nexB - Software Provenance Analysis and Code Audit © 2014 nexB Inc.

nexB - Software audit for product release



As the use of open source software components grows across all industry supply chains, more customers are asking their suppliers to:
- Provide detailed information about the open source content of supplier products, and
- Proactively fulfill all attribution or software redistribution obligations associated with the open source components.
nexB offers a wide range of professional services to help software organizations identify and comply with software license obligations for open source and other third-party components. See http://www.nexb.com/services.html


Page 1: nexB - Software audit for product release


Page 2

Agenda
• About nexB
  – What nexB does
  – Our experience
• Software Provenance Analysis and Code Audit
  – Software Audit Process
  – Software Audit Tools
  – License Violation Risks & Recent Audit Issues
• Additional Information
  – Why nexB?
  – Contact us
  – Lessons Learned

Page 3

What nexB does
• Enable component-based software development
  – Software provenance analysis services
  – Software asset management tools
• Software audit services
  – Acquisitions
  – Software product releases
• Active OSS developers
• Expertise in all software IP

About nexB

Page 4

Our experience is our difference
• nexB recognized by clients as:
  – experts in software origin analysis
  – a fair and trusted intermediary
• nexB identifies issues along with practical remediation steps
• 350+ software audit projects completed to date


Page 5

Software Audit Process

Software Provenance Analysis and Code Audit

Page 6

Software Analysis Scope

[Figure: the three categories of code in scope for the analysis]
• Original Code
• Open Source Code
• Commercial Code

Software Provenance Analysis and Code Audit

Page 7

Software Analysis Deliverables
• Complete inventory of OSS and third-party components in Development codebase(s)
• Bill of materials for Deployed product components
• Specific Action items and recommended actions for resolution
  – Including possible exposure for older product versions
  – Detailed analysis for copyleft "contamination"
• Checklist of commercial components as input for contract review


Page 8

Preparation – 1 week (1/2)
• Establish NDA
• Scope audit effort
  – Audit profile (questionnaire)
  – Size of code base: number of files and lines of source code
  – Disclosure of known third-party and open source software
  – Onsite or remote access to the code
• Prepare/agree quote: always fixed fee, no surprises
• Schedule project


Page 9

License & Origin Analysis – 2 weeks (1/2)

Analysis Activities
• Discovery: scan files for license, copyright and other origin clues
• Identification: match target code to a reference code repository for origin and license detection (based on digital "fingerprints")
• Map Deployed code to Development code to:
  – Validate that we have a complete Development codebase
  – Filter issues based on the effective Deployed/Distributed code
• Analyze software interaction and dependency patterns for copyleft-licensed components as needed
• Additional domain-specific investigations, typically for embedded devices and applications using media codecs


Page 10

License & Origin Analysis (2/2)

Results
• Software Inventory and Bill(s) of Materials
• Draft Action items & recommendations


Page 11

Review & Report – 1 week (1/2)

Activities
• Review draft findings with product team
  – Ask product team to respond to each Action item
    • Accept recommended solution or propose another approach
    • Acknowledge & investigate
    • Not a request to fix anything during the audit
  – Incorporate feedback and answers from product team into the Software BOM and Report
• Complete final report
  – Second review cycle with product team
  – Release the report
  – Conference call with you to present findings & answer questions


Page 12

Review & Report (2/2)

Results
• Final Software Inventory / BOM spreadsheets
• Final Report: narrative with executive summary, project data and summary of the Action items and Responses


Page 13

Software Audit Tools
• nexB typically uses a combination of tools for a software audit
  – Our own DejaCode™ toolkit is the primary tool
  – Other tools used as needed or as licensed by a customer (open source or commercial)
• Multiple layers of analysis
  – Discovery: direct scan for license and copyright notices
  – Identification: component matching for open source and publicly available third-party components (freeware/proprietary)
  – Analysis of source code and pre-built libraries (binary)
  – Interaction and dependency analysis as needed
• Review and validation by software experts
• All require expert humans to interpret the results!
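The Discovery and Identification layers listed on this slide, and the Deployed-to-Development mapping from the License & Origin Analysis step, as an added example written for this page. It is not DejaCode or any other nexB tool. The sample Development codebase, the Deployed file list and the reference index are all constructed inline, and a whole-file SHA-256 over whitespace-normalized content stands in for the finer-grained fingerprints that real component matching uses; the license clue patterns are a deliberately small subset.

```python
"""Toy license/origin audit: discovery, fingerprint identification, and
Deployed-vs-Development mapping. Added example, not nexB's own code."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample Development codebase: path -> file contents.
DEV_CODEBASE: Dict[str, str] = {
    "src/app/main.c": (
        "/* Copyright (c) 2014 Example Corp. All rights reserved. */\n"
        "int main(void) { return 0; }\n"
    ),
    "src/vendor/zlib/inflate.c": (
        "/* inflate.c -- zlib decompression\n"
        " * Copyright (C) 1995-2013 Mark Adler\n"
        " * For conditions of distribution and use, see copyright notice in zlib.h */\n"
    ),
    "src/vendor/json/parser.c": (
        "// SPDX-License-Identifier: GPL-2.0-or-later\n"
        "// Copyright (C) 2012 Jane Doe\n"
    ),
    "src/util/strbuf.c": '/* Licensed under the Apache License, Version 2.0 (the "License"); */\n',
    "src/util/unknown.c": "static int helper(void) { return 1; }\n",
}

# Constructed list of files that actually ship in the Deployed product.
DEPLOYED_FILES: Set[str] = {
    "src/app/main.c",
    "src/vendor/zlib/inflate.c",
    "src/vendor/json/parser.c",
    "src/util/unknown.c",
    "src/platform/hal.c",  # shipped, but absent from the Development codebase above
}

# Discovery clues: a small, constructed subset of notice patterns -> license key.
LICENSE_CLUES: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"GNU (?:Lesser|Library) General Public License"), "LGPL"),
    (re.compile(r"GNU General Public License"), "GPL"),
    (re.compile(r"Apache License,? Version 2\.0"), "Apache-2.0"),
    (re.compile(r"Permission is hereby granted, free of charge"), "MIT"),
    (re.compile(r"Redistribution and use in source and binary forms"), "BSD"),
]
SPDX_RE = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+-]+)")
COPYRIGHT_RE = re.compile(r"Copyright[^\n]*")
COPYLEFT_PREFIXES = ("GPL", "LGPL", "AGPL", "MPL", "CDDL")


def fingerprint(text: str) -> str:
    """Whole-file digest of whitespace-normalized content (toy stand-in for a
    real matching fingerprint; it misses partial copies and edited files)."""
    return hashlib.sha256(" ".join(text.split()).encode("utf-8")).hexdigest()


# Constructed reference index: fingerprint -> (component, declared license).
REFERENCE_INDEX: Dict[str, Tuple[str, str]] = {
    fingerprint(DEV_CODEBASE["src/vendor/zlib/inflate.c"]): ("zlib 1.2.8", "Zlib"),
}


@dataclass
class Finding:
    path: str
    deployed: bool
    licenses: List[str] = field(default_factory=list)
    copyrights: List[str] = field(default_factory=list)
    component: Optional[str] = None
    actions: List[str] = field(default_factory=list)

    @property
    def copyleft(self) -> bool:
        return any(lic.upper().startswith(COPYLEFT_PREFIXES) for lic in self.licenses)


def discover(path: str, text: str, deployed: bool) -> Finding:
    """Discovery layer: collect SPDX tags, notice phrases and copyright lines."""
    f = Finding(path=path, deployed=deployed)
    f.licenses.extend(m.group(1) for m in SPDX_RE.finditer(text))
    for pattern, key in LICENSE_CLUES:
        if pattern.search(text) and key not in f.licenses:
            f.licenses.append(key)
    f.copyrights = [m.group(0).rstrip(" */").strip() for m in COPYRIGHT_RE.finditer(text)]
    return f


def identify(f: Finding, text: str, index: Dict[str, Tuple[str, str]]) -> None:
    """Identification layer: match the file fingerprint against the reference index."""
    hit = index.get(fingerprint(text))
    if hit:
        f.component, declared = hit
        if declared not in f.licenses:
            f.licenses.append(declared)


def audit(codebase: Dict[str, str], deployed: Set[str], index: Dict[str, Tuple[str, str]]) -> List[Finding]:
    """Run both layers, then raise Action items only where they matter for shipped code."""
    findings = []
    for path, text in codebase.items():
        f = discover(path, text, path in deployed)
        identify(f, text, index)
        if f.copyleft and f.deployed:
            f.actions.append("copyleft component is distributed: review obligations")
        if not f.licenses and not f.copyrights:
            f.actions.append("no license or copyright clue: confirm origin with the product team")
        findings.append(f)
    # Deployed -> Development mapping: anything shipped but not in the codebase
    # means the Development codebase handed to the audit is incomplete.
    for path in sorted(deployed - set(codebase)):
        findings.append(Finding(path=path, deployed=True,
                                actions=["deployed file not in Development codebase: obtain its source"]))
    return findings


if __name__ == "__main__":
    for f in audit(DEV_CODEBASE, DEPLOYED_FILES, REFERENCE_INDEX):
        print(f.path, f.component or "-", f.licenses, "deployed" if f.deployed else "dev-only", f.actions)
```

Note what the filtering step buys: the Apache-licensed file is flagged as permissive but raises nothing because it never ships, the GPL file raises an Action item because it does, and the file with no clues at all is surfaced for the product team rather than silently counted as original code. The shipped file missing from the codebase is exactly the "complete Development codebase" check the process slide describes.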


Page 14

License Violation Risks

[Figure: spectrum of license types, from source code available to binary-only; labels recovered from the slide]
• Source code available (FOSS / Free Software)
  – Copyleft: GNU GPL, GNU LGPL, MPL, CDDL
  – Attribution: BSD, MIT, Apache, EPL
• Source with limitations (Proprietary): many Java libraries, Microsoft shared source, Sun SCSL
• Binary-only (Proprietary), Freeware / Shareware: Adobe Reader

Page 15

Recent Audit Issue Examples
• Dependency Issue "Workarounds"
• License violation


Page 16

Emerging Audit Issue Examples
• Cloud computing and Dual Licensing
• Personal Devices and Application store markets


Page 17

Why nexB (1/2)
• 100% of our customers are repeat customers and references
• We have a balanced approach
  – Automated code analysis AND analysis by software experts
  – Direct consultation with engineering, management and legal teams
  – Concrete Action items, each with a recommended resolution

Additional Information

Page 18

Why nexB (2/2)
• Trusted third party
  – Mitigates confidentiality concerns
  – Enables objective analysis with appropriate consideration of feedback from all parties


Page 19

Contact us

Contact person: Pierre Lapointe, Customer Care, [email protected], +1 415 287-7643

More information:

http://www.nexb.com/
