FOSSID’s audit services provide you with accurate and timely open source analysis with the highest confidentiality. Our team of experts performs trustworthy audits thanks to years of experience as well as our range of tools for open source scanning and vulnerability detection based on the most extensive open source knowledge base on the market.
What Do You Get?
Open Source Software Audit includes the examination and verification of open source components that reside in the analysed code base, even if they are not declared in package manifests. The output of the audit includes a range of comprehensive reports:
Open Source Inventory or Bill of Materials (BoM)
A list of 3rd party open source components (including binaries, files and even code snippets) and the corresponding software licenses and copyright holders. This report is generated according to the Software Package Data Exchange (SPDX) specification.
License Obligations & IP Issues
An exhaustive description of the license obligations attached to the open source inventory in a human readable format, as well as the outstanding IP issues found during the audit process: from potential license propagation and license incompatibility to patent retaliation and DRM removal.
Security Vulnerabilities
A detailed list of security vulnerabilities and exposures (CVEs) affecting the open source inventory, along with enhanced information such as severity scores, impact ratings and, where available, fix information.
Risk & Cost Analysis
This analysis helps you understand and manage potential liabilities associated with the open source components included in the analysed software. It provides you with a risk and cost assessment of the components based on a collection of informed intelligence about the community behind them (e.g. number of contributors and contributions, issue tracking statistics, response time, etc.).
Furthermore, our team of experts will typically deliver not only this set of comprehensive reports as the result of the analysis, but also all the knowledge acquired during the process, which will help your organization handle similar situations in the future.
How Long Does It Take?
Because we understand that time is critical, we can start audits immediately after the first contact. The scope and depth of the analysis depend on the time available, and range from open source inventory and outstanding IP issues to security vulnerabilities and risk analysis.