How to Manage Open Source Requirements with AboutCode

How to Manage Open Source Requirements with AboutCode

Agenda• About nexB• Attribution Generation with AboutCode• Q&A

How to Manage Open Source Requirements with AboutCode

About nexB• Our business is software component management with a focus

on managing license compliance risks • Offering

o DejaCode™ - SaaS or on-premiseso Open Source audit serviceso Open Source scanning (ScanCode) and attribution generation tools

(AboutCode)• We are

o Software provenance analysis expertso Active open source developers & Linux Foundation membero Co-founders of SPDX project - http://spdx.org/

How to Manage Open Source Requirements with AboutCode

AboutCode and DejaCodenexB offers two OSS Compliance solutions:• AboutCode for engineering/product teams

o Basic system that can be adapted for any technology platform or language

o Can be integrated into build systemso Open source license – Apache 2.0

• DejaCode for the enterpriseo Enterprise application designed for use by legal, engineering and

business staff across all products and technologieso Import data from any engineering-level system and from external

sources (system of record for product releases)o Subscription for SaaS (or on-premises)

How to Manage Open Source Requirements with AboutCode

AboutCode• nexB created the AboutCode tools to automate OSS compliance

o Based on ABOUT specification v1.0o An ABOUT file documents the origin and license for each component,

usually at the library or directory levelo An ABOUT file = text file with file extension “.ABOUT”o Applicable to any programming language and software development

environmento Extensible for build system integration for advanced automationo Currently offered as command line tools

• Written in Python and licensed under Apache 2.0• Code and specification available at

https://github.com/dejacode/about-code-tool

How to Manage Open Source Requirements with AboutCode

AboutCode Compliance Lifecycle

How to Manage Open Source Requirements with AboutCode

ABOUT File ExampleA text file in tag / value format:httpd-2.4.3.tar.gz.aboutname: Apache HTTP Serverhome_url: http://httpd.apache.orgdownload_url: http://apache.belnet.be//httpd/httpd2.4.3.tar.gzversion: 2.4.3date: 2012-08-21license: apache-2.0license_file: httpd-2.4.3.tar.gz/LICENSEcopyright: Copyright 2012 The Apache Software Foundation.notice_file: httpd-2.4.3.tar.gz/NOTICE

How to Manage Open Source Requirements with AboutCode

AboutCode tools• Create ABOUT files inside a codebase from a Software BOM or

Inventory file (spreadsheet or other)• Create a Software BOM or Inventory file (spreadsheet or other)

from ABOUT files in the codebase• Generate an Attribution Notices file

o Text file organized by copyright/license notice and componento Default text or HTML format

• Generate a Source Code Redistribution package list

How to Manage Open Source Requirements with AboutCode

AboutCode Demonstration• Example based on e2fsprogs project

o Package included in most Linux distributions o Set of utilities under different licenses

• Software Inventory file to create ABOUT files• ABOUT files as created• Generated Attribution Notice

9

How to Manage Open Source Requirements with AboutCode

Questions

How to Manage Open Source Requirements with AboutCode

ContactsnexB Inc. http://www.nexb.com/ http://www.dejacode.com/http://www.aboutcode.org/

Pierre Lapointeplapointe@nexB.com +1 415 287 7643