2021-11-09, Room 4
With hundreds of thousands of open source software (OSS) projects to choose from, OSS is a vital component of almost any codebase. However, with over a thousand unique licenses to comply with, the complexity of managing OSS use cannot be overlooked. Identifying and tracking OSS to comply with license requirements adds friction to the development process and can result in product-release delays. At VMware, developers must run a scanner to produce a Bill of Materials (BOM) listing the OSS in use. This extra step adds toil and leaves room for error, and some scanners are imprecise, which compounds these issues.
We solve this problem using Bazel to create an accurate BOM containing OSS and third-party packages during a build. To do this, we made a Bazel aspect that analyzes the dependency graph and collects information about each package from VMware's internal Artifactory. Additionally, it consumes a list of approved and denied OSS from VMware's legal team. By moving OSS validation to build time, OSS decisions are made earlier in the development and review process, making them less costly.
Our Bazel aspect outputs two files. First, it creates a BOM YAML file, which includes information on each OSS dependency. Second, it creates a BOM-issues file, containing the subset of OSS dependencies that the legal team has denied for use or that are still awaiting approval. A Jenkins server uses the BOM to file legal-review tickets for newly added OSS. Release managers and developers can use the BOM-issues file to identify problems, and the existence of issues can fail a build.
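The shape of such an aspect, as an added illustration rather than VMware's own code: it walks `deps`, treats every target from an external repository as a third-party package (an assumption; the real aspect looks packages up in Artifactory), writes a BOM YAML file, and derives the issues file by matching package labels against a hypothetical denylist file at `//legal:denied.txt`.

```starlark
# tools/bom.bzl (illustrative; paths and the denylist format are assumptions)
BomInfo = provider(fields = {"packages": "depset of package labels as strings"})

def _bom_aspect_impl(target, ctx):
    # Merge the package sets already computed for each dependency.
    deps = getattr(ctx.rule.attr, "deps", [])
    transitive = [d[BomInfo].packages for d in deps if BomInfo in d]
    # Assumption: anything outside the main repository is an OSS/third-party package.
    own = [str(target.label)] if target.label.workspace_name else []
    packages = depset(own, transitive = transitive)

    # First output: the BOM, one "  - <label>" line per package.
    bom = ctx.actions.declare_file(target.label.name + ".bom.yaml")
    ctx.actions.write(
        bom,
        "packages:\n" + "".join(["  - %s\n" % p for p in packages.to_list()]),
    )

    # Second output: BOM-issues, the packages that appear in the legal denylist
    # (one label per line). The file is empty when nothing is denied, so a
    # release gate can fail the build on a non-empty issues file.
    issues = ctx.actions.declare_file(target.label.name + ".bom-issues.txt")
    ctx.actions.run_shell(
        inputs = [bom, ctx.file._denylist],
        outputs = [issues],
        arguments = [bom.path, ctx.file._denylist.path, issues.path],
        command = "sed -n 's/^  - //p' \"$1\" | grep -Fxf \"$2\" > \"$3\" || true",
    )
    return [
        BomInfo(packages = packages),
        OutputGroupInfo(bom = depset([bom, issues])),
    ]

bom_aspect = aspect(
    implementation = _bom_aspect_impl,
    attr_aspects = ["deps"],
    attrs = {
        "_denylist": attr.label(
            default = "//legal:denied.txt",  # assumed location of the legal denylist
            allow_single_file = True,
        ),
    },
)
```

Run it with `bazel build //app:main --aspects //tools:bom.bzl%bom_aspect --output_groups=bom`; the two files land next to the target's other outputs in `bazel-bin`.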
We would like to present our work because we hope it will inform the design of general-purpose licensing infrastructure for the Bazel community.
A big fan of Open Source Software and an efficient development lifecycle, Daniel Machlab has dedicated his interests to making OSS license compliance seamless for his fellow VMware developers—and the entire Bazel community. Daniel's passion and appreciation for the Open Source Community dates back to his high school days, when he used OSS in his first apps. He had no idea that years later he would contribute a solution back to the community to make OSS easier to use.