Get the most out of your Black Duck Open Source Audit by understanding the report components and next steps you need to take.
Black Duck® Open Source Audit reports provide a tremendous amount of information. We have been performing audits and delivering results to customers for over 15 years, and we continue to seek to provide vital information that is easily accessible and valuable. We recognize that the information only has value if clients understand how to leverage and utilize the information, both as part of and following a merger and acquisition (M&A) transaction, so this blog post provides information on how to read and understand your report.
The open source audit provides several important deliverables.
You have received an email from the Black Duck project manager indicating the audit is complete. You download the reports. What’s next? How best to proceed and disseminate the information?
It is rare these days that an audit engagement consists of only a single application and set of reports. Even in the case of an individual product or application, these are often monolithic applications that consist of multiple, complex parts such as a web front end, a mobile client application, and data processing back-end elements. If the engagement consists of multiple applications, Black Duck recommends starting with the aggregated summary report so that you can quickly determine which of the detailed reports contain findings of interest or which reports indicate little risk, and therefore you can easily focus time and resources on what matters.
The engagement doesn’t end once the reports are delivered. We encourage our customers to schedule a call to discuss the content of the reports and clarify any questions regarding findings of interest. If the audit reports are being distributed across teams or entities, we want to provide insight to best utilize and leverage the findings. We strongly urge the attendance of legal, engineering, and security stakeholders to understand and address any questions resulting from the audit. There are worksheets provided in the reports that are specific to each of these groups. And the reports provide information that will be necessary for the target to address concerns.
Customers engage with us to discover the reuse and potential compliance and security issues surrounding the open source in the target’s software. In 2021, we performed audits for about 500 transactions. Across each of those transactions, we discovered open source 100% of the time, averaging nearly 600 items per application and over 1,700 per transaction. Importantly, 89% of those transactions involved the use of open source software that introduced license compliance risk. Eighty-five percent of transactions audited contained open source software discoveries with known security vulnerabilities.
In the end, having a plan on how best to address potential issues is necessary. In an M&A transaction, this part of the process will involve clearly conveying concerns to the target’s technical team. This may involve sharing a portion or the complete Black Duck report. In the case of open source license compliance issues, we have a short list of questions to explore in discussions of remediation with the target.
Synopsys wants to ensure that our customers understand and derive utility from our open source software audit reports.
Doing so means that we consistently look for feedback, and always want to ensure that any and all questions are addressed. The Black Duck audit team has dozens of specialists who are committed to providing our customers with timely results and expert insight regarding the details of the reports.
Don is a project manager for Black Duck and has been been part of the Synopsys Black Duck Audit Group since 2008. He has worked with hundreds of customers providing open source software training, process consulting, and guidance through the technical due diligence process.