We’ve moved on from the age-old argument about whether open source software belongs in software development. As we understand it, 70-80% of all software produced is made up of open source components. These components come with licensing requirements, and one that nearly every open source license shares is the need to provide proper copyright attribution to the original authors. This ensures that the creators of the open source software receive recognition for their work, fostering a culture of respect and appreciation within the developer community.
Accurate copyright attribution is not just a matter of legal compliance; it also plays a crucial role in maintaining transparency and trust. By clearly stating the origins of the code being used, software vendors can demonstrate their commitment to ethical practices and open source principles. This transparency can strengthen relationships with customers, partners, and the wider developer community.
Given this context, we’re excited to introduce a new feature in Code Insight that ensures software vendors can include accurate copyright statements in their SBOM reports.
The new feature addresses these needs by automating the extraction and collection of copyright statements during the scanning process. This streamlines the work for software vendors and ensures that the required attributions actually make it into their reports. As a result, users can ship open source components knowing that the attribution requirement of each component’s license is met and that the contributions of the open source community are honored.
How It Works
Revenera’s enhanced scanning process now extracts copyright statements directly from the source files of open source components and, rather than only associating them with individual files as before, isolates them and attaches them to the corresponding open source component (inventory item). Some components, however, have no copyright statement anywhere in the scanned source. A common case is a manifest-only scan, where dependencies are declared in a manifest and fetched from package managers such as npm or NuGet, so their source files are never on disk to be scanned. To cover these, we have run a data-collection exercise that gathers the copyright statements from the original notices declared by the open source developers and delivers them to Code Insight through our Electronic Update system.
The extracted and collected copyright statements are displayed in the new copyright field on each inventory item. This visibility lets software vendors review the statements and include the necessary copyright information in their SBOM reports.
Enhanced SPDX Reports
In addition to displaying copyright information with the inventory items, SPDX reports will now also carry these copyright statements for each reported component. (SPDX 2.x defines a PackageCopyrightText field for exactly this information.) This ensures that the SPDX documents generated with our SCA product carry the attribution that downstream consumers expect.
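The pipeline described under How It Works and the SPDX output above, as an added example written for this post rather than Code Insight’s own code: a small extractor that pulls copyright statements out of scanned files, groups them by inventory item instead of by file, falls back to a notice supplied out of band (standing in for the Electronic Update data) when a manifest-only dependency has no scanned source, and emits the SPDX 2.x tag-value package fields. The regexes are heuristics assumed for the example, and every path, file body, component name and notice below is constructed.

```python
"""Added example, not Code Insight's own code: pull copyright statements out of
scanned files, attach them to inventory items rather than files, fall back to an
out-of-band notice for manifest-only dependencies, and emit SPDX 2.x package
fields. Every path, file body and component name here is constructed."""
import re
from collections import OrderedDict

# Permission-clause boilerplate mentions "copyright" without naming an owner
# (MIT/BSD). Heuristic exclusion list, assumed for this example.
_BOILERPLATE = re.compile(r"copyright\s+(notice|holder|owner|law|license)", re.I)
# A statement starts with the word, a free-standing "(c)" or the glyph; the
# lookbehind stops a call such as pad(c) from counting as a copyright sign.
_STATEMENT = re.compile(r"(\bcopyright\b|(?<!\w)\(c\)|©)", re.I)
_TRAILING_COMMENT = re.compile(r"\s*(\*/|-->|\*+)\s*$")


def extract_copyrights(text):
    """Unique copyright statements in one file body, in file order."""
    found = OrderedDict()
    for line in text.splitlines():
        if _BOILERPLATE.search(line):
            continue
        m = _STATEMENT.search(line)
        if m:
            stmt = _TRAILING_COMMENT.sub("", line[m.start():])
            found.setdefault(re.sub(r"\s+", " ", stmt).strip(), None)
    return [s for s in found if s]


# Constructed scan results (path -> body). src/app.py is first-party code that
# belongs to no inventory item, so its notice must not be reported.
SAMPLE_FILES = {
    "node_modules/left-pad/index.js": (
        "/*\n * Copyright (c) 2016 Jane Doe <jane@example.com>\n"
        " * The above copyright notice shall be included in all copies.\n */\n"
        "function leftPad(s, n, c) { return pad(c) + s; }\n"),
    "node_modules/left-pad/LICENSE": (
        "The MIT License (MIT)\n\nCopyright (c) 2016 Jane Doe <jane@example.com>\n\n"
        "The above copyright notice and this permission notice shall be included.\n"),
    "vendor/mini-json/json.c": "// Copyright 2019-2021 Example Corp.   All rights reserved.\n",
    "vendor/mini-json/json.h": "/* © 2022 Another Contributor */\nint parse(void);\n",
    "src/app.py": "# Copyright 2024 Acme Inc.\n",
}

# Constructed inventory: path prefixes each component owns and, for a dependency
# known only from a manifest, the notice an update feed supplied in lieu of source.
COMPONENTS = OrderedDict([
    ("left-pad", {"version": "1.3.0", "paths": ["node_modules/left-pad/"], "notice": None}),
    ("mini-json", {"version": "2.0.1", "paths": ["vendor/mini-json/"], "notice": None}),
    ("acme-nuget-lib", {"version": "4.2.0", "paths": [],
                        "notice": "Copyright (c) 2015 Acme Components Ltd."}),
    ("unresolved-dep", {"version": "0.9.0", "paths": [], "notice": None}),
])


def component_for(path, components):
    """Inventory item owning a scanned path, or None for first-party files."""
    for name, meta in components.items():
        if any(path.startswith(prefix) for prefix in meta["paths"]):
            return name
    return None


def collect_by_component(files, components):
    """Group statements per inventory item, deduplicated across its files;
    use the out-of-band notice only when the scan found nothing."""
    result = OrderedDict((name, []) for name in components)
    for path, body in files.items():
        name = component_for(path, components)
        if name is None:
            continue
        for stmt in extract_copyrights(body):
            if stmt not in result[name]:
                result[name].append(stmt)
    for name, meta in components.items():
        if not result[name] and meta["notice"]:
            result[name].append(meta["notice"])
    return result


def spdx_package(name, version, copyrights):
    """SPDX 2.x tag-value lines for one package. Multi-line values go in <text>;
    NOASSERTION records that no determination could be made."""
    if not copyrights:
        text = "NOASSERTION"
    elif len(copyrights) == 1:
        text = copyrights[0]
    else:
        text = "<text>" + "\n".join(copyrights) + "</text>"
    spdx_id = "SPDXRef-Package-" + re.sub(r"[^A-Za-z0-9.-]", "-", name)
    return [
        f"PackageName: {name}",
        f"SPDXID: {spdx_id}",
        f"PackageVersion: {version}",
        "PackageDownloadLocation: NOASSERTION",
        "FilesAnalyzed: false",
        f"PackageCopyrightText: {text}",
    ]
```

Two points worth checking in any extractor of this kind. First, the exclusion list matters: MIT and BSD permission clauses contain the word "copyright" on nearly every line, and without the boilerplate filter they would be attached to the component as if they were ownership statements. Second, when a scan finds nothing and no notice was supplied, the SPDX field should read NOASSERTION rather than NONE: NONE asserts that the package has no copyright text, while NOASSERTION says the producer made no determination, which is the honest value for an automated result.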
We’re confident that this new feature will significantly improve the compliance process for our users. By ensuring accurate copyright attribution, we’re helping software vendors honor the work of open source developers and meet their attribution obligations with far less manual effort.
Give this new feature a try and let us know how it enhances your workflow!