It’s an acronym-filled issue of Open Source Insight, as we look at the question of SCA (software composition analysis) and how it fits into the DevOps environment. The DHS (Department of Homeland Security) has concerning security gaps, according to its OIG (Office of Inspector General). Can the CVE (Common Vulnerabilities and Exposures) gap be closed? […]
If you have reviewed any Black Duck On-Demand audit reports recently, you may have noticed improvements in the legal tab and the way we report on findings. The new report format has received some very positive reviews, the theme being that it makes reported results more actionable.
When the private equity industry was in its infancy in the 1980s, the tech sector was barely on its radar. Tech is now attracting all types of private equity firms, with the sector representing over 40 percent of US buyouts last year, a trend reflecting the global M&A market, in which tech is also the most […]
Best practices for a growing amount of firms involved in a merger/acquisition transaction (commonly known as an “M&A”) include a code audit whenever software is a significant part of the deal. And more and more firms are realizing that an open source code audit should be part of their overall tech due diligence process.
In the wake of selling Black Duck to Synopsys, it’s really interesting work through all facets of integration. An energizing journey it is to learn a new company, something I have not experienced in nearly a decade. Soon after we announced, I explained to my dad some of my experiences interacting with the organization, and […]
There have been interesting developments on the GPL enforcement front of late. Earlier this year, a court in the Northern District of California (in the case of Artifex Software, Inc. v. Hancom, Inc., which was recently settled out of court) found that breach of the GPL license was also a breach of contract. Later, in […]
The cries for revolt rang loudly within the open source community, as discussed in my prior post on this subject, and there is apparently insufficient soundproofing at Facebook headquarters to shield its denizens from the cacophony. Facebook has announced that it will release its popular open source React, Jest, Flow and Immutable.js projects under the […]
The Equifax disaster underscores the importance of vigilance even after completing open source audits, particularly with respect to security vulnerabilities. Much has been written about the recent breach. Here’s a good overview. In a nutshell, germane to this discussion, the exploited vulnerability was in a popular open source component, Apache Struts, that was made public […]
Although the so-called Facebook BSD+Patents license has been in the wild for nearly three years, it recently became the subject of much commotion because the Apache Software Foundation tagged it as a Category X license, the group of licenses explicitly barred from inclusion in Apache projects. Apache’s decision affects only Apache projects, but the rationale […]
The AGPL (Affero General Public License) has continued to gain in popularity and is showing up frequently in modern code bases. My blog Are SaaS Companies Immune to Open Source Risk? mentioned a key concern for SaaS or Cloud companies, a class of open source licenses that includes the Affero GPL designed to plug the SaaS loophole. […]