Posted by Hassib Khanafer on July 14, 2017
Identifying and managing the different types of free and open source software (FOSS) usage can be a daunting and error-prone task if done manually. But FOSS management systems make it easy for you to track the licenses and vulnerabilities in the FOSS components you use.
In modern software development, the importance of using free and open source software (FOSS) components to build software products and systems isn’t debatable. Using FOSS components for commonly available functionalities such as logging (e.g., Log4j), text search (e.g., Apache Lucene), and secure communication (e.g., OpenSSL) has become an important factor to speed product time to market (TTM). Additionally, developers can reuse these high-quality functionalities to better concentrate on their products’ core functionalities.
Commitment to FOSS by software giants like Microsoft and Google emphasizes the importance of FOSS in developing software. Microsoft has already undertaken key FOSS projects (e.g., Visual Studio Code, TypeScript). With more than 16,000 contributors to open source software, Google also has key open source projects (e.g., its flagship machine learning library: Tensorflow).
Companies need to manage the use of FOSS components from the following aspects:
FOSS management systems that are designed and developed by experts can ensure that these aspects are addressed properly. A comprehensive FOSS management solution helps customers handle the different aspects relating to FOSS component usage.
What are the different aspects relating to FOSS component usage, you ask?
Every company that uses FOSS components should have a FOSS usage policy. The policy should contain rules that govern different aspects of FOSS management, including:
Companies need a reliable way to identify FOSS components that are in use. There are four ways a FOSS component can be used in a company’s codebase:
Identifying and managing these different types of usage can be a daunting and error-prone task if done manually. This is especially true when considering the complexity of modern software systems, and the ease of access to the vast pool of available FOSS components. Reliable FOSS management systems should be well-equipped with functionalities and algorithms to identify and detect FOSS components. This can save a company valuable efforts that can be otherwise used in developing their products.
Different FOSS components are associated with different types of open source licenses. These licenses have different legal obligations, depending on how the FOSS component is used by the company. For example:
As an example, the GNU General Public License (GPL) mandates different obligations if the FOSS is distributed as part of the company’s product, as opposed to its use only internally. Also, customers using FOSS components with different open source licenses should make sure that such licenses are compatible. As an example, distributing products that contain code licensed under Mozilla Public License (MPL) and GPL will violate the terms of the licenses.
FOSS management systems are able to detect different open source licenses in use. They can also help customers identify license obligations based on the way these components are used. Additionally, they can provide input to help the legal team make decisions in terms of whether the use of a certain FOSS component is or isn’t allowed. This is based on the compatibility of license obligations with the company’s policies and business model.
Companies should make sure that their products don’t contain security vulnerabilities that could expose customers to security breaches. Like any other piece of software (open or closed), FOSS components are also vulnerable to security issues. Companies producing software need to be aware of vulnerabilities associated with FOSS components in use. Additionally, they should continuously monitor newly discovered vulnerabilities in these components, or known vulnerabilities that are fixed.
There are multiple platforms that collect and maintain databases of known FOSS components, such as the National Vulnerability Database. FOSS management systems harvest such databases, continuously monitor them, and provide timely information regarding the FOSS component vulnerabilities in their codebases.
Software shops usually have multiple roles that are involved in auditing the usage of FOSS components (i.e., reviewing and approving/disapproving usage). Examples of such roles include:
Auditing can take place two ways:
With both, multiple roles in the company could be responsible for auditing FOSS component usage. These roles include security specialists who check security vulnerabilities that could be relating to the component. It could also include legal staff who check the legal obligations of the component’s license.
FOSS management systems provides workflow engines that simplify the proactive and reactive auditing of FOSS components. A rich and efficient workflow provides and facilitates a smooth audit process. It allows:
A FOSS management solution API allows:
Black Duck Binary Analysis offers a comprehensive, reliable, and rich FOSS management solution that enables enterprises to efficiently manage FOSS component usage. For detecting and identifying FOSS components in codebases, Black Duck Binary Analysis uses a large reference database that currently contains over 4 million FOSS releases. These are also associated with over 700 thousand unique FOSS projects, and growing on a daily basis (with over 1 billion source files).
Major FOSS repositories are monitored on a 24/7 basis for new and popular content (e.g., GitHub, SourceForge, Maven, NuGet). This is so customers don’t miss out on FOSS components when auditing their codebases. Synopsys’ patented source file signature method allows Black Duck Binary Analysis to detect fully or partially used FOSS components. This is in addition to identifying code snippets that are reused from FOSS components.
Using its policy management capabilities, customers can identify their whitelisted and blacklisted licenses and copyrights. Additionally, customers receive alerts for violations of these listed during their codebase analyses. Black Duck Binary Analysis includes a rich restful API that allows a current customer’s codebase to integrate with their build infrastructure. This also enables them to build customized reporting that augments the out-of-the-box reports provided by Black Duck Binary Analysis.
With the ever-growing usage of FOSS components in building software products, software shops find themselves needing to address all aspects relating to this usage. This includes:
Handling these aspects can also consume significant efforts if done manually. FOSS management systems are the natural solution. They can save time and effort, and reduce risks that may accompany such usage.
Get the latest Software Integrity news, thought leadership, and more.