minutes.”
Eric Griswold, Principal Release Engineer at Puppet