Companies often begin their journey of discovering what OSS is embedded in their products by manually inspecting their code or by asking developers what OSS they’ve used. This manual method is certainly better than nothing, but it is fraught with errors. Over time, developers forget what they added. Developers often move between projects and companies, so your current developers may not know what previous developers added. The more developers you have that work on your product and contribute source code, the greater your exposure to OSS. Automated OSS code scanning gives you a daily view of OSS in your products.
Manually conducting an inventory of OSS works initially, but it would be impossible to take a daily inventory by hand. Your developers are already under very tight deadlines to deliver new functionality, and adding another administrative task would be a tremendous burden. But not scanning daily can introduce unacceptable licenses or expose you to security vulnerabilities, both of which you want to avoid.
So, how do you automate these tasks? First, let me list the minimum tasks you should automate:
Scan for OSS in your code (both code snippets and modules).
Check the OSS discovered against security sites such as NIST (National Institute of Standards and Technology), looking for reported security vulnerabilities.
Review OSS and its licenses against the inventory already discovered for your product – what new has been added or changed?
Inform the various stakeholders of the findings – product managers, project managers, information security, development managers, developers…
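To make the four tasks concrete, here is a small added example (not code from the original post or from any of the products named below) of the logic a daily check runs: it parses a scan result into an inventory, diffs it against yesterday's inventory, looks each component up in a vulnerability feed, flags licenses that need review, and produces one report for the stakeholder list. Every manifest line, the feed contents and the license policy are constructed for illustration, and the CVE identifier is a placeholder; a real pipeline would read a lockfile or SBOM and query the NVD or a commercial feed instead of an in-memory dictionary.

```python
"""Added example: an offline daily OSS inventory check (constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str


def parse_manifest(text):
    """Task 1 stand-in: turn 'name==version license' lines into a name-keyed inventory."""
    inventory = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        spec, license_id = line.split()
        name, version = spec.split("==")
        inventory[name] = Component(name, version, license_id)
    return inventory


# Constructed scan results for "yesterday" and "today"
YESTERDAY = parse_manifest("""
# name==version license
requests==2.31.0 Apache-2.0
libfoo==1.2.0 MIT
pretty-print==0.9.1 BSD-3-Clause
""")
TODAY = parse_manifest("""
requests==2.31.0 Apache-2.0
libfoo==1.3.0 MIT
copyleft-util==4.0.0 GPL-3.0-only
""")

# Constructed stand-in for an NVD lookup, keyed by (name, version); the id is a placeholder
VULN_FEED = {
    ("libfoo", "1.3.0"): ["CVE-PLACEHOLDER-1"],
}

# Constructed license policy: licenses that must go to legal review before use
LICENSES_NEEDING_REVIEW = {"GPL-3.0-only", "AGPL-3.0-only"}


def diff_inventory(previous, current):
    """Task 3: what was added, removed, or changed since the last scan."""
    added = sorted(set(current) - set(previous))
    removed = sorted(set(previous) - set(current))
    changed = sorted(
        name for name in set(previous) & set(current)
        if previous[name] != current[name]
    )
    return {"added": added, "removed": removed, "changed": changed}


def find_vulnerabilities(inventory, feed):
    """Task 2: look up each (name, version) pair in the vulnerability feed."""
    return {
        name: feed[(name, comp.version)]
        for name, comp in inventory.items()
        if (name, comp.version) in feed
    }


def find_license_issues(inventory, review_set):
    """Flag components whose license falls under the review policy."""
    return {name: comp.license for name, comp in inventory.items()
            if comp.license in review_set}


def daily_report(previous, current, feed, review_set):
    """Task 4: one structured report to distribute to all stakeholder groups."""
    return {
        "changes": diff_inventory(previous, current),
        "vulnerabilities": find_vulnerabilities(current, feed),
        "license_review": find_license_issues(current, review_set),
    }


def format_report(report):
    """Render the report as plain text suitable for an e-mail or ticket."""
    lines = ["Daily OSS scan report"]
    for kind, names in report["changes"].items():
        lines.append(f"  {kind}: {', '.join(names) or 'none'}")
    for name, ids in report["vulnerabilities"].items():
        lines.append(f"  VULNERABLE: {name} -> {', '.join(ids)}")
    for name, lic in report["license_review"].items():
        lines.append(f"  LICENSE REVIEW: {name} ({lic})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(daily_report(YESTERDAY, TODAY, VULN_FEED, LICENSES_NEEDING_REVIEW)))
```

The diff step is what makes a daily cadence cheap: the report only grows when something actually changed, so a version bump (libfoo above) surfaces as a new vulnerability lookup and a newly added component (copyleft-util) surfaces as a license review item on the same day it enters the tree.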
Luckily there are a number of software solutions that can help automate these tasks (at least most of them). Here’s my short-list of solutions, presented in alphabetical order:
Black Duck
Flexera (acquired Palamida in 2016)
FOSSology (originally created for internal use by HP and then a contribution to the open source community in 2007)
Black Duck and Flexera are both commercial solutions, while FOSSology is an open source solution. All three have existed for over 10 years. Being commercial products, both Black Duck and Flexera offer a full suite of solutions to help you automate your full workflow from OSS license acceptance to code scanning. This includes license review, component inventorying, intellectual property management, security vulnerability research, and may even help you with export restriction analysis. FOSSology has a focused set of capabilities surrounding OSS license discovery and code reuse identification.
I often see companies begin to explore the capabilities of FOSSology and then contact both Black Duck and Flexera. Companies commonly do this because they recognize value in automated scanning and realize the commercial companies have built additional capabilities that the OSS community hasn’t yet created in FOSSology.
In my book, Open Source Software: Implementing a Successful OSS Management Practice, I describe the practice of analyzing alternatives and creating a short list of candidates. The decision of which product to use is ultimately a personal decision based on your needs. All three of these products help you automate your source code scanning and reporting. If you would like assistance with solution selection, vendor negotiation, or jump starting your OSS introduction process, SilverStream Consulting is here to help you use OSS responsibly.
What method do you use to scan for OSS? Comment below!
—Jeff Brown, SilverStream Consulting