June Newsletter: The Latest Buzz in Software Composition Analysis Professional Services

In The News

Software Composition Analysis Certification for Legal Professionals

Log4j: Come out, come out wherever you are!

Spring4Shell: Deep breath. Don’t panic. Mitigate.

Field Notes: Understanding GPL Linking Exceptions

The Legal Side of Compliance and Security in M&A and Software Auditing (Panel Discussion)

Trends

2021 – 2022 Audit Results:

  • Lines of code audited in 2021 – ~3 Billion
  • Priority Issues
    • Priority 1 – items containing Copyleft/Viral Style licenses such as: Affero General Public License, General Public License, Lesser General Public License, Common Development and Distribution License, Mozilla Public License, Eclipse Public License (4.1%)
    • Priority 2 – items containing lesser known/less common open source licenses or “vanity/strange” licenses, Commercial Licenses, items with no known license/Unknown license (2.5%)
    • Priority 3 – items containing permissive style licenses; typically requiring a simple attribution in the product or documentation: BSD, MIT, Apache, Public domain (92.5%)*
    • Priority 4 – items containing dual/tri licenses with viral license and permissive license options: jQuery-MIT or GPL (0.9%)

*The majority of the Priority 3 items originate from various types of dependency packages such as Node Modules, PyPI, Go, etc.

  • Known vs. Unknown/Undisclosed OSS Uncovered
    • Known/Disclosed – 5.6%
    • Unknown/Undisclosed – 94.4%
    • On average, codebases were made up of ~68.8% open source. Overall, companies are still struggling to understand what goes into their code. The only way to truly know what makes up a codebase, and to produce a complete and accurate SBOM, is to conduct a thorough audit analysis.
  • Baseline Audits vs. M&A Audits
    • Internal Baseline Audit – Revenera will get you to a secure and compliant state by identifying all major open source and commercial components in your applications, and report on evidence of copyright detection, license detection, exact file matches to known open source content, and email/URL detection in both source code and binary files. At the end of the engagement Revenera can either produce a report with a complete and accurate SBOM or load similar results into the customer’s installation of Code Insight. The most common situations for requesting a baseline audit: IP litigation, supplier code, key development milestones, open source projects. Requires a 2-way NDA. Data retention likely for future incremental scans. Multiple phases possible.
    • M&A Audit – Revenera’s software and audit teams serve as an independent third party to help your business, legal, security, and engineering teams. At the end of the engagement Revenera will produce a report with a complete and accurate SBOM that can be used during the M&A due diligence process. The most common situations for requesting an M&A audit: M&A, divestiture, investment. Requires a 3-way NDA. Data retention possible, but unlikely.
  • In 2021 and early 2022 we saw increased demand for Forensic Audits (snippet analysis).
  • Almost every codebase contains 3rd party dependencies – Node Modules, PyPI, Golang packages, Ruby Gems.
  • Increase in statically typed languages, such as Golang and Rust, and their package management tools.
  • Significant rise in deployment scripts and build systems built from recipes (Helm, Chef, Dockerfiles, etc.).
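As an added illustration of the four priority tiers above (example code, not Revenera's or the audit team's own tooling), the Python below buckets SBOM entries by SPDX-style license expression, treating an "OR" choice between a copyleft and a permissive option as Priority 4; the license lists and the sample SBOM are constructed assumptions, not a complete license database.

```python
import re

# Illustrative subset of SPDX identifiers per tier (an assumption; a real
# audit uses a full license database plus human review of the evidence).
COPYLEFT = {"AGPL-3.0-only", "GPL-2.0-only", "GPL-3.0-only", "LGPL-2.1-only",
            "CDDL-1.0", "MPL-2.0", "EPL-2.0"}
PERMISSIVE = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "Unlicense"}
UNKNOWN_MARKERS = {"", "NOASSERTION", "NONE", "UNKNOWN"}

def _tier(license_id):
    """Single license -> 1 (copyleft), 3 (permissive) or 2 (unknown/other)."""
    if license_id in COPYLEFT:
        return 1
    if license_id in PERMISSIVE:
        return 3
    return 2

def classify(expression):
    """Return the audit priority (1-4) of an SPDX-style license expression."""
    expr = (expression or "").strip()
    if expr.upper() in UNKNOWN_MARKERS:
        return 2  # no known license: Priority 2
    # "A OR B" is a choice: the consumer may take either side.
    options = re.split(r"\s+OR\s+", expr, flags=re.IGNORECASE)
    tiers = set()
    for option in options:
        # "A AND B" means both apply, so the strictest (lowest) tier wins.
        parts = re.split(r"\s+AND\s+", option, flags=re.IGNORECASE)
        tiers.add(min(_tier(p.strip("() ")) for p in parts))
    if len(options) > 1 and 1 in tiers and 3 in tiers:
        return 4  # dual/tri license offering both copyleft and permissive
    return min(tiers)

def summarize(components):
    """Map tier -> (count, percentage) for a list of (name, expression)."""
    counts = {tier: 0 for tier in (1, 2, 3, 4)}
    for _, expression in components:
        counts[classify(expression)] += 1
    total = len(components) or 1
    return {t: (n, round(100.0 * n / total, 1)) for t, n in counts.items()}

# Constructed sample SBOM entries, not real audit data.
SAMPLE_SBOM = [
    ("left-pad", "MIT"), ("requests", "Apache-2.0"), ("readline", "GPL-3.0-only"),
    ("jquery-1.x", "MIT OR GPL-2.0-only"), ("vendor-blob", "NOASSERTION"),
    ("mixed", "Apache-2.0 AND LGPL-2.1-only"), ("odd-lib", "Some-Vanity-License"),
    ("toolkit", "BSD-3-Clause"),
]
if __name__ == "__main__":
    for tier, (count, pct) in sorted(summarize(SAMPLE_SBOM).items()):
        print(f"Priority {tier}: {count} components ({pct}%)")
```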

Need Help?

Mergers & Acquisitions

While Merger and Acquisition (M&A) events create opportunities for both buyers and sellers, they also present challenges, particularly around Intellectual Property (IP) integrity. Open source software due diligence to protect a company’s IP should be a standard process in all M&A efforts. Revenera provides professional audit services to minimize risk and accelerate decision-making during M&A transactions.

  • Join us for an upcoming Open Source Exchange on June 28th. A panel of experts will discuss:
    • Typical M&A relative to compliance and security
    • The role of open source software audits in due diligence events
    • The evolution of open source licenses
  • Are you a legal professional? Take this course intended for legal counsel to acquire Revenera certification for Open Source Software (OSS) use within internal applications, for M&A and other due diligence efforts, and in product development and distribution.
  • Contact us if you have questions about our M&A audit services.

Open Source Audits

Revenera’s team of auditors has examined tens of thousands of software projects over the past 15+ years while helping customers understand the composition of their source code, both open source licenses and obligations and open source security issues.

Check out our data sheet and feel free to contact our team of auditors if you have questions.
