managing open source software license compliance with dejacode

Copyright 2015 nexB Inc. Managing open source software license compliance with DejaCode June 2015

Upload: nexb-inc

Post on 07-Aug-2015

Category:

Business



TRANSCRIPT

Copyright 2015 nexB Inc.

Managing open source software license compliance with DejaCode

June 2015


Agenda

• About nexB

• Software Component Management

• DejaCode

• Trial

• Identification as a Service

- DejaCode is a Trademark of nexB Inc.


About nexB

• Our business is software component management

o Current focus on managing license compliance risks

o Primary product is an enterprise system for tracking all software components in your products

o Plus practical solutions for integrating software engineering systems with enterprise systems

• We offer:

o DejaCode™ - SaaS or on-premises

o Open Source discovery and identification services (a.k.a. software audit, scanning) for products and acquisitions

o Open Source scanning and attribution generation tools

• We are:

o Software provenance analysis experts

o Active open source developers & Linux Foundation member

o Co-founders of SPDX project - http://spdx.org/


Software Component Data Management

• Most companies have software component data in many formats in many places, without an approval process for third-party code

o Components in Version Control systems and Repos

o Reports from internal and/or external software audits

o FOSS disclosures from suppliers

o Contracts for proprietary components

Page Content Copyright 2010 by Linux Foundation


Software Component Data Management

• Organizing and sharing software component data is becoming a bigger problem than acquiring it

• nexB created DejaCode to address this problem

o Import data from any system or source

o Manage data by Product with approval workflows

o Automate compliance with FOSS obligations


DejaCode

• Product Portfolio

• Component Catalog

• License Library


DejaCode - Product Portfolio

• Record a Software Inventory for a Development codebase

• Record a Software Bill of Materials for a Product Release

• A Software Inventory or BOM can include:

o Your original components

o Third-party components

o FOSS components

• Import data from software audits or source code management systems


DejaCode - Component Catalog

• Catalog of open source, third-party and other software components

• Data includes: origin, author, license, URLs, language, functionality, usage, etc.

• Apply your policies to components – Approved, Prohibited or Review Required

• nexB provides and updates master data from public sources (e.g. OSS and free proprietary)

• You can add your own component data elements


DejaCode - License Library

• Library of open source and other software licenses

• Data includes full license text, author, URLs, definition of obligations, restrictions and other terms

• Apply your policies to licenses – Approved, Prohibited or Review Required

• nexB provides and updates master data from public sources (e.g. OSS and free proprietary)

• You can add your own license data elements


DejaCode - Technology

• Browser-based application

• Written in Python on the Django framework

• PostgreSQL database

• Runs on Linux (Ubuntu as primary distro)


Trial

• Delivered as a Service with your “private” database

o http://www.dejacode.com/

o Pricing: Four subscription options - http://www.dejacode.com/pricing.html

• On-premises option

• 30 Day trial - http://www.dejacode.com/trial.html

• Free personal edition to view DejaCode component and license data

o https://enterprise.dejacode.com/

o No registration required

• Contact: Pierre Lapointe, Customer Care Manager

[email protected] / +1 (415) 287-7643


nexB: Identification as a Service

• Comprehensive process

o Inventory of all OSS and third-party components in Development codebase(s)

o Bill of Materials for Deployed product components

• Combination of tools

o ScanCode (primary tool)

o Other tools used as required by a customer (open source or commercial)

• 2 to 4 week process, fixed fee quote

• We identify specific Issues and recommended Actions for resolution


Glossary / Acronyms

• Software Provenance:

o Provenance = Place of source or origin, history of ownership

o You need to know the origin/author of a component (e.g. Apache Foundation) in order to know the license

o and how you may have acquired a copy – from a forge or website or a supplier or ?

• FOSS: Free and Open Source Software

o Includes free, but not open source, components like Oracle/Sun Java libraries under the Binary Code License

• SPDX: Software Package Data Exchange

o http://spdx.org/

o Emerging standard for exchanging software license data

o Sponsored by Linux Foundation
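The deck ties three things together without showing how they meet in practice: a Bill of Materials per product release, an Approved / Prohibited / Review Required policy applied to licenses, and SPDX as the exchange format for license data. The script below is an added example, not DejaCode or nexB code, of a release gate built on those ideas. It reads an SPDX 2.x tag-value document, evaluates each package's concluded license expression against a policy table, and blocks the release unless every package is Approved. Operator semantics follow the obligations: AND means you must satisfy every operand, so the worst status wins; OR means you may pick one, so the best status wins; a WITH exception keeps the base license's status; NOASSERTION or any identifier the policy does not know drops to Review Required rather than silently passing. The policy table, the package names, versions and the document itself are constructed for illustration.

```python
import re

# Hypothetical policy keyed by SPDX license identifier (an assumption, not nexB data).
POLICY = {"MIT": "Approved", "Apache-2.0": "Approved", "BSD-3-Clause": "Approved",
          "LGPL-2.1-only": "Review Required",
          "GPL-2.0-only": "Prohibited", "AGPL-3.0-only": "Prohibited"}
# Severity order: AND yields the worst operand, OR the best (the integrator may choose).
RANK = {"Approved": 0, "Review Required": 1, "Prohibited": 2}
STATUS = {rank: name for name, rank in RANK.items()}

# Constructed SPDX 2.x tag-value document; package names and versions are made up.
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.1
PackageName: fastjson
PackageVersion: 1.2.0
PackageLicenseConcluded: MIT
PackageDownloadLocation: https://example.org/fastjson
PackageName: dualcore
PackageVersion: 3.1
PackageLicenseConcluded: (GPL-2.0-only OR Apache-2.0)
PackageName: netlib
PackageVersion: 0.9
PackageLicenseConcluded: LGPL-2.1-only AND BSD-3-Clause
PackageName: mystery-blob
PackageVersion: 2.4
PackageLicenseConcluded: NOASSERTION
"""

def license_rank(license_id):
    """NOASSERTION and anything unknown to the policy are ranked Review Required."""
    return RANK[POLICY.get(license_id, "Review Required")]

class _Parser:  # recursive-descent evaluator for SPDX expressions; AND binds tighter than OR
    def __init__(self, expression):
        self.tokens = re.findall(r"\(|\)|[A-Za-z0-9.+-]+", expression)
    def peek(self):
        return self.tokens[0] if self.tokens else None
    def take(self):
        return self.tokens.pop(0) if self.tokens else None
    def expr(self):  # expr := term (OR term)*  -> best (lowest) rank wins
        rank = self.term()
        while self.peek() and self.peek().upper() == "OR":
            self.take()
            rank = min(rank, self.term())
        return rank
    def term(self):  # term := factor (AND factor)*  -> worst (highest) rank wins
        rank = self.factor()
        while self.peek() and self.peek().upper() == "AND":
            self.take()
            rank = max(rank, self.factor())
        return rank
    def factor(self):  # factor := '(' expr ')' | LICENSE [WITH EXCEPTION]
        tok = self.take()
        if tok == "(":
            rank = self.expr()
            if self.take() != ")":
                raise ValueError("unbalanced parentheses")
            return rank
        if tok is None or tok.upper() in (")", "AND", "OR", "WITH"):
            raise ValueError("malformed license expression")
        rank = license_rank(tok)
        if self.peek() and self.peek().upper() == "WITH":  # exception keeps the base status
            self.take()
            if self.take() is None:
                raise ValueError("WITH without an exception identifier")
        return rank

def evaluate_policy(expression):
    """Return Approved, Review Required or Prohibited for one SPDX license expression."""
    parser = _Parser(expression)
    rank = parser.expr()
    if parser.peek() is not None:
        raise ValueError("trailing tokens in %r" % expression)
    return STATUS[rank]

def parse_spdx_packages(text):
    """Collect name, version and concluded license for each package in a tag-value document."""
    packages, current = [], None
    for line in text.splitlines():
        if ":" not in line or line.lstrip().startswith("#"):
            continue
        tag, value = (part.strip() for part in line.split(":", 1))  # split once: URLs hold ':'
        if tag == "PackageName":
            current = {"name": value, "version": "", "license": "NOASSERTION"}
            packages.append(current)
        elif current and tag in ("PackageVersion", "PackageLicenseConcluded"):
            current["version" if tag == "PackageVersion" else "license"] = value
    return packages

def check_bom(text):
    """Return (name, version, license expression, policy status) for each package."""
    return [(p["name"], p["version"], p["license"], evaluate_policy(p["license"]))
            for p in parse_spdx_packages(text)]

def release_gate(text):
    """A release passes only when every package is Approved; items awaiting review block it too."""
    return all(status == "Approved" for _, _, _, status in check_bom(text))

if __name__ == "__main__":
    print(*check_bom(SAMPLE_SPDX), "gate passes: %s" % release_gate(SAMPLE_SPDX), sep="\n")
```

On the constructed document the gate is blocked: fastjson and dualcore come out Approved (the OR lets you take Apache-2.0), while netlib and mystery-blob land in Review Required. A malformed expression raises rather than defaulting to Approved, which is the failure mode to avoid in a compliance gate.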