FOSSA
FOSSA is the world’s first Modern Open Source Management platform. Designed for development and legal Effortlessly comply with open source licenses.
How do you get Engineering buy-in on OSS license compliance? You conduct compliance in the way that is most efficient.
Here are a few tips:
1. Compliance tooling is only as effective as the engineers that use it.
2. Use a broad coverage of popular programming languages.
3. Use tools that integrate with Engineering’s preferred workflows and development environments.
Learn more here: https://bit.ly/3UUH3zd
The Lawyer’s Guide to OSS License Compliance Tools, Featuring Heather Meeker Given the large volume of open source software in modern applications, it can be quite difficult to manage OSS license compliance obligations with manual processes alone. But picking the right compliance tool — and then realizing value from it on an ongoing basis — can be easier said than done, ...
Join us on December 1st to learn how to operationalize an !
It requires buy-in from the right stakeholders, building the right SBOM-related workflows, and using the right tools — and this can be easier said than done.
FOSSA's Head of Product Kenaz Kwa will discuss best practices for generating SBOMs that can be used throughout the SDLC: http://ow.ly/MSkx50LEh3V
How to Get Value from SBOMs Throughout the SDLC For all of the attention paid to SBOMs (software bill of materials) in recent years, there’s been little conversation about a mission-critical supply chain security use case: integrating SBOMs throughout the software development lifecycle. Instead, SBOMs are generated as a check-box item, placed i...
"Shifting left" refers to the idea that it’s best to identify and fix issues as early as possible in the SDLC.
In the context of open source license compliance and vulnerability management, teams should integrate license compliance and vulnerability analysis directly into existing engineering workflows and make it a key component of the CI/CD pipeline.
The security team at UiPath shares, “We’ve seen that it’s a better experience at the CI/CD pipeline level than doing it as a git integration (the code level)."
Learn more on how leveraging FOSSA's CLI helped them reduce open source risk: http://ow.ly/sZF550LGqo3
How UiPath Reduced Open Source Risk Through Team Collaboration - FOSSA Experts from UiPath share best practices to help teams collaborate to reduce risk in their use of open source software.
Companies like Slack generate software bills of materials with FOSSA in just minutes.
Learn how to upload your own project in FOSSA's platform integration and how to create a compliance report in accordance with the Cybersecurity Executive Order.
software is hugely changing IP risk in the software supply chain.
With the U.S. Supreme Court poised to consider what one lawyer calls the “copyright war of the century” and disputes related to continuing to arise, the space appears to pose increasing legal and reputational risks for businesses.
In partnership with Above the Law, we created a whitepaper for companies to navigate and understand this new landscape:
1. How open-source software became so widespread
2. Why IP risks proliferate in the software supply chain
3. The perils of litigating open source issues
Read more: https://bit.ly/3g2d5Ke
Why are SBOMs top of mind for in-house counsel at tech companies?
“Number one: security concerns. provide the roadmap in what’s inside your technology. It helps address issues, including compliance, if software offerings are compliant, and for sales.
Customers are wanting more of these—the Biden Executive Order makes it clear that the government is focusing and moving more in that direction,” shares Ryan Cobb, Director of IP at Okta.
Learn more here: https://bit.ly/3ElTrSP
Shane Coughlan, GM of OpenChain Project, explains how software composition analysis (SCA) tools like FOSSA support compliance with OpenChain ISO/IEC 5230:2020, the international standard for open source license compliance: https://bit.ly/3fEQRxX
3 Tips on Container License Compliance
1. Consider bringing any licensing policies you’ve applied to other areas of your organization to the container environment
2. Build a pre-approved, private registry of base images that are all covered by your organization's policies
3. Use a tool like FOSSA that offers container image license scanning and management
Learn more: http://ow.ly/rmOc50Lx1Sj
Containers and Open Source License Compliance - FOSSA The container ecosystem is fueled by open source components, which means container users must be mindful of license compliance obligations.
Evan LeBon, VP and Head of Legal of , shared how in-house counsel can ensure compliance processes keep pace with development.
Learn how the shift from a handful of releases each year to the modern world of dynamic build pipelines, automation, and CI/CD has forced legal teams to address various new challenges. Watch the recording: http://ow.ly/Zqo250LwYnr
Legal Compliance for Modern Software Development As a technology-focused attorney with several leading software companies, Evan LeBon has had a front-row seat to the evolution of software development — and the profound impact it’s had on in-house counsel. The shift from a handful of releases each year to the modern world of dynamic build pipel...
Is open source ESG?
"When it comes to open source, a company today is either part of the solution or part of the problem. These days, almost all companies use software, and most develop it as well.
Companies that have moved beyond the initial stage of using open source software, and matured to the point of releasing it—or even basing their businesses on it—have better reputations in technical communities," says Heather Meeker (Tech Law Partners LLP).
Read more here: http://ow.ly/y3Kj50LwPji
Why Open Source is ESG - FOSSA Leading IP attorney and open source software license compliance expert Heather Meeker explores the connection between ESG investing and OSS.
We're excited to announce our partnership with Itransition! Their expertise in digital solutions combined with FOSSA’s technology will allow organizations to identify, control, and remediate risk across their open source software supply chains. Read more here: https://bit.ly/3M9WgHj
Here's what happened during last week's U.S. Senate hearing on the Log4J vulnerability: https://fossa.com/blog/5-highlights-us-senates-log4j-vulnerability-hearing/
5 Highlights from the U.S. Senate’s Log4J Vulnerability Hearing - FOSSA The U.S. Senate's hearing on Log4Shell brought to light new information on the Log4J vulnerability and industry's response to it.
Several leading legal and open source experts shared strategies to ensure license compliance doesn't get in the way of a successful IPO/M&A/fundraising round in this on-demand webinar. https://www.brighttalk.com/webcast/17752/529029?utm_source=FOSSA&utm_medium=brighttalk&utm_campaign=529029
How to Ensure OSS License Compliance Doesn't Tank a Transaction If you're an in-house lawyer, today's deal market means any day may bring news of an IPO, merger, or even fast-tracked SPAC acquisition. The ubiquitous nature of open source software in modern applications means it’s likely that license compliance will be part of due diligence. And, any compliance...
New: Here are our top takeaways from the Linux Foundation's recent report on SBOMs and software supply chain security. Some really interesting data on the Cybersecurity Executive Order, use of open source, & more. https://fossa.com/blog/6-takeaways-linux-foundations-sbom-report/
6 Takeaways from the Linux Foundation's SBOM Report - FOSSA A new report from the Linux Foundation contains a treasure trove of data on industry attitudes toward SBOMs and software supply chain security.
NEW: A look at common vulnerabilities impacting React component libraries — and steps to mitigate them https://fossa.com/blog/react-security-how-fix-common-vulnerabilities/
React Security: How to Fix Common Vulnerabilities - FOSSA Explore several common vulnerabilities that impact React component libraries and see how to remediate them.
NEW: Leading OSS license compliance expert Heather Meeker breaks down the AGPL and its key provisions covering network deployment. https://fossa.com/blog/oss-license-compliance-expert-heather-meeker-agpl/
OSS License Compliance Expert Heather Meeker on the AGPL - FOSSA Heather Meeker, one of the world's foremost experts on open source license compliance, discusses the AGPL and its provisions covering network deployment.
Stay up to date on all things related to vulnerabilities. Check out our new Log4J Vulnerability Resource Center, featuring blogs, an on-demand webinar, and more: https://fossa.com/resource-library/log4j-vulnerability-log4shell
Log4J Vulnerability ‘Log4Shell’ Resource Center - FOSSA Access resources to help your organization detect, remove, and upgrade vulnerable versions of Log4J.
Our latest blog explores the bizarre case of an open source developer intentionally sabotaging their own libraries. Here's what happened, how to address any issues, and the big-picture view. https://fossa.com/blog/npm-packages-colors-faker-corrupted/
Open Source Developer Sabotages npm Packages ‘Colors,’ ‘Faker’ - FOSSA The developer behind popular npm libraries "Colors" and "Faker" intentionally sabotaged both packages. Here's what to do if your application is impacted.
Hot off the presses from our engineering blog: Check out our guide to managing dependencies in Visual Studio. https://fossa.com/blog/dependency-management-visual-studio-nuget-beyond/
Dependency Management in Visual Studio: NuGet and Beyond - FOSSA Learn how to manage NuGet package dependencies for your .NET projects using Visual Studio.
Happy new year from the FOSSA team! Here's to a happy, healthy, and all-around awesome 2022.
Q and A: Leading OSS license compliance expert Heather Meeker discusses the AGPL and the license compliance controversy surrounding Truth Social https://fossa.com/blog/heather-meeker-agpl-truth-social-oss-license-compliance/
Q and A: Heather Meeker on AGPL, Truth Social - FOSSA Heather Meeker, one of the world's leading OSS license compliance experts, shares insight on the AGPL and the Truth Social license compliance controversy.
To everyone in the open source community and beyond: wishing you and yours a happy and healthy holiday season!
Is TikTok Live Studio (TikTok's new streaming service) currently in violation of the GPL v2? Here's our analysis https://fossa.com/blog/does-tiktok-live-studio-violate-the-gpl-v2/
Does TikTok Live Studio Violate GPL v2? - FOSSA TikTok recently released a limited test of a new live streaming service, TikTok Live Studio, that may be in violation of the GPL v2 open source software license.
NEW: Here's how you can quickly and easily find and fix vulnerabilities using our CLI https://fossa.com/blog/quickly-find-remediate-log4j-vulnerabilities-log4shell/
How to Quickly Find and Remediate Log4J Vulnerabilities (Log4Shell) - FOSSA See how your organization can quickly identify and remediate Log4J vulnerabilities in your code.
NEW: A look at the new denial of service vulnerability, its impact, and important mitigation measures https://fossa.com/blog/how-fix-new-log4j-dos-vulnerability-cve-2021-45105/
How to Fix the New Log4J DoS Vulnerability: CVE-2021-45105 - FOSSA See the impact of the new Log4J denial of service (DoS) vulnerability, and get guidance on how to fix it.
This Thursday: Don't miss Heather Meeker, one of the world's leading OSS license compliance experts, on the Truth Social license compliance controversy and the AGPL: https://www.brighttalk.com/webcast/17752/521473?utm_source=FOSSA&utm_medium=brighttalk&utm_campaign=521473
Truth Social, AGPL, and OSS License Compliance The AGPL — a strong network copyleft open source software license — has been in the news because of alleged license violations committed by Truth Social (a planned Trump Media and Technology Group social media website). But while the Truth Social controversy has placed a spotlight on the AGPL, t...
On the severe and wide-ranging impact of the Log4J zero-day vulnerability, plus suggested fixes: https://fossa.com/blog/log4j-log4shell-zero-day-vulnerability-impact-fixes/
Log4J "Log4Shell" Zero-Day Vulnerability: Impact and Fixes - FOSSA A critical vulnerability has been discovered in Apache Log4J, the popular java open source logging library. Here's what happened and how to fix it.
Our engineering blog tackles dependency management in .NET: the .sln file, the nuget.config file, and more: https://fossa.com/blog/managing-dependencies-net-csproj-packagesconfig/
Managing Dependencies in .NET: .csproj, .packages.config, project.json - FOSSA Get an overview of the artifacts involved in .NET dependency management, how they interact, and how to use them.
Address
San Francisco, CA
94104
Opening Hours
Monday | 9am - 5pm |
Tuesday | 9am - 5pm |
Wednesday | 9am - 5pm |
Thursday | 9am - 5pm |
Friday | 9am - 5pm |