nexB provides services for open source and third-party software component management and license compliance. We have unique expertise in complex embedded devices and large server-based or appliance-based software products.
Our Software Provenance Audit includes the same kind of source code scanning and matching applied by most companies in our space, but it also includes an expert review of the results. An audit is typically a two to four week process that identifies all the open source and other third-party code included in a product.
The primary benefit of our service is that it is performed by Software Provenance experts; our Reports are therefore concise, focused on real issues, and give actionable recommendations to remediate the issues identified during an audit.
In contrast, a tools-only approach provides a massive amount of raw data that requires extensive human review, filtering, and processing before it can be turned into useful information and actions.
Our service is unique because we analyze both Development code and Deployed code (i.e. the product package delivered to a customer, typically in binary format). Analyzing the Deployed code enables us to:
- Refine the license obligations for a product since most OSS license obligations are triggered by distribution to a customer or other third-party,
- Confirm that a Development codebase under audit has the complete set of components used to build the product(s),
- Refine the impact analysis for issues related to copyleft-licensed components.
The Deployed Code analysis is tailored to the languages and build system of the product under audit.
Some of the most common software audit use cases are Acquisition Due Diligence and Product Release.
Acquisition Due Diligence: You want to know the origin and license obligations for a software product that you plan to acquire. This may be:
- As simple as confirming that the licensing of a third-party or open source software product complies with your organization's standards; or
- As complex as acquiring a whole software company.
Product Release: You want to ensure that your software product, or hardware product with embedded software, complies with your licensing rules and will not create risks for your customers. There is a small, but growing, trend of customers demanding a certified Bill of Materials (BOM) for software, similar to the familiar standards in most manufacturing supply chains.
The deliverables from a Software Provenance Audit project are:
- A Bill of Materials file that provides a complete inventory of all the Open Source and Third-Party code in your Development codebase with identification of which Deployed products use each Development codebase component,
- A summary Report with concrete remediation actions that the engineering team can use as a checklist to fix any potential issues found during the audit,
- Optionally, the data needed to assemble Attribution Text and Source Code Redistribution packages to comply with OSS obligations.