Even employing both these techniques, some open source will fall through the cracks. Another method that helps ensure the open source inventory is complete is sophisticated string searching. It operates on source code, applying predefined search terms and matching logic. Human auditors then review the files flagged by this process and identify likely matches to the open source packages from which the code was taken.
And it’s not just open source code that this process uncovers. There are almost 2,800 documented open source licenses, and our auditors uncover new, nonstandard licenses all the time (as well as third-party commercial code licenses). Sometimes these are well-known licenses whose language has been modified, which changes the requirements and obligations of the license. Others are completely new licenses written by the copyright holder. Frequently they are just one- or two-line statements saying that it is, or is not, OK to use the code in a commercial product. Trained auditors find all of these items during an audit.
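The string-searching pass described above can be illustrated with a small scanner. This is an added example, not the audit tooling the text describes: the search terms (SPDX tags, opening phrases of common license headers, copyright notices, and informal "feel free to use" statements) and the sample files are constructed for the example, and the triage rules are an assumption about how flagged files might be sorted before a human auditor looks at them.

```python
"""Flag source files carrying license or copyright text for auditor review.

Constructed example: the patterns and sample files below are assumptions,
not an audit tool's real signature set.
"""
import re
from typing import Dict, List

# Search terms (constructed): an SPDX tag yields a concrete identifier; the
# other patterns only say "some license-like text is here, look closer".
LICENSE_PATTERNS: Dict[str, re.Pattern] = {
    "spdx_tag": re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+\-]+)"),
    "copyright": re.compile(r"copyright\s*(\(c\)|©)?\s*\d{4}", re.IGNORECASE),
    "gpl": re.compile(r"GNU (Lesser |Affero )?General Public License", re.IGNORECASE),
    "mit": re.compile(r"Permission is hereby granted, free of charge", re.IGNORECASE),
    "apache": re.compile(r"Licensed under the Apache License", re.IGNORECASE),
    "bsd": re.compile(r"Redistribution and use in source and binary forms", re.IGNORECASE),
    # One- or two-line informal permission statements, the kind the text says
    # auditors keep finding; these never map to a standard license.
    "informal": re.compile(
        r"\b(feel free to use|free to use|do whatever you (want|like)|no warranty)\b",
        re.IGNORECASE,
    ),
}


def scan_text(text: str) -> List[Dict[str, object]]:
    """Return one finding per (line, pattern) hit, with the SPDX id if present."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in LICENSE_PATTERNS.items():
            match = pattern.search(line)
            if match:
                findings.append({
                    "pattern": name,
                    "line": lineno,
                    "spdx": match.group(1) if name == "spdx_tag" else None,
                    "text": line.strip()[:120],
                })
    return findings


def triage(findings: List[Dict[str, object]]) -> str:
    """Sort a file's findings into 'machine can classify' vs 'auditor needed'."""
    if not findings:
        return "no license text found"
    spdx = sorted({str(f["spdx"]) for f in findings if f["spdx"]})
    kinds = {str(f["pattern"]) for f in findings}
    if spdx and kinds <= {"spdx_tag", "copyright"}:
        return "spdx: " + ",".join(spdx)
    if "informal" in kinds:
        return "human review: informal or nonstandard permission statement"
    headers = sorted(kinds - {"copyright", "spdx_tag"})
    if not headers:
        return "human review: copyright notice without license text"
    return "human review: license header present, no SPDX tag (" + ",".join(headers) + ")"


def scan_files(files: Dict[str, str]) -> Dict[str, str]:
    """Map each file name to its triage verdict."""
    return {name: triage(scan_text(content)) for name, content in files.items()}


# Constructed sample tree: one clean SPDX file, one GPL header without a tag,
# one forum snippet with an informal permission line, one file with nothing.
SAMPLE_FILES: Dict[str, str] = {
    "vendor/fastjson.c": (
        "/* Copyright (c) 2015 Example Corp\n"
        " * SPDX-License-Identifier: MIT\n"
        " */\nint f(void) { return 0; }\n"
    ),
    "vendor/oldlib.c": (
        "/* Copyright 2009 Someone\n"
        " * This program is free software; you can redistribute it under the\n"
        " * GNU General Public License version 2.\n */\n"
    ),
    "util/snippet.py": (
        "# Taken from a forum post. Feel free to use this however you like.\n"
        "def g():\n    pass\n"
    ),
    "src/main.c": "#include <stdio.h>\nint main(void) { return 0; }\n",
}

if __name__ == "__main__":
    for path, verdict in scan_files(SAMPLE_FILES).items():
        print(f"{path:22s} {verdict}")
        for hit in scan_text(SAMPLE_FILES[path]):
            print(f"    L{hit['line']} [{hit['pattern']}] {hit['text']}")
```

Only the SPDX-tagged file resolves to a concrete license automatically; everything else is routed to a person, which mirrors the division of labour the text describes: the search narrows the haystack, the auditor decides what the flagged text actually obligates.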