How We Automated our Lawyer For DevOps
BY DEREK E. WEEKS
Our general counsel, Paul Bosco, is a super nice guy. Among his many responsibilities, he helps Sonatype make the right decisions about appropriate license use of open source components within our software. Paul played a key role in defining our open source governance policy. And like any lawyer you’ve ever met, he is a stickler about compliance with the policy.
But who wants a lawyer hanging over the shoulder of every developer? That would get a little uncomfortable.
We Automated Paul
Paul is not part of our development team, he doesn’t want to be, and he certainly does not slow them down. That said, Paul knows how to work at DevOps speed.
He reviews open source licenses for compliance with our policy at the speed of development on every component, every build, and every release. If we download 100,000 open source components in a year (not uncommon for most development teams), Paul ensures that every single one of them is checked for compliance with our open source governance policy.
So how much time does Paul spend reviewing open source and third-party software components in the software we are building? Almost none. Yup. That is because we have automated him.
Dogfooding
It’s all about dogfooding. At Sonatype, we have automated our open source policies. Paul’s guidance on the proper use of every component license we use is built into Sonatype’s Nexus Lifecycle. Nexus Lifecycle is integrated with our developer IDEs (in this case Eclipse) and our CI platform (in this case Bamboo). With Nexus Lifecycle performing the analysis and adjudication, Paul is free to focus on other more pressing matters.
At the same time, our developers have instant access to the legal analysis run by Nexus Lifecycle. Therefore, no time is wasted on prolonged legal reviews at the end of the development lifecycle.
Compliance works at DevOps velocity. Because we automated his reviews and decision criteria, Paul is never outpaced.
Automating Discovery and Remediation
Reviews are built-in, automated, instant and continuous. Nexus Lifecycle is not just discovering problems with open source and third-party licenses. If issues are discovered, it also guides our developers to alternative component versions that may meet acceptance criteria. This way, development never grinds to a halt in order to wait for Paul’s okay.
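To make the idea concrete, here is a small policy-as-code license gate of the kind the last two sections describe. It is an added illustration and not Nexus Lifecycle's code, nor how Sonatype's Eclipse or Bamboo integration is implemented: the counsel's decisions live in an allow/review/deny table, every component in a build manifest is classified against it, a denied component is reported together with versions of the same component that pass, and the CI job fails on a denial. The policy, the component catalog (standing in for what a package registry would report for each version) and the build manifest are all constructed for the example.

```python
"""License-policy gate for a build manifest.

Added example; not Nexus Lifecycle code. The policy, catalog and
manifest below are constructed for illustration only.
"""
from dataclasses import dataclass, field

# Constructed policy: the counsel's guidance expressed as SPDX identifiers.
POLICY = {
    "allow": {"Apache-2.0", "MIT", "BSD-3-Clause", "BSD-2-Clause"},
    "review": {"LGPL-2.1-only", "LGPL-3.0-only", "MPL-2.0"},
    "deny": {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"},
}

# Constructed registry metadata: component -> {version: SPDX expression}.
CATALOG = {
    "jsonlib": {"1.2.0": "GPL-3.0-only", "1.3.0": "GPL-3.0-only", "2.0.1": "Apache-2.0"},
    "textutil": {"0.9.0": "MIT OR GPL-2.0-only", "1.0.0": "MIT"},
    "cryptokit": {"3.1.0": "LGPL-2.1-only"},
    "mystery-lib": {"0.1.0": ""},  # publisher shipped no license metadata
}

# Constructed manifest: what the CI job resolved for this build.
MANIFEST = [
    ("jsonlib", "1.3.0"),
    ("textutil", "0.9.0"),
    ("cryptokit", "3.1.0"),
    ("mystery-lib", "0.1.0"),
]


@dataclass
class Verdict:
    component: str
    version: str
    license: str
    status: str                      # "allow", "review" or "deny"
    alternatives: list = field(default_factory=list)


def classify(expr: str, policy=POLICY) -> str:
    """Map an SPDX expression to allow/review/deny.

    A dual-licensed component ("A OR B") is acceptable when any choice is
    allowed, because the consumer picks the terms. Missing, empty or
    unrecognized license metadata goes to review rather than being
    allowed by default: a legal gate must fail closed.
    """
    choices = [c.strip() for c in expr.split(" OR ")] if expr else []
    if not choices or any(not c for c in choices):
        return "review"
    if any(c in policy["allow"] for c in choices):
        return "allow"
    if any(c in policy["review"] for c in choices):
        return "review"
    if all(c in policy["deny"] for c in choices):
        return "deny"
    return "review"  # unknown identifier or compound expression we cannot parse


def alternatives_for(component: str, policy=POLICY, catalog=CATALOG) -> list:
    """Versions of the same component whose license is allowed outright."""
    versions = catalog.get(component, {})
    return [v for v, lic in versions.items() if classify(lic, policy) == "allow"]


def evaluate(manifest, policy=POLICY, catalog=CATALOG) -> list:
    """Classify every resolved component; attach alternatives when it does not pass."""
    verdicts = []
    for name, version in manifest:
        lic = catalog.get(name, {}).get(version, "")
        status = classify(lic, policy)
        alts = alternatives_for(name, policy, catalog) if status != "allow" else []
        verdicts.append(Verdict(name, version, lic, status, alts))
    return verdicts


def gate(verdicts, block_on=("deny",)) -> bool:
    """True when the build may proceed. Review items are reported, not blocking, here."""
    return not any(v.status in block_on for v in verdicts)


if __name__ == "__main__":
    report = evaluate(MANIFEST)
    for v in report:
        line = f"{v.status:6} {v.component}@{v.version} ({v.license or 'no license metadata'})"
        if v.alternatives:
            line += "  -> try " + ", ".join(v.alternatives)
        print(line)
    raise SystemExit(0 if gate(report) else 1)
```

Run as a CI step, the script prints one line per component and exits non-zero on a denial, which is what makes a Bamboo-style job fail the build; the developer sees the passing version (`jsonlib` 2.0.1 here) in the same output instead of waiting for a legal review. Two design choices matter for a gate like this: dual licensing is accepted only when one of the offered terms is on the allow list, and a component with no license metadata or an expression the evaluator does not understand is routed to review rather than quietly allowed.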
By selecting the best components from the start, we eliminate long legal reviews and rework that negatively impact our release velocity and add to operational costs. Paul is happy. Our developers are happy too.
Want to achieve compliance at velocity? Who in your organization should be automated?