Open Source licenses require management and not just tracking.
xGPL license is the 3rd most popular license in use. Alerting or blocking all xGPL licenses will be hard to manage and very costly to avoid/replace.
The best way is to implement an Open Source management program based on 4 main pillars: Written open source policy, open source use process, SCA tool (not necessarily a commercial one), and Training.
The policy should define the licenses approved for use based on the actual use case (internal/saas/distribute).
The process should clear the actions for open source selection, use, modification, update, etc.
The tool should allow visibility of all open source components in all stages (plan, dev, production, etc) with alerts on policy violations.
The training should cover policy, process, and tool usability - it is mainly for the developers.
The management program needs to be operated by an open source program officer who will be supported by legal, information security & software architects.
When a company doesn’t have the relevant competencies to manage open source internally they need to have on their side a trusted experienced advisor who knows how to do it effectively.
There are best practice standards for open source management like ISO5230 and its security assurance extension.
We have used the following tools and they work well in giving a detailed licensing posture for open-source libraries - WhiteSource/Mend and CAST HL. Both of them give what licenses are in use and whether they are risky or ok to use.
For example, GPL license is always risky and it flags its usage in RED.
Recent example around this:
"Vocal deepfake generator Voice AI Inc is accused of stealing GPL and LGPL code—by using it in violation of the licenses. Notably, the company doesn’t make available the source code of its product, as required by the GPL.
Voice.ai has been found to have violated the terms of the GPLv3 and LGPLv2.1 licenses in its software. In short, they’ve been packaging the open-source libraries that enable the software without adhering to their [license] terms.
The company had integrated code from Praat, a widely-used open-source speech analysis software, and libgcrypt, a cryptographic library, in its proprietary software without releasing the source code of its software or providing proper attribution."
The best way to track free and open source software (FOSS) license compatibility is with a software license compatibility tool or a software composition analysis tool. It may depend on your budget and the size of your dev environment.
Another option is a license compatibility matrix. These solutions give you a view of FOSS compatibility with each other and help you figure out the various software components, that are under different licenses, that you can use together in a project. Possibilities include SPDX license list, Tidelift license finder, and FOSSology.
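The two answers above describe a policy that approves licenses per use case (internal/saas/distribute), a tool that alerts on violations, and a compatibility matrix. The following is an added illustration, not code from the original thread or from any of the tools named; the policy contents, the incompatibility table and the inventory are constructed samples keyed on SPDX identifiers.

```python
# Constructed policy checker: approved licenses per use case plus a small
# pairwise incompatibility table. The policy is an illustrative sample,
# not a legal recommendation.
from itertools import combinations

USE_CASES = ("internal", "saas", "distribute")

# Assumed sample policy: strong copyleft is fine for internal-only use, GPL is
# tolerated for SaaS (no distribution), and only permissive/weak-copyleft
# licenses are approved in a distributed proprietary product.
APPROVED = {
    "internal": {"MIT", "Apache-2.0", "BSD-3-Clause", "LGPL-2.1-only",
                 "GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"},
    "saas": {"MIT", "Apache-2.0", "BSD-3-Clause", "LGPL-2.1-only",
             "GPL-2.0-only", "GPL-3.0-only"},
    "distribute": {"MIT", "Apache-2.0", "BSD-3-Clause", "LGPL-2.1-only"},
}

# Unordered pairs of licenses that cannot be combined in one program.
INCOMPATIBLE = {
    frozenset({"GPL-2.0-only", "Apache-2.0"}),
    frozenset({"GPL-2.0-only", "GPL-3.0-only"}),
}

def check_policy(components, use_case):
    """Return (name, license) for each component whose SPDX id is not
    approved for the given use case. An unknown use case is a hard error."""
    if use_case not in APPROVED:
        raise ValueError(f"unknown use case: {use_case}")
    approved = APPROVED[use_case]
    return [(c["name"], c["license"]) for c in components
            if c["license"] not in approved]

def check_compatibility(components):
    """Return sorted (license_a, license_b) pairs present in the inventory
    that the matrix marks as incompatible with each other."""
    present = sorted({c["license"] for c in components})
    return [(a, b) for a, b in combinations(present, 2)
            if frozenset({a, b}) in INCOMPATIBLE]

# Constructed inventory mimicking an SCA export: name + SPDX identifier.
INVENTORY = [
    {"name": "libfoo", "license": "MIT"},
    {"name": "speechlib", "license": "GPL-3.0-only"},
    {"name": "cryptolib", "license": "LGPL-2.1-only"},
    {"name": "http-client", "license": "Apache-2.0"},
    {"name": "old-parser", "license": "GPL-2.0-only"},
]

if __name__ == "__main__":
    for uc in USE_CASES:
        print(uc, "policy violations:", check_policy(INVENTORY, uc))
    print("incompatible pairs:", check_compatibility(INVENTORY))
```

Run against a real SCA export, the same inventory passes for internal and SaaS use but flags both GPL components for a distributed product, and the compatibility check fires independently of use case.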
When you say centralized view, do you mean different testing categories which should be looked at for matured software development? If yes, sharing my views on important ones.
1. Functional Testing (either using open source frameworks like Playwright, Cypress, and Selenium or using a platform approach like Katalon, Tricentis, SmartBear).
2. Performance and Load Testing
3. Chaos Engineering
4. Security Testing which includes SCA, SAST, DAST, checking IaC scripts, checking K8s clusters, docker images
5. Accessibility Testing to comply with WCAG guidelines
6. API testing
The duration of SCA scanning is going to vary depending on things like the size and complexity of the application being scanned, the depth of the analysis required, and the capabilities and performance of the SCA tool being used. That last piece can be crucial and is a good reason to do a PoC or at least some trial runs of any solution you are considering.
In general, an SCA scan can take anywhere from a few seconds to several hours or even days, depending on the size of the codebase and the scope of the analysis. However, many SCA tools are designed to optimize their performance and reduce scanning times by focusing on critical vulnerabilities first, performing incremental scans, and providing parallelization capabilities.
Speed can also depend on the stage at which you're scanning. IDE scanning is generally going to be the fastest. Shared pipeline scans will take longer and full production scans are going to take the longest.
Obviously, speed is important, but fast without accuracy isn't going to do the job, so that's another aspect to keep in mind. Over time, the number of false positives should decrease as your devs learn better coding practices and you learn to configure your scanner for your particular environment.