Sonatype Blog

Legal at DevOps Speed

April 07, 2015 By Derek Weeks

Our general counsel, Paul Bosco, is a super nice guy. Among his many responsibilities, he helps Sonatype make the right decisions about the appropriate use of open source component licenses within our software. You would think that having a lawyer hanging over a developer's shoulder would get a little uncomfortable.

Paul is not part of our development team, he doesn't want to be, and he certainly does not slow them down. That said, Paul knows how to work at DevOps speed.

He knows legal reviews need to happen at the speed of development on every component, every build, and every release.

So how much time does Paul spend reviewing the open source and third-party software components in the software we are building? Almost none. Yup. That is because we have automated him.

It's all about dogfooding. At Sonatype, we have automated our open source policies. Paul's guidance on the proper use of every component license we use is built into Sonatype CLM. CLM is then integrated with our developer IDEs and our Bamboo CI platform. With CLM performing the adjudication, Paul is free to focus on other, more pressing matters. At the same time, our developers have instant access to the legal analysis run by CLM, so no time is wasted on legal reviews at the end of the development lifecycle.

[Figure: Sonatype CLM's IDE integration provides rapid, data-based feedback on versions, licenses, and known security vulnerabilities]

Reviews are built-in, automated, instant and continuous. CLM does not just discover problems with open source and third-party licenses. When issues are found, it also guides our developers to alternative component versions that may meet the acceptance criteria. By selecting the best components from the start, we eliminate the long legal reviews and rework that hurt release velocity and add to operational costs. With CLM in place, Paul can keep up with our development team at any pace they choose to run.
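The kind of policy gate described above, as an added illustration that is not Sonatype's or CLM's code: a hypothetical build-time check evaluates a constructed dependency manifest against an allowed-license list and, for each violation, looks up an alternative version of the same component whose license would pass. Component names, versions and the catalog are all constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    """One resolved dependency: name, version and its SPDX license id."""
    name: str
    version: str
    spdx: str


# Constructed catalog: the versions we know of each component and their
# licenses. A real gate would get this from component metadata, not a dict.
CATALOG = {
    "foo-lib": [Component("foo-lib", "1.0", "GPL-3.0"),
                Component("foo-lib", "1.1", "Apache-2.0")],
    "bar-util": [Component("bar-util", "2.4", "AGPL-3.0")],
    "baz-core": [Component("baz-core", "0.9", "MIT")],
}

# The encoded legal guidance: licenses acceptable in shipped software.
# Anything not listed, including an unknown license, fails the build.
POLICY_ALLOWED = {"Apache-2.0", "MIT", "BSD-3-Clause"}


def evaluate(manifest, catalog=CATALOG, allowed=POLICY_ALLOWED):
    """Return (passed, findings). Each finding names the offending component
    and version, its license, and the first acceptable alternative version
    from the catalog (None when no version of that component would pass)."""
    findings = []
    for comp in manifest:
        if comp.spdx in allowed:
            continue
        alternatives = [c.version for c in catalog.get(comp.name, [])
                        if c.spdx in allowed]
        findings.append({"component": f"{comp.name}@{comp.version}",
                         "license": comp.spdx,
                         "alternative": alternatives[0] if alternatives else None})
    return (len(findings) == 0, findings)


if __name__ == "__main__":
    # Constructed build manifest: one fixable violation, one with no fix.
    build = [CATALOG["foo-lib"][0], CATALOG["bar-util"][0], CATALOG["baz-core"][0]]
    passed, findings = evaluate(build)
    for f in findings:
        fix = f"use {f['alternative']}" if f["alternative"] else "no acceptable version"
        print(f"{f['component']} ({f['license']}): {fix}")
    raise SystemExit(0 if passed else 1)  # non-zero exit fails the CI build
```

In a CI integration the non-zero exit status is what stops the build; the findings give the developer the same answer the legal review would have produced, at commit time rather than at release.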


Written by Derek Weeks

Derek serves as vice president and DevOps advocate at Sonatype and is the co-founder of All Day DevOps -- an online community of 65,000 IT professionals.