nexB - Software Provenance Analysis and Code Audit
© 2014 nexB Inc.
Agenda
• About nexB
  – What nexB does
  – Our experience
• Software Provenance Analysis and Code Audit
  – Software Audit Process
  – Software Audit Tools
  – License Violation Risks & Recent Audit Issues
• Additional Information
  – Why nexB?
  – Contact us
  – Lessons Learned
What nexB does
• Enable component-based software development
  – Software provenance analysis services
  – Software asset management tools
• Software audit services
  – Acquisitions
  – Software product releases
• Active OSS developers
• Expertise in all software IP
About nexB
Our experience is our difference
• nexB recognized by clients as:
  – experts in software origin analysis
  – a fair and trusted intermediary
• nexB identifies issues along with practical remediation steps
• 350+ software audit projects completed to date
Software Audit Process
Software Provenance Analysis and Code Audit
Software Analysis Scope
• Original Code
• Open Source Code
• Commercial Code
Software Analysis Deliverables
• Complete inventory of OSS and third-party components in Development codebase(s)
• Bill of materials for Deployed product components
• Specific Action items and recommended actions for resolution
  – Including possible exposure for older product versions
  – Detailed analysis for copyleft “contamination”
• Checklist of commercial components as input for contract review
Preparation – 1 week (1/2)
• Establish NDA
• Scope audit effort
  – Audit profile (questionnaire)
  – Size of code base: number of files and lines of source code
  – Disclosure of known third-party and open source software
  – Onsite or remote access to the code
• Prepare/agree quote – always fixed fee, no surprises
• Schedule project
License & Origin Analysis – 2 weeks (1/2)
Analysis Activities
• Discovery: scan files for license, copyright and other origin clues
• Identification: match target code to reference code repository for origin and license detection (based on digital “fingerprints”)
• Map Deployed code to Development code to:
  – Validate that we have a complete Development codebase
  – Filter issues based on the effective Deployed/Distributed code
• Analyze software interaction and dependency patterns for copyleft-licensed components as needed
• Additional domain-specific investigations, typically for embedded devices and applications of media codecs
License & Origin Analysis (2/2)
Results
• Software Inventory and Bill(s) of Materials
• Draft Action items & recommendations
Review & Report – 1 week (1/2)
Activities
• Review draft findings with product team
  – Ask product team to respond to each Action item
    • Accept recommended solution or propose another approach
    • Acknowledge & investigate
    • Not a request to fix anything during the audit
  – Incorporate feedback and answers from product team into the Software BOM and Report
• Complete final report
  – Second review cycle with product team
  – Release the report
  – Conference call with you to present findings & answer questions
Review & Report (2/2)
Results
• Final Software Inventory / BOM spreadsheets
• Final Report: narrative with executive summary, project data and summary of the Action items and Responses
Software Audit Tools
• nexB typically uses a combination of tools for a software audit
  – Our own DejaCode™ toolkit is the primary tool
  – Other tools used as needed or as licensed by a customer (open source or commercial)
• Multiple layers of analysis
  – Discovery: direct scan for license and copyright notices
  – Identification: component matching for open source and publicly available third-party components (freeware/proprietary)
  – Analysis of source code and pre-built libraries (binary)
  – Interaction and dependency analysis as needed
• Review and validation by software experts
• All require expert humans to interpret the results!
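As an added illustration of the Discovery and Identification layers listed here and in the License & Origin Analysis activities above (example code written for this page, not nexB's DejaCode toolkit or any nexB code), this Python sketch scans a constructed codebase for license and copyright clues, matches each file's fingerprint against a hypothetical reference index, and restricts copyleft Action items to files that are actually Deployed. All file contents, component names and the reference index are constructed.

```python
import hashlib
import re

# Discovery clues: license phrases and SPDX tags commonly found in file headers.
LICENSE_CLUES = {
    "GPL": re.compile(r"GNU General Public License|SPDX-License-Identifier:\s*GPL", re.I),
    "LGPL": re.compile(r"GNU Lesser General Public License|SPDX-License-Identifier:\s*LGPL", re.I),
    "MIT": re.compile(r"Permission is hereby granted, free of charge|SPDX-License-Identifier:\s*MIT", re.I),
}
COPYRIGHT_RE = re.compile(r"(?:copyright\s*(?:\(c\)|©)?|\(c\)|©)\s*\d{4}[^*\n]*", re.I)
COPYLEFT = {"GPL", "LGPL"}  # licenses whose "contamination" risk needs an Action item

def fingerprint(text):
    """Digital fingerprint of a file: SHA-1 over whitespace-normalized content."""
    return hashlib.sha1(" ".join(text.split()).encode()).hexdigest()

def discover(text):
    """Discovery: license and copyright clues found in the file itself."""
    licenses = sorted(name for name, rx in LICENSE_CLUES.items() if rx.search(text))
    copyrights = [m.group(0).strip() for m in COPYRIGHT_RE.finditer(text)]
    return {"licenses": licenses, "copyrights": copyrights}

def identify(text, reference_index):
    """Identification: match the fingerprint against a reference code repository."""
    return reference_index.get(fingerprint(text))

def build_inventory(dev_codebase, deployed_paths, reference_index):
    """Inventory the Development codebase, mark what is Deployed, and flag
    copyleft findings that matter for the shipped product."""
    inventory = []
    for path, text in sorted(dev_codebase.items()):
        clues, match = discover(text), identify(text, reference_index)
        licenses = set(clues["licenses"]) | ({match["license"]} if match else set())
        inventory.append({
            "path": path,
            "deployed": path in deployed_paths,
            "component": match["component"] if match else "original/unknown",
            "licenses": sorted(licenses),
            "copyrights": clues["copyrights"],
            "copyleft_action_item": bool(licenses & COPYLEFT) and path in deployed_paths,
        })
    return inventory

# Constructed sample (hypothetical): a reference index built from one known release,
# and a development codebase of which only part is deployed.
REFERENCE_INDEX = {
    fingerprint("int util(void) { return 1; }\n"): {"component": "example-util 1.0", "license": "GPL"},
}
DEV_CODEBASE = {
    "src/app.c": "/* Copyright (c) 2014 Example Corp. */\nint main(void) { return util(); }\n",
    "lib/util.c": "int  util(void)\n{\n    return 1;\n}\n",  # header stripped: only the fingerprint tells
    "tools/gen.py": "# Permission is hereby granted, free of charge, ...\nprint('gen')\n",
}
DEPLOYED = {"src/app.c", "lib/util.c"}  # tools/gen.py is build-only, never distributed
```

Running `build_inventory(DEV_CODEBASE, DEPLOYED, REFERENCE_INDEX)` shows why both layers are needed: the stripped `lib/util.c` yields no Discovery clue at all, and only the fingerprint match raises the copyleft Action item.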
License Violation Risks
[Figure: license spectrum chart. The axis runs from "source code available" through "source with limitations (Proprietary)" to "Binary-only (Proprietary)"; the categories labelled are Copyleft, FOSS, Attribution, Free Software and Freeware / Shareware; the examples placed on the chart are GNU GPL, GNU LGPL, MPL, CDDL, BSD, MIT, Apache, EPL, Sun SCSL, Microsoft shared source, many Java libraries and Adobe Reader.]
Recent Audit Issue Examples
• Dependency Issue “Workarounds”
• License violation
Emerging Audit Issue Examples
• Cloud computing and Dual Licensing
• Personal Devices and Application store markets
Why nexB (1/2)
• 100% of our customers are repeat customers and references
• We have a balanced approach
  – Automated code analysis AND analysis by software experts
  – Direct consultation with engineering, management and legal teams
  – Concrete Action items with recommended nexB action resolution
Additional Information
Why nexB (2/2)
• Trusted third party
  – Mitigates confidentiality concerns
  – Enables objective analysis with appropriate consideration of feedback from all parties
Contact us
Contact person: Pierre Lapointe, Customer Care, [email protected], +1 415 287-7643
More information: http://www.nexb.com/