As open source software has become more pervasive, so have the tools that promise to scan and audit the code for compliance. But the sources and complexities inherent in these code bases have only gotten more difficult to assess.
That’s why we’ve sourced 10 tips for evaluating code scanning tools from compliance expert Ibrahim Haddad’s Linux Foundation paper “Open Source Compliance in the Enterprise.”
- Size the knowledge base against which scanned code is being compared. There are trillions of lines of open source code and ½ trillion code snippets. Make sure your tools partner can go this deep.
- Ensure there are frequent updates to the knowledge base.
- Support for different audit models/methods, including traditional, blind and Do It Yourself.
- Time is always squeezed, especially during M&A. Make sure your tools partner has the speed required to scan for the same loads.
- Make sure to ask about deployment models – local, cloud and hybrid.
- Code snippets are often overlooked but are just as important as the rest. The tools should be able to identify snippets.
- Minimize manual labor among your staff with a tool that has the ability to do auto-identification and training time with an intuitive UI that minimized learning curve. A good compliance partner should increase the time for your team to work on other things.
- Support for vulnerability discovery.
- Cost to deploy tools in terms of number of servers needed.
- Ability to use the tool for M&A transactions. You don’t want to be caught off guard with the wrong tool with M&A comes knocking at your door.
We hope this can give you a quick reference as you embark on your tools assessment.