Open Source Compliance Challenges

The use of open source software components is growing across all industry supply chains. Recent studies show that almost 80% of companies use open source. Some key compliance challenges with open source software are:
  • Tracking acquisition and use of open source software by product,
  • Providing accurate Attribution Notices with each product, and
  • Offering to provide source code for Copyleft-licensed components if required.
If you do not already have an OSS Compliance program in place, an audit of one or more products in your software portfolio can be an excellent starting point. A Product Audit will help you identify:
  • Your license obligations for open source and other third-party software components
  • Potential licensing or other risks associated with your use of open source or third-party software components

Product Audit Overview

The key deliverables from a Product Audit are:

  • Development codebase Software Inventory - this is a comprehensive list of the open source and third-party software components contained in the codebase of binaries and source code that you use to build a product or set of products
  • Software BOM for each Product - this is the subset of Development codebase components that are deployed for a particular release. This is important because a particular product release typically includes only a subset of the Development codebase components and because your specific open source license obligations may depend on how you use a component (dynamic or static linking, stand-alone, modified or not, etc.)
  • Issues List - Documentation of open source license compliance issues and actionable recommendations to remediate the Issues.

Open Source Governance and Compliance Automation

nexB offers two options to get you started quickly with open source compliance automation as part of a Product Audit:
  • We can combine your Product Audit with an evaluation of our DejaCode SaaS product so that you can see how easy it can be to track your open source usage by product. DejaCode can also automatically generate Attribution Notices for each of your products. See DejaCode for more information.
  • We can create AboutCode files from your Software Inventory so that you can track component licenses inside your Development codebase and also generate Attribution Notices from there. AboutCode is an open source project sponsored by nexB. See AboutCode for more information.
nexB offers implementation, training and support services for AboutCode, DejaCode and ScanCode to help you create a robust open source governance and compliance program.

Software provenance answers! Not just code scanning files.

nexB - Open Source Software Audit Experts

For each Product Audit, our deliverables include:

Software BOM

A Software Bill of Materials (BOM) file that provides a complete inventory of all the Open Source code in your Development codebase with identification of which Deployed products use each Development codebase component

Software Audit Report

A summary Software Audit Report with concrete remediation actions that the engineering team can use as a checklist to fix any potential issues found during the audit.

Attribution Notices

Optional - Software Attribution Notice(s) to add to your product UI or documentation as required by most open source software obligations.

Redistribution Package

Optional - Help you create a package of source code for redistribution as required by Copyleft licenses.