There are a lot of automated tools available for performing software composition analysis on a codebase. When Synopsys performs an audit for M&A transactions, we use a range of tools that do a forensic dive into the codebase, and then human auditors confirm or exclude and supplement those findings. We are the industry standard for creating an open source software Bill of Materials (SBOM), and we also identify components in a codebase from third-party commercial vendors.
We find code from commercial vendors by manually inspecting the results of a forensic scan of the codebase. Some commercial and proprietary components can be identified via our extensive KnowledgeBase™, but the majority of these identifications are made when auditors perform deeper analysis of the code.
The string searches we employ include about 200 targeted search patterns of various types that aid in this analysis. We also look at metadata in various binary file formats. These techniques uncover open source components that automation may overlook, and they also uncover company copyrights and end user license agreements (EULAs) embedded in files.
Once these indications of commercial software are found, the auditor researches which company may have supplied the code. The resulting report sorts the findings into categories for easy consumption, among them a “needs research” category for components with customized and nonstandard licenses. This shines a light on licenses that need review and helps legal teams understand what kind of remediation work will be required.
Dual-licensed items are a category of components that falls between open source and commercial code. These components are offered under either a reciprocal or a commercial license, and that can have interesting implications. We will dedicate a future blog post to this classification of component, but in short, the acquisition target either needs to hold a commercial license or must comply with the noncommercial (reciprocal) open source license.
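To make the pattern-search and report-category workflow above concrete, here is an added illustration, not Synopsys tooling or its actual pattern set: a handful of constructed copyright, EULA, license and dual-licensing patterns run over constructed sample files, with each file bucketed into the report categories discussed (open source, commercial, dual-licensed, needs research). The pattern list and file contents are hypothetical, and binary metadata extraction is out of scope here.

```python
import re
from collections import defaultdict

# Constructed search patterns in the spirit of the targeted searches described
# above (hypothetical; not Synopsys's own pattern set).
PATTERNS = {
    "copyright": re.compile(
        r"copyright\s+(?:\(c\)|©)?\s*\d{4}(?:-\d{4})?\s+(?P<holder>[A-Z][\w.,& ]+?)(?:\.|\n|$)", re.I),
    "eula": re.compile(r"\bend[- ]user licen[sc]e agreement\b", re.I),
    "oss_license": re.compile(
        r"\b(?:MIT License|Apache License,? Version 2\.0|GNU General Public License|BSD 3-Clause)\b", re.I),
    "dual": re.compile(r"\b(?:dual[- ]licensed|commercial licen[sc]e)\b", re.I),
    "custom": re.compile(r"\b(?:all rights reserved|redistribution prohibited|custom terms)\b", re.I),
}

# Constructed sample files standing in for a scanned codebase.
SAMPLES = {
    "vendor/sdk/LICENSE.txt": "END USER LICENSE AGREEMENT\nCopyright (c) 2019 Acme Widgets Inc. All rights reserved.",
    "lib/json/json.h": "/* Copyright (c) 2013 Jane Doe\n   Licensed under the MIT License. */",
    "lib/db/README": "dual-licensed: GNU General Public License v2 or a commercial license from ExampleDB Ltd.",
    "src/util/crypto.c": "/* Copyright 2021 Example Labs. Redistribution prohibited; see custom terms in TERMS.md */",
    "src/main.c": "int main(void) { return 0; }",
}

def classify(text):
    """Bucket one file the way the audit report does; returns (category, copyright holder)."""
    hits = {name: rx.search(text) for name, rx in PATTERNS.items()}
    found = {name for name, m in hits.items() if m}
    holder = hits["copyright"].group("holder").strip() if hits["copyright"] else None
    if "dual" in found and "oss_license" in found:
        return "dual-licensed", holder      # reciprocal OR commercial: both paths need review
    if "eula" in found:
        return "commercial", holder         # vendor EULA present: a commercial license must exist
    if "oss_license" in found:
        return "open source", holder        # recognized license text: standard SBOM entry
    if "custom" in found or "copyright" in found:
        return "needs research", holder     # ownership or nonstandard terms without a known license
    return "no indication", holder

def audit(files):
    """Run the patterns over every file; returns {path: (category, holder)}."""
    return {path: classify(text) for path, text in files.items()}

def summarize(results):
    """Group paths by report category, as the sorted report does."""
    grouped = defaultdict(list)
    for path, (category, _holder) in results.items():
        grouped[category].append(path)
    return dict(grouped)
```

Call `summarize(audit(SAMPLES))` to see the constructed files sorted into the four report categories; in practice a human auditor then researches each "needs research" and "commercial" hit to identify the supplying vendor.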