Open Source Software Governance with DejaCode

Copyright © nexB Inc. Open Source Software Governance with DejaCode November 2015


Page 1: Open Source Software Governance with DejaCode (November 2015)

Page 2: Agenda

•  About nexB Inc.
•  Software Component Data Management
•  nexB's Offering
•  Additional Materials: DejaCode, AboutCode, ScanCode
•  Glossary/Acronyms

Page 3: About nexB Inc.

Our business is software component management
•  Current focus on open source governance and compliance
•  Primary product is an enterprise system for tracking all software components in your products
•  Plus practical open source solutions for integrating software engineering systems with enterprise systems

We offer
•  DejaCode™ - Open Data Platform for Managing Open Source
•  Open Source Software Audit Services
•  Open Source Scanning & Attribution Generation Tools

We are
•  Software provenance analysis experts
•  Active open source developers & Linux Foundation member

Page 4: Software Component Data Management

Businesses are software producers and consumers

Page 5: Software Component Data Management

Organizing and sharing software component data is becoming a bigger problem than acquiring it. nexB created a suite of open source and commercial tools to address this problem:
•  DejaCode – Enterprise system of Records
•  AboutCode – Open Source Attribution Generation Tool
•  ScanCode – Open Source Code Scanner

Page 6: Our offering

ScanCode
•  Purpose: Scanning tool to detect third-party software components in your codebase.
•  Primary users: Developers and other technical staff.
•  Main Benefits: Easily detect open source and third-party code in your product. Embed in any Continuous Integration process flow.
•  Interface: Command line tool with interactive HTML reports or JSON.
•  Installation: Automated installation.
•  Cost: Apache 2.0 license with specific attribution notice. Commercial support available.

DejaCode
•  Purpose: Organize and share product inventories. Manage OSS compliance.
•  Primary users: Product Release Manager. OSRB members. Legal advisors.
•  Main Benefits: Manage software component and license information. Publish and apply policies for license and component usage. Generate Attribution and Redistribution documentation for open source components.
•  Interface: Easy to use GUI.
•  Installation: SaaS: No installation. On-premises: Simple, scripted and documented Linux server install.
•  Cost: Annual subscription including support and data updates. http://www.dejacode.com/pricing.html

AboutCode
•  Purpose: Recording software provenance data in your codebase (Attribution notices).
•  Primary users: Developers and other technical staff.
•  Main Benefits: Generate Attribution and Redistribution documentation for open source components.
•  Interface: Command line tool with customizable templates for Attribution.
•  Installation: Automated installation.
•  Cost: Apache 2.0 license. Commercial support available.

Page 7: Product Portfolio

•  Component Catalog
•  License Library

Page 8: Trial

Delivered as a Service with your "private" database
•  http://www.dejacode.com/
•  Pricing: Four subscription options starting at $500/month, http://www.dejacode.com/pricing.html
•  30 Day enterprise trial - http://www.dejacode.com/trial.html

On-premises option

Personal edition to view DejaCode component and license data
•  https://enterprise.dejacode.com/
•  No registration required

Contact
•  Pierre Lapointe, Customer Care Manager
•  [email protected] / +1 (415) 287-7643

Page 9: Demo time

Page 10: Additional Materials

Page 11: ScanCode

•  License and copyright scanner
•  Command line tool with interactive HTML reports or JSON.
•  Available on GitHub at: https://github.com/nexB/scancode-toolkit/
•  Commercial Support available

Page 12: Features Roadmap

Roadmap available at https://github.com/nexB/scancode-toolkit/wiki/Roadmap
•  Migrating features from proprietary scanning tools to ScanCode incrementally over the year (2015)

Major new features include
•  Packaged code and dependencies support
•  Component-level matching against an external Repository
•  NVD Database lookup for vulnerabilities cross check

Page 13: AboutCode

nexB created the AboutCode tools to automate OSS compliance
•  Based on ABOUT specification v1.0
•  An ABOUT file documents the origin and license for each component, usually at the library or directory level
•  An ABOUT file = text file with file extension ".ABOUT"
•  Applicable to any programming language and software development environment
•  Extensible for build system integration for advanced automation
•  Currently offered as command line tools

Written in Python and licensed under Apache 2.0
Public Website at http://www.aboutcode.org/
Code available at https://github.com/dejacode/about-code-tool/
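As an added example (not nexB's AboutCode code and not from the slides), the following Python reads ABOUT files of the kind the slide describes and produces the two things a compliance process needs from them: an attribution notice and a list of components whose record carries no license. The key: value layout and the field names it uses (about_resource, name, version, owner, license_spdx, copyright) are assumptions modelled on the ABOUT specification, and the two .ABOUT files it writes into a temporary directory are constructed samples.

```python
"""ABOUT-file reader and attribution notice generator (added example, not
nexB's AboutCode code). The slide says only that an ABOUT file is a text
file named *.ABOUT recording a component's origin and license; the
key: value layout and field names used here (about_resource, name, version,
owner, license_spdx, copyright) are assumptions modelled on the spec."""
import os
import tempfile
from typing import Dict, List

REQUIRED_FIELDS = ("about_resource", "name")  # assumed minimum, not the spec's list

# Constructed sample tree: one well-documented component and one with no
# license information, which is the gap a compliance check must catch.
SAMPLE_ABOUT_FILES = {
    "thirdparty/zlib-1.2.8.ABOUT": """\
# constructed sample record
about_resource: zlib-1.2.8.tar.gz
name: zlib
version: 1.2.8
owner: Jean-loup Gailly and Mark Adler
license_spdx: Zlib
copyright: Copyright (C) 1995-2013 Jean-loup Gailly and Mark Adler
""",
    "thirdparty/mystery-lib/mystery.ABOUT": """\
about_resource: .
name: mystery-lib
version: 0.1
""",
}


def parse_about(text: str) -> Dict[str, str]:
    """Parse 'key: value' lines; skip blanks and '#' comments; reject
    duplicate keys, colon-less lines and missing required fields."""
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, _, value = line.partition(":")  # split on the first colon only
        key = key.strip().lower()
        if key in fields:
            raise ValueError(f"duplicate key: {key}")
        fields[key] = value.strip()
    missing = [f for f in REQUIRED_FIELDS if f not in fields]
    if missing:
        raise ValueError(f"missing required fields: {missing}")
    return fields


def write_sample_tree() -> str:
    """Write SAMPLE_ABOUT_FILES under a fresh temp directory; return its path."""
    root = tempfile.mkdtemp(prefix="about-demo-")
    for rel_path, content in SAMPLE_ABOUT_FILES.items():
        path = os.path.join(root, rel_path)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def collect_about_files(root: str) -> List[Dict[str, str]]:
    """Walk the tree and parse every *.ABOUT file (extension matched case-insensitively)."""
    records = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            if name.upper().endswith(".ABOUT"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8") as fh:
                    record = parse_about(fh.read())
                record["_about_path"] = os.path.relpath(path, root)
                records.append(record)
    return records


def components_without_license(records: List[Dict[str, str]]) -> List[str]:
    """Names of components whose ABOUT file documents no license."""
    return sorted(r["name"] for r in records if not r.get("license_spdx"))


def attribution_notice(records: List[Dict[str, str]]) -> str:
    """Render a plain-text notice, one stanza per component, sorted by name."""
    lines = ["THIRD-PARTY SOFTWARE NOTICES", ""]
    for r in sorted(records, key=lambda r: r["name"].lower()):
        lines.append(f"{r['name']} {r.get('version', '')}".rstrip())
        if r.get("owner"):
            lines.append(f"  Owner: {r['owner']}")
        if r.get("copyright"):
            lines.append(f"  {r['copyright']}")
        lines.append(f"  License: {r.get('license_spdx') or 'NOT DOCUMENTED'}")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = collect_about_files(write_sample_tree())
    print(attribution_notice(found))
    gaps = components_without_license(found)
    if gaps:
        print("Components with no documented license:", ", ".join(gaps))
```

Run it directly to print the notice for the sample tree; pointing collect_about_files at a real checkout yields the same notice for its own ABOUT files. The parser rejects malformed lines and duplicate keys instead of guessing, so the notice never silently claims a license that the record did not state, and components_without_license is the check to gate a release on.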

Page 14: Compliance Lifecycle

Page 15: Open Source Software Audit Services

•  Concrete Recommendations
•  Confidentiality
•  nexB Expertise
•  Balanced Approach

Page 16: Glossary / Acronyms

Software Provenance
•  Provenance = Place of source or origin, history of ownership
•  You need to know the origin/author of a component (e.g. Apache Foundation) in order to know the license
•  and how you may have acquired a copy – from a forge or website or a supplier or ?

FOSS: Free and Open Source Software
•  Includes free, but not open source, components like Oracle/Sun Java libraries under the Binary Code License

SPDX: Software Package Data Exchange
•  http://spdx.org/
•  Emerging standard for exchanging software license data

NVD: National Vulnerability Database
•  https://nvd.nist.gov/
•  Repository of standards based vulnerability management data