A major European car manufacturer contracted Magneti Marelli to develop an in-vehicle infotainment (IVI) system based on the GENIVI Alliance open source platform. The agreement for the project stipulated strict compliance with GENIVI rules and free and open source software license requirements. The manufacturer would not accept product delivery without clear proof of compliance.
Work on the system, underway for more than two years, had resulted in the accumulation of 7-8 million lines of code. The vast majority of the code had been developed by Magneti Marelli and by external suppliers; the remainder, by the customer. The entire volume of code had to be reviewed for open source license compliance, a daunting task prone to human error when handled manually. While some external suppliers had provided a proper bill of materials for their components, the majority had not. It was impossible to furnish any proof of compliance, even for in-house developed code. Magneti Marelli suspected that thousands of different open source snippets were buried somewhere in the codebase, but had no easy means of identifying them or detecting their provenance and license obligations.
To address the challenge, at the recommendation of GENIVI, the methodology team at Magneti Marelli began looking for an appropriate software tool to automate code analysis and handle compliance issues.
“We looked at several such tools,” says Rubens Sarracino, the systems architect responsible for open source compliance at Magneti Marelli. “It was quickly established that Black Duck, as recommended by GENIVI, was indeed the best solution for the job, especially since Black Duck is the only offering which really checks every line of code against its vast database of open source components.”
Black Duck matches source code of any type against the industry’s most comprehensive knowledge base of open source software information, including license type and the exact version of the license under which the code was originally published. This capability enables quick discovery of license violations and unapproved components in a project’s codebase.