Open Source Audit Preparation for M&A Transactions


Getting ready for open source software compliance due diligence as part of an M&A transaction is not too difficult if you have an open source program that manages your open source software usage, compliance and contribution. However, if you don’t have such a program and you need to establish a functioning program quickly, here are some tips to get you started.

What are the core building blocks you should establish to help you find all open source software in your codebase and pass an open source due diligence?

Audit Your Entire Codebase

You need to maintain a complete software inventory for all software components, including their origin and license information. How do you achieve this? By running an audit on the complete codebase. The goal of this exercise is twofold:

  1. First, it will allow you to establish baseline compliance for your software stack, from which you can simply run incremental compliance scans on any new code entering the stack.
  2. Second, it will provide you with a Software Bill of Materials (SBOM) that lists all open source software, their origin packages and license information, which is a required artifact in any type of open source due diligence as part of an M&A transaction.
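The following is an added example, not FossID's code or part of the original article. It shows the two outcomes described above on a small constructed inventory: a baseline SBOM (component, version, origin package, license) built from a full audit, an incremental check that reports what entered, left or changed since that baseline, and a license policy check against a denied list. All component names, versions, origin identifiers and the denied-license set are constructed for illustration; a real inventory comes from an SCA scan of the actual codebase.

```python
"""Baseline SBOM from a full audit, then an incremental compliance check.

Added example, not FossID's code. All component data and the license
policy below are constructed placeholders.
"""
import json
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    origin: str   # origin package, written here in a purl-style form
    license: str  # SPDX license identifier


def build_sbom(components):
    """Return the inventory keyed by component name."""
    return {c.name: c for c in components}


def sbom_to_json(sbom):
    """Serialise the inventory as a minimal JSON SBOM document."""
    doc = {"components": [asdict(c) for c in sbom.values()]}
    return json.dumps(doc, indent=2, sort_keys=True)


def diff_sbom(baseline, current):
    """Incremental scan: what entered, left, or changed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(n for n in set(baseline) & set(current)
                     if baseline[n] != current[n])
    return {"added": added, "removed": removed, "changed": changed}


def license_violations(sbom, denied_licenses):
    """Names of components whose license is on the policy's denied list."""
    return sorted(c.name for c in sbom.values() if c.license in denied_licenses)


# Constructed baseline produced by the initial full-codebase audit.
BASELINE = build_sbom([
    Component("compresslib", "1.2.13", "pkg:generic/compresslib@1.2.13", "Zlib"),
    Component("cryptokit", "3.0.8", "pkg:generic/cryptokit@3.0.8", "Apache-2.0"),
    Component("acme-parser", "0.9.1", "pkg:npm/acme-parser@0.9.1", "SSPL-1.0"),
])

# Constructed result of a later incremental scan of the same stack.
CURRENT = build_sbom([
    Component("compresslib", "1.3.0", "pkg:generic/compresslib@1.3.0", "Zlib"),
    Component("cryptokit", "3.0.8", "pkg:generic/cryptokit@3.0.8", "Apache-2.0"),
    Component("termline", "8.2.0", "pkg:generic/termline@8.2.0", "GPL-3.0-only"),
])

# Constructed policy: licenses this company does not allow in shipped products.
DENIED = {"GPL-3.0-only", "AGPL-3.0-only", "SSPL-1.0"}


if __name__ == "__main__":
    print(sbom_to_json(BASELINE))
    print("delta since baseline:", diff_sbom(BASELINE, CURRENT))
    print("policy violations now:", license_violations(CURRENT, DENIED))
```

Only the delta needs review after the baseline exists: here the incremental scan flags `termline` as a new GPL-3.0-only entry and shows that the earlier SSPL-1.0 violation was removed, which is exactly the record a due diligence reviewer expects to see alongside the SBOM.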

Establish an Open Source Policy and Process

Given the widespread use of open source, it is almost impossible for any organization creating products or offering software-based services (regardless of industry) not to incorporate open source code in its products or service applications. Therefore, as part of M&A transactions, the company subject to the due diligence is expected to present its open source policy and process. You therefore need to establish a lightweight open source policy and process that does not add burden to your development teams. Simply put, the policy outlines the set of rules that govern the management of open source software, and the process details how the organization implements these rules.

Appoint a Resource to Oversee Open Source Management

In large enterprises, the open source compliance team is a cross-disciplinary group of individuals tasked with ensuring open source compliance and overseeing the use of and contribution to open source projects. In smaller companies or startups, however, this can be as simple as an engineering manager supported by legal counsel, ensuring that all activity around open source software is in line with the company policy.

Provide Basic Training on Open Source, Compliance and Company Policy

Education is an essential building block in any compliance program, ensuring that employees have a good understanding of the company's policy and process. In this specific context, the goal of open source and compliance training is to raise awareness of the company's open source strategy, policy and process, and to build a common understanding of open source licensing. Note that many free and trusted education resources are available. For example, the Linux Foundation offers free training on open source compliance aimed at developers, and we encourage you to explore such resources.

Adopt Tools to Increase Automation and Efficiencies

Organizations often use tools to automate source code audits: discovering open source code, identifying its licenses and compiling the list of notices that must be made available to end users. FossID is a Software Composition Analysis tool to consider. Contact us for a personalized demo of our solution and a trial license to take the tool for a test drive.

Use Latest Releases of Open Source Software Packages for Security Purposes

One of the benefits of an integrated software composition analysis tool is the ability to scan code for known security vulnerabilities: discovering which versions of open source components carry known vulnerabilities and resolving them, most often either by applying a patch or by upgrading to the latest version. The goal of this exercise is to eliminate any currently known vulnerabilities in the open source software you use. The M&A due diligence can then show both that you have done this exercise and that it is part of your ongoing software development lifecycle (SDLC) process.
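The following is an added example, not FossID's code or part of the original article. It shows the matching step behind the paragraph above: an inventory of component versions is checked against a list of advisories, each giving the version range it affects and the version that fixes it, and every match is classified as either already resolved by a backported patch or still requiring an upgrade. The advisory identifiers, component names, versions and ranges are all constructed placeholders, and the "introduced/fixed" range semantics are an assumption made for this example; a real check takes advisories from a vulnerability database and the inventory from an SCA scan.

```python
"""Match an open source inventory against known-vulnerability advisories.

Added example, not FossID's code. Advisory IDs, components, versions and
the range semantics below are constructed placeholders.
"""


def parse_version(text):
    """Turn '1.2.13' into (1, 2, 13) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version, advisory):
    """Affected if introduced <= version < fixed (assumed range semantics)."""
    v = parse_version(version)
    lo = parse_version(advisory["introduced"])
    hi = parse_version(advisory["fixed"])
    return lo <= v < hi


def check_inventory(inventory, advisories):
    """Return one finding per (component, advisory) pair whose range matches.

    A finding is 'resolved-by-patch' when the component record lists the
    advisory among its backported fixes, otherwise 'upgrade-required'.
    """
    findings = []
    for item in inventory:
        for adv in advisories:
            if adv["component"] != item["name"]:
                continue
            if not is_affected(item["version"], adv):
                continue
            patched = adv["id"] in item.get("backported_fixes", ())
            findings.append({
                "component": item["name"],
                "version": item["version"],
                "advisory": adv["id"],
                "status": "resolved-by-patch" if patched else "upgrade-required",
                "fixed_in": adv["fixed"],
            })
    return findings


def open_findings(findings):
    """Only the findings that still need an upgrade before due diligence."""
    return [f for f in findings if f["status"] == "upgrade-required"]


# Constructed inventory; 'backported_fixes' records patches applied in-tree.
INVENTORY = [
    {"name": "libexample", "version": "2.1.0"},
    {"name": "netutil", "version": "1.4.2",
     "backported_fixes": {"EXAMPLE-ADV-0002"}},
    {"name": "parsekit", "version": "3.2.0"},
]

# Constructed advisories with placeholder identifiers.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "component": "libexample",
     "introduced": "2.0.0", "fixed": "2.1.4"},
    {"id": "EXAMPLE-ADV-0002", "component": "netutil",
     "introduced": "1.0.0", "fixed": "1.5.0"},
    {"id": "EXAMPLE-ADV-0003", "component": "parsekit",
     "introduced": "3.0.0", "fixed": "3.1.0"},
]


if __name__ == "__main__":
    all_findings = check_inventory(INVENTORY, ADVISORIES)
    for f in all_findings:
        print(f"{f['component']} {f['version']}: {f['advisory']} -> {f['status']}"
              f" (fixed in {f['fixed_in']})")
    print("still open:", [f["component"] for f in open_findings(all_findings)])
```

Keeping the backported-patch record in the inventory matters in practice: a plain version comparison would keep reporting `netutil` as vulnerable even though the fix has been applied, so the inventory needs to carry that evidence for the due diligence to show the finding as resolved rather than outstanding.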

Self-Certify With OpenChain

The OpenChain Project is home to the OpenChain ISO 5230, an international standard for open source license compliance. It offers a free online self-certification that organizations can go through to demonstrate their existing open source compliance practices as defined by the standard. It is a great starting point for organizations to self-assess their internal compliance implementation and identify areas for improvements. It is also very helpful to go through the self-certification and provide the results as part of the due diligence. Optionally, there are several OpenChain partners who can be hired to perform that exercise as an independent party.


Open Source Audits by FossID

FossID’s open source audit services help you understand which open source components exist in the audited software codebase, and if it is compliant with the discovered license requirements. We have pioneered an innovative approach that we call a “Blind Audit” which allows us to perform audits and generate reports without ever exposing your source code.

You can read more about our Blind Audit approach here. Are you looking for fast, accurate and easy open source software audits for M&A transactions? Contact us to learn more.


FossID Team

The FossID Team byline indicates this article reflects the collective work of the FossID team. With nearly a decade of expertise delivering open source auditing services, FossID is a pioneer in the critical field of software auditing and compliance. FossID’s Software Composition Analysis (SCA) tool, Workbench, and professional services are designed to ensure comprehensive open source compliance and security in software development.
