Full identification of third-party code
Developers all over the world treat downloaded open source code as a viable resource. Reusing third-party code saves development time and resources, allowing new application capabilities to be implemented quickly, efficiently, and at scale. Analysts such as Gartner note that open source components make up as much as 90% of some applications.
Like many companies whose services include designing and developing software for customers, Dextra Tech builds applications that often combine custom-built code, commercial software, and open source components. To have a third party double-check the code it was delivering to customers, Dextra wanted to validate its inventory of the open source components in use (also known as a “bill of materials,” or BOM).
“In addition to our existing processes and toolchain, which include checklists, tools, and engineering practices for usage of third-party open source code, we required a solution that goes beyond the typical checks for open source identification,” says Leonardo Leiva, delivery manager of digital transformation at Dextra Tech.
License identification is an important part of open source management, ensuring compliance with any obligations, restrictions, or conflicts associated with a specific component. Equally important is the ability to identify the version and patch status of each third-party component, since an outdated component can carry known security or quality defects.
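To make the two checks above concrete, the following added example (not code from the original page, and not Black Duck's own implementation) audits a small bill of materials in a CycloneDX-style JSON layout. It flags components whose declared license is missing or outside an allowlist, and components whose version is older than the fixed version in an advisory feed. The BOM contents, component names, license allowlist and advisory identifiers are all constructed for illustration and are hypothetical, not findings about any real package.

```python
"""Audit a CycloneDX-style bill of materials for license and patch-status issues."""
import json

# Constructed sample BOM (CycloneDX-style JSON). Component names, versions and
# licenses are hypothetical and do not describe any real project.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "acme-json", "version": "2.3.1",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "acme-xml", "version": "1.0.7",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "name": "acme-crypto", "version": "0.9.0",
         "licenses": []},  # no license declared at all
    ],
})

# Hypothetical advisory feed: package name -> list of (fixed_in_version, advisory_id).
# The advisory ids are placeholders, not real vulnerability identifiers.
ADVISORIES = {
    "acme-xml": [("1.1.0", "EXAMPLE-ADV-001")],
    "acme-crypto": [("1.0.0", "EXAMPLE-ADV-002")],
}

# Licenses this (hypothetical) organisation permits without further review.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}


def parse_version(v):
    """Split a dotted numeric version into a comparable tuple: '1.10.0' -> (1, 10, 0).

    Tuple comparison avoids the classic string-compare bug where '1.9.9' > '1.10.0'.
    """
    return tuple(int(part) for part in v.split("."))


def load_components(bom_json):
    """Parse the BOM document and return its component list."""
    bom = json.loads(bom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported BOM format")
    return bom.get("components", [])


def component_licenses(comp):
    """Return the license identifiers declared for a component (may be empty)."""
    ids = []
    for entry in comp.get("licenses", []):
        lic = entry.get("license", {})
        if "id" in lic:
            ids.append(lic["id"])
        elif "name" in lic:
            ids.append(lic["name"])
    return ids


def audit_bom(bom_json, allowed=ALLOWED_LICENSES, advisories=ADVISORIES):
    """Return a list of (name, version, finding) for every license or patch-status issue."""
    findings = []
    for comp in load_components(bom_json):
        name, version = comp["name"], comp["version"]

        # License check: undeclared licenses are a finding in their own right,
        # because an unknown license cannot be shown to be compliant.
        lics = component_licenses(comp)
        if not lics:
            findings.append((name, version, "license: undeclared"))
        for lic in lics:
            if lic not in allowed:
                findings.append((name, version, f"license: {lic} not in allowlist"))

        # Patch-status check: any advisory whose fix version is newer than the
        # version in use means the component is running unpatched.
        for fixed_in, adv_id in advisories.get(name, []):
            if parse_version(version) < parse_version(fixed_in):
                findings.append((name, version, f"{adv_id}: fixed in {fixed_in}"))
    return findings


if __name__ == "__main__":
    for name, version, finding in audit_bom(SAMPLE_BOM):
        print(f"{name}@{version}: {finding}")
```

Run against the sample data, the audit reports nothing for acme-json, a license and an advisory finding for acme-xml, and an undeclared license plus an advisory finding for acme-crypto. A real audit would read the BOM and the advisory feed from files or a service rather than inline constants, but the shape of the checks is the same.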
To get the best of both worlds and identify any license, security, or code quality issues that could affect their software assets, Dextra Tech turned to Synopsys’ Black Duck Audits.
“Black Duck was the logical choice,” says Leonardo Leiva. “We knew that Black Duck was being used by our customers, and that Black Duck Audits are a known market leader.”