The use of open source software components is growing across all industry supply chains. Recent studies show that almost 80% of companies use open source. Some key compliance challenges with open source software are:
Tracking acquisition and use of open source software by product,
Providing accurate Attribution Notices with each product, and
Offering to provide source code for Copyleft-licensed components if required.
If you do not already have an OSS Compliance program in place, an audit of one or more products in your software portfolio can be an excellent starting point. A Product Audit will help you identify:
Your license obligations for open source and other third-party software components
Potential licensing or other risks associated with your use of open source or third-party software components
Product Audit Overview
The key deliverables from a Product Audit are:
Development codebase Software Inventory - this is a comprehensive list of the open source and third-party software components contained in the codebase of binaries and source code that you use to build a product or set of products.
Software BOM for each Product - this is the subset of Development codebase components that are deployed for a particular release. This matters because a particular product release typically includes only a subset of the Development codebase components, and because your specific open source license obligations may depend on how you use a component (dynamic or static linking, stand-alone, modified or not, etc.).
Issues List - Documentation of open source license compliance issues and actionable recommendations to remediate the Issues.
Open Source Governance and Compliance Automation
nexB offers two options to get you started quickly with open source compliance automation as part of a Product Audit:
We can combine your Product Audit with an evaluation of our DejaCode SaaS product so that you can see how easy it can be to track your open source usage by product. DejaCode can also automatically generate Attribution Notices for each of your products. See DejaCode for more information.
We can create AboutCode files from your Software Inventory so that you can track component licenses inside your Development codebase and also generate Attribution Notices from there. AboutCode is an open source project sponsored by nexB. See AboutCode for more information.
nexB offers implementation, training and support services for AboutCode, DejaCode and ScanCode to help you create a robust open source governance and compliance program.
Software provenance answers, not just code scanning of files.
For each Product Audit, our deliverables include:
A Software Bill of Materials (BOM) file that provides a complete inventory of all the Open Source code in your Development codebase, with identification of which Deployed products use each Development codebase component.
Software Audit Report
A summary Software Audit Report with concrete remediation actions that the engineering team can use as a checklist to fix any potential issues found during the audit.
Optional - Software Attribution Notice(s) to add to your product UI or documentation as required by most open source software obligations.
Optional - Help you create a package of source code for redistribution as required by Copyleft licenses.