Managing Software Inventories & Automating Open Source Software Compliance

Upload: nexb-inc

Post on 16-Jul-2015


TRANSCRIPT


Managing Software Inventories & Automating OSS Compliance

Agenda
• Introduction
• Identify Most Common Open Source License Requirements
• Discuss Key Compliance Challenges Today
• Outline Approach For Automating Compliance With Attribution And Redistribution Requirements
• Demo: Automating Attribution Generation with AboutCode and DejaCode
• Q&A


Most Common OSS License Obligations
• Copyright notices
• License notices
• Attribution obligations
• “Copyleft” obligations (licensing of derivative works)
– Source code delivery
– Build and installation instruction delivery (GPL)
• Notice of changes
• Indemnities
• Non-use of trademarks


Attribution Obligations
• Copyright, license, modification, and attribution requirements
• Delivery of source code may be the easiest way to comply in some cases because the notices are “baked in” to the distribution package
– Very common approach for the Linux Kernel
• Binary delivery requires creation of notice files
• Notices must be in the product delivery, for most licenses
• Posting on a website is usually not sufficient
• Relying on third party notices is usually not sufficient


Source Code Redistribution Obligations
• For GPL, LGPL, and other copyleft licenses
• Source materials must be made available, but not necessarily delivered with the product
• Not necessary to post source materials on the web, but this is often a good practice
• For GPL and LGPL you must enable the recipient to compile the code


Licensing Obligations
• Need to carve out copyleft and some other OSS licensing requirements from EULAs
• GPL, LGPL and other licenses cannot be changed to other terms
• Copyleft Limited licenses like EPL and MPL allow bifurcated licensing of source and binaries


Key Compliance Automation Challenges
• Identifying open source in use and how it is used
– Software Inventory of components in development environments
• Tracking open source redistributed by product release
– Software Bill of Materials (BOM) of components distributed or deployed
• Creating Attribution Notices by product release
– Including the offer to redistribute source code
• And doing this while the amount of open source used increases exponentially
– See GitHub…
– Proportion of open source in commercial software solutions is higher than 50% and growing


• Most companies have software component data in many formats in many places without an approval process for third-party code
– Components in Version Control systems and Repos
– Reports from internal and/or external software audits
– FOSS disclosures from suppliers
– Contracts for proprietary components

Page Content Copyright 2010 by Linux Foundation


OSS Compliance Trends
• More customers are requiring suppliers to share the OSS compliance burden and provide compliance artifacts for their products
– Software Bill of Materials (BOM)
– SPDX Documents
– Attribution Notices
– Source Code Redistribution Packages as needed
• Focus is shifting from “scanning” to managing the growing amount of software provenance data from internal and external sources



OSS Compliance Trends
• How do I manage OSS information from internal and external sources?
– Where to store the data?
– How to validate the data with minimal rework?
– How to update the data as the software changes?
• Most companies will need a layered solution
– Specific tools at the engineering group level that are best suited for the technologies, languages and development systems
– An enterprise system to pull data together across products and development systems


AboutCode and DejaCode
nexB offers two OSS Compliance solutions:
• AboutCode for engineering/product teams
– Basic system that can be adapted for any technology platform or language
– Can be integrated into build systems
– Open source license – Apache 2.0
• DejaCode for the enterprise
– Enterprise application designed for use by legal, engineering and business staff across all products and technologies
– Import data from any engineering-level system and from external sources (system of record for product releases)
– Subscription for SaaS (or on-premises)



AboutCode
• nexB created the AboutCode tools to automate OSS compliance
• Based on ABOUT specification v1.0
• An ABOUT file documents the origin and license for each component, usually at the library or directory level
• An ABOUT file = text file with file extension “.about”
• Applicable to any programming language and software development environment
• Extensible for build system integration for advanced automation
• Currently offered as command line tools
• Tools are written in Python and licensed under Apache 2.0
• Code and specification available at https://github.com/dejacode/about-code-tool


ABOUT File Example
A text file in tag / value format: httpd-2.4.3.tar.gz.about

name: Apache HTTP Server
home_url: http://httpd.apache.org
download_url: http://apache.belnet.be//httpd/httpd2.4.3.tar.gz
version: 2.4.3
date: 2012-08-21
license: apache-2.0
license_file: httpd-2.4.3.tar.gz/LICENSE
copyright: Copyright 2012 The Apache Software Foundation.
notice_file: httpd-2.4.3.tar.gz/NOTICE


AboutCode tools
• Create ABOUT files inside a codebase from a Software BOM or Inventory file (spreadsheet or other)
• Create a Software BOM or Inventory file (spreadsheet or other) from ABOUT files in the codebase
• Generate an Attribution Notices file
– Text file organized by copyright/license notice and component
– Default text or HTML format
• Generate a Source Code Redistribution package list


AboutCode Compliance Lifecycle


AboutCode Demonstration
• Example based on the e2fsprogs project
– Package included in most Linux distributions
– Set of utilities under different licenses
• Software Inventory file to create ABOUT files
• ABOUT files as created
• Generated Attribution Notice



DejaCode
Enterprise system for business, engineering and legal use
• Apply policies to licenses (and components)
• Use public component data from nexB and/or add private data about supplier-provided or own components
• Import or create a Product BOM for each product release
• Generate Attribution Notices and other compliance documents
See also https://enterprise.dejacode.com/landing/



DejaCode overview diagram: Product Portfolio, Component Catalog, License Library


DejaCode Demonstration
• Product Portfolio
• Attribution Notice generation
• Component Catalog
• License Library



Questions


About Fenwick & West
• 40 years working closely with technology and life sciences companies that are changing the world through innovation, and the venture capital and investment banking firms that are financing them.
• One of the first technology law firms in the world. Now one of the 150 largest law firms in the U.S.
• More than 350 attorneys focused on representing technology and life sciences companies in all facets of their legal needs
• Nationally ranked practices in initial public offerings, complex financial and commercial transactions, intellectual property protection and licensing, mergers and acquisitions, domestic and international tax planning and tax controversies



About nexB Inc.
• nexB offers:
– DejaCode Enterprise – a central business system for managing software components
– Software analysis/audit services for products and for acquisitions
– Open source tools for OSS management – AboutCode and ScanCode (coming soon)
• 300+ software audit projects completed to date
– Aggregated audited codebases > 3 billion lines of source code
– Aggregated value of the acquisition transactions > $5B
• See DejaCode Enterprise at www.dejacode.com


Contacts
• Fenwick & West
Stephen Gillespie
[email protected]
+1 415.875.2421
• nexB Inc.
Michael Herzog
[email protected]
+1 650 380 0680


Glossary
• Software Provenance: Owner, origin and license for a software component
• FOSS: Free and Open Source Software (aka FLOSS)
– Includes free, but not open source, components like Oracle Java libraries under their Binary Code License
• SPDX: Software Package Data Exchange
– http://spdx.org/
– Emerging standard for exchanging software license data
– Sponsored by the Linux Foundation


Advanced Automation with AboutCode
Enhance your build system and tools to:
• Recognize ABOUT files
• Assemble ABOUT files during a build for the sub-set of components included in an end-product (Deployed)
• Collect Attribution data for Deployed components and create an Attribution Notices file
• Insert Attribution Notices into the GUI (Help / About)
• Collect source code for the components that require Redistribution (including dependencies)
• Create an archive file of the Source Code Redistribution package
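The ABOUT tag/value format, the AboutCode tool functions (inventory from ABOUT files, Attribution Notice, Source Code Redistribution list) and the build-time filtering to Deployed components described in the slides above, as one added Python example that is not the about-code-tool's own code. The embedded ABOUT contents, the `acme-utils` component and the COPYLEFT license-key set are constructed assumptions for the example.

```python
import re

# Constructed sample ABOUT files keyed by path: the first mirrors the httpd slide
# example, the second is an invented copyleft component. A real run would read
# every *.about file found under the codebase instead of this dict.
ABOUT_FILES = {
    "thirdparty/httpd-2.4.3.tar.gz.about": """\
name: Apache HTTP Server
version: 2.4.3
license: apache-2.0
copyright: Copyright 2012 The Apache Software Foundation.
""",
    "thirdparty/acme-utils-1.0.about": """\
name: acme-utils
license: gpl-2.0
download_url: http://example.invalid/acme-utils-1.0.tar.gz
""",
}
# Assumed set of license keys that carry a source redistribution obligation.
COPYLEFT = {"gpl-2.0", "gpl-3.0", "lgpl-2.1", "lgpl-3.0"}

def parse_about(text):
    """Parse single-line 'tag: value' entries; blanks and # comments are skipped."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep and re.fullmatch(r"[a-z_]+", key):
            fields[key] = value.strip()
    return fields

def inventory(about_files, deployed=None):
    """Parse all ABOUT files; keep only the names in `deployed` when it is given."""
    comps = [parse_about(text) for text in about_files.values()]
    return [c for c in comps if deployed is None or c.get("name") in deployed]

def attribution_notice(comps):
    """Plain-text notice, one block per component; copyright is optional."""
    blocks = []
    for c in sorted(comps, key=lambda c: c.get("name", "")):
        header = f"{c.get('name')} {c.get('version', '')}".rstrip()
        body = [header, c.get("copyright"), f"Licensed under: {c.get('license', 'unknown')}"]
        blocks.append("\n".join(s for s in body if s))
    return "\n\n".join(blocks)

def source_redistribution_list(comps):
    """(name, download_url) for each component whose license needs source delivery."""
    return [(c["name"], c.get("download_url")) for c in comps if c.get("license") in COPYLEFT]
```

Passing `deployed={"Apache HTTP Server"}` to `inventory` reproduces the build-time case where only the components actually shipped in a product contribute to the notice and the redistribution list.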