Source Code Scanning for OSS Dependencies and Why

Posted by Jesse Hood on May 11th, 2012 in Open Source Trends, Scanning & Provisioning

Open source application audits using source code scanning tools are a critical part of a corporate open source software policy management and governance process; there literally is no way around it these days. Without a scanning tool, organizations may rely on homegrown tools, manual inspection and inventory of source code repositories, and developer interviews to implement the governance process. In our experience, even with full disclosure of open source usage from very honest and open development teams, things slip through the cracks. And, let's face it, manual inspection of source code is painfully slow. Homegrown tools might be a realistic approach for larger companies, but they require the allocation of internal resources, not only to use the tools but also to maintain and update them regularly.

Most open source auditing engagements are completed in the context of scanning the code base of a product line to confirm that a company has appropriately separated its intellectual property from the third party components. When third party components are used and distributed, all licenses for these components need to be identified, and there needs to be confirmation that appropriate license compliance steps have been taken. OpenLogic's Application Audit and Certification of Compliance services are one solution to consider when outsourcing to a team of experts, as they deliver a full report of all materials and licenses and a re-verification that the compliance steps have been completed.


Why You Should be Using SPDX for Open Source License Compliance

Posted by Peter Williams on April 25th, 2012 in Governance, Legal & Compliance, Open Source Management, Open Source Trends, Scanning & Provisioning

The Software Package Data Exchange (SPDX) standard is getting some love lately and this is good news for open source license compliance. Which is, in turn, good for open source in general. If you are involved in software license compliance activities you need to include SPDX in your plans for the future. It will allow you to manage the risks of software licensing in a more efficient and predictable way than ever before.

SPDX defines a standard way to represent the contents and licensing of software packages. This standard representation provides a shared vocabulary for tools involved in managing license compliance. The SPDX standard is being developed under the auspices of The Linux Foundation as a way to ease complying with the licenses of open source software. The model provided by SPDX is fully compatible with proprietary software licensing also. This means that SPDX provides a uniform way to represent the licensing of any software package. Being able to treat both open source and commercial software the same way allows license compliance processes and tools to be simplified and streamlined.


Open Source Software Management: A Recap of the Top Articles

Posted by Aaron Mandelbaum on April 16th, 2012 in Governance, Legal & Compliance, Open Source Management, Open Source Trends, Scanning & Provisioning, Support, The Cloud

Open Source Management: Dealing with New OSS Releases

The first quarter of this year has been a busy time in open source management. JBoss has had two releases in the 7.1 series, the Apache web server has had two releases in the 2.4 series and Ruby on Rails has had two releases in [...]


Creating an Open Source Compliance Checklist

Posted by Dave McLoughlin on April 13th, 2012 in Governance, Legal & Compliance, Open Source Management, Open Source Trends, Scanning & Provisioning

In a recent blog article, Using Categorization to Simplify Open Source License Compliance, I talked about simplifying open source compliance through license "categorization" and listed the common categories used in many open source licenses. In this article I'm going to talk about creating an open source compliance checklist based on those categorizations.

In OpenLogic Exchange (OLEX) Enterprise Edition we have analyzed several hundred open source licenses and created a list of high-level obligations for each license. For example, in OLEX the Apache License 2.0 list of obligations looks like this:

• Distribute copy of license
• Give notice of or fulfill other requirements related to modified files
• Obligation to include notice text or files
• Obligation to include copyright or trademark notice
• Obligation to indemnify contributors
• Obligation to apply license to original or derivative works
• Restrictions regarding use of trademark
• Termination of patent license upon filing of patent litigation


Open Source Software Management: A Review of Wazi Articles

Posted by Aaron Mandelbaum on April 11th, 2012 in Governance, Legal & Compliance, Open Source Management, Open Source Trends, Scanning & Provisioning, Support, The Cloud

The 5 most recent articles published on http://olex.openlogic.com/wazi/


Upcoming Webinar: Using SPDX to Streamline Open Source Compliance

Posted by Aaron Mandelbaum on April 2nd, 2012 in Governance, Legal & Compliance, Open Source Management, Open Source Trends, Scanning & Provisioning

The SPDX (Software Package Data Exchange) standard is designed to help companies streamline their open source compliance efforts by sharing information about open source licenses that are used in software packages.


Building the Business Case for Open Source Code Scanning

Posted by Jesse Hood on March 30th, 2012 in Governance, Legal & Compliance, Open Source Management, Open Source Trends, Scanning & Provisioning

I often talk to people who are having a hard time developing the business case for purchasing and implementing a source code scanning tool or purchasing an application audit service. I respond that a legitimate and successful business case in 2012 needs to include the following:

At minimum, a general understanding of the basics of open source software
Both the want and need to find and implement a solution
The organizational drivers and resources to develop a solution to a problem or to enhance and complement an existing system that lacks efficiency or accuracy
Cross-functional approvals and resources from multiple departments
Accurate and balanced vendor evaluation and selection criteria

Hopefully some of the ideas in this article will resonate and help you continue building the business case as you consider how or when to start a scanning and license compliance initiative.


The SPDX License List: the gateway drug to full SPDX adoption?

Posted by Jilayne Lovejoy on March 23rd, 2012 in Legal & Compliance, Scanning & Provisioning

The SPDX License List is just one part of a larger effort to make reporting open source software licensing information more efficient and thus ease license compliance. As an active member of the SPDX legal work group, I took on the task of 'keeper of the list' by simply raising my hand. Or so it seemed.

When I began working at OpenLogic, my first task was to read all the most commonly used open source licenses, analyze the license requirements, and help create the framework which would become the OLEX Open Source License Compliance module to our scanner. This necessarily brought up some tangential questions. Do we have this license already in our database and, if so, is it truly the same license? At what point does it become a different license? What is considered part of the license text and what isn’t? What should the license be called? How should the formatting look when the license is displayed on the page? Later, my role would evolve to include using our product to perform open source audit services for our customers. There is nothing like drinking your own Kool-Aid to encourage improvements at the macro and microscopic level.


Open Source Management: Guidelines for Setting your OSS Scan Objectives

Posted by Dave McLoughlin on March 21st, 2012 in Governance, Open Source Management, Scanning & Provisioning

When scanning your software for open source software, it is important to set and understand your objectives. Your objectives may affect how you approach the task of finding the various open source software components and licenses, what the final reports will look like, and what you ultimately do with the information.

In this article I will provide a few guidelines and some examples that you can use to help determine your scanning objectives.

First, consider what you already know about the code base you are planning to scan. Have you been diligent in tracking the use of open source software in your codebase? If you have a robust tracking system resulting in a comprehensive list of OSS, then your objectives may focus on verifying that list. If your list of OSS is more ad hoc and based on “memory” or partial lists of libraries used, or you have not been tracking OSS at all, then your objectives may be about creating a comprehensive list of all components.

Second, consider what information you hope to obtain from your scanning efforts. Here's where it can get tricky, especially if you are new to OSS scanning. For most organizations, scanning is about compliance: developing a comprehensive list of OSS components and their associated licenses to reduce overall liability and to ensure compliance with the various open source licenses. However, there may be specific types of information that are of particular interest to you or your organization, which will shape your search and your report.


Open Source Management: Take the Open Source Maturity Quiz

Posted by Kim Weins on March 16th, 2012 in Governance, Legal & Compliance, Open Source Trends, Scanning & Provisioning, Support, The Cloud, Open Source Management

Open source management is increasingly becoming an important point of discussion as today’s companies are using open source software more widely in their IT infrastructure. So much so that Gartner expects open source to make up 30% of enterprise IT portfolios in 2012.

Open source software can provide both cost and innovation benefits, but in order to use OSS successfully, companies must have an open source management capability. OpenLogic defines four stages of Open Source Maturity that measure your company's open source management capability.

The four stages are: Prevent, Manage, Promote and Transform.

About Us

OpenLogic helps enterprises use open source software by providing open source support, scanning, governance, and cloud solutions. For more on OpenLogic, go to www.openlogic.com.