The use of open source software components is growing across all industry supply chains. Recent studies show that almost 80% of companies use open source. Some key compliance challenges with open source software are:

• Tracking acquisition and use of open source software by product,
• Providing accurate Attribution Notices with each product, and
• Offering to provide source code for Copyleft-licensed components if required.

If you do not already have an OSS Compliance program in place, an audit of one or more products in your software portfolio can be an excellent starting point. A Product Audit will help you identify:

• Your license obligations for open source and other third-party software components
• Potential licensing or other risks associated with your use of open source or third-party software components

The key deliverables from a Product Audit are:

• Development codebase Software Inventory - this is a comprehensive list of the open source and third-party software components contained in the codebase of binaries and source code that you use to build a product or set of products
• Software BOM for each Product - this is the subset of Development codebase components that are deployed for a particular release. This is important because a particular product release typically includes only a subset of the Development codebase components and because your specific open source license obligations may depend on how you use a component (dynamic or static linking, stand-alone, modified or not, etc.)
• Issues List - Documentation of open source license compliance issues and actionable recommendations to remediate the Issues.

Open Source Governance and Compliance Automation

nexB offers two options to get you started quickly with open source compliance automation as part of a Product Audit:

• We can combine your Product Audit with an evaluation of our DejaCode SaaS product so that you can see how easy it can be to track your open source usage by product. DejaCode can also automatically generate Attribution Notices for each of your products. See DejaCode for more information.
• We can create AboutCode files from your Software Inventory so that you can track component licenses inside your Development codebase and also generate Attribution Notices from there. AboutCode is an open source project sponsored by nexB. See AboutCode for more information.

nexB offers implementation, training and support services for AboutCode, DejaCode and ScanCode to help you create a robust open source governance and compliance program.