With open source software becoming part of the computing fabric of how companies create, share and distribute software, and the popularity of open source first and upstream first policies, it is becoming extremely hard to find a company that does not rely on open source software in their products and services.
This massive adoption of open source has contributed vastly to the software composition analysis industry as most corporate transactions including software now mandate a complete scan of the source code base and the identification of open source software.
In December 2017, FOSSID’s CEO Oskar Swirtun, along with Ibrahim Haddad (then VP of R&D at Samsung), delivered a talk on this topic at the Linux Foundation’s Open Compliance Summit entitled “Open Source Audits in M&A Transactions”. Since then, we have seen and experienced an uptick in discussions and presentations on the same topic at various events, and decided to revisit it on our blog and highlight our services in this area.
“Blind Audits” by FOSSID
In early 2018, the Linux Foundation published the e-book “Open Source Audits in Merger and Acquisition Transactions”, providing an overview of and a practical guide to open source audits in merger and acquisition transactions. It offers basic guidelines to improve open source compliance preparedness, and describes three audit models typically adopted by software composition analysis companies:
- Traditional audits, in which the auditor gets complete access to all the code and executes the audit either remotely or on site.
- Blind audits, in which the auditor does the work remotely and without ever seeing the source code, and
- Do-It-Yourself (or DIY) audits, where the target company or the acquirer performs most of the actual audit work themselves using the tools, with the option of a random verification of the results by the auditing company.
Due to the security concerns surrounding M&A transactions, FOSSID has designed and implemented a way to perform audits and generate reports without ever looking at the target source code.
The following figure illustrates the process of the blind audit method, available only from FOSSID.
Outcomes of FOSSID’s Audit Service
FOSSID’s audit services provide you with accurate and timely open source analysis with the highest confidentiality. Our team of experts has several years of experience and performs trustworthy audits with the FOSSID open source compliance tools. The output of an audit service includes a range of comprehensive reports.
- Open Source Inventory or Bill-of-Materials (BoM) report of all detected third-party open source components, files, and even copy-pasted code snippets.
- Security Vulnerabilities and Exposures Report (CPE-CVE) against the National Vulnerability Database (NVD) and other sources.
- Industry standard Software Package Data Exchange (SPDX) report (can be easily imported into compliance tools for future due diligence).
- Executive Summary.