Snippets of Experimental Deprecated Code Put Company Acquisition at Risk

FossID Auditor Big Save

Successful software composition analysis requires not only great technology but also human expertise. Our team of open source auditors has made many “big saves” for our clients, catching unusual and elusive license compliance and security vulnerability issues that could otherwise have caused major problems. Here is one such FossID Auditor Big Save.

SITUATION

A cloud software company sought to acquire and integrate a provider of customer engagement technology. A technical due diligence process was initiated to identify any potential risks in the software assets to be acquired.

CHALLENGE

The acquiring company had to weigh the legal, security, and operational risks against the benefits of the acquisition and plan accordingly to mitigate those risks effectively. They chose FossID to carry out a full source code audit to search for such issues.

The target company’s development team used Java code containing snippets of deprecated code sourced from an experimental web toolkit. That toolkit was distributed under an old weak copyleft license, the Sun Public License 1.0 (SPL-1.0), and has since been removed from all public repositories.

THE SAVE

The FossID audit team ran a detailed scan using FossID’s software composition analysis (SCA) technology and discovered seemingly innocuous Java code snippets sourced from an experimental toolkit that is no longer maintained and is licensed under the outdated SPL-1.0. This finding pointed to potential license compliance and security challenges.

These snippets were linked to the Brazil project, an experimental web toolkit developed by Sun Microsystems, under the now obsolete SPL-1.0 license.

The Brazil project was an early web application framework designed for building flexible, scalable, and secure network services. Despite its innovative approach at the time, the project was eventually abandoned, leaving software that still incorporated its components without a maintainer to ship fixes.

FossID SCA scanned the code base and found these traces. FossID auditors then researched the component’s history to assess its impact. Using the Wayback Machine, we accessed archived web pages of the Brazil project at https://web.archive.org/web/20010215032609/http://www.sun.com/research/brazil/ . Our auditors analyzed the component within its original context, understood its functionality, and evaluated the security and compliance risks associated with its use in the client’s software.

By examining the Brazil project in its historical context, we could provide the client with comprehensive insights into potential vulnerabilities, outdated practices, and compliance issues.

FossID Workbench is our flagship solution that provides a graphical user interface on top of our core components – the FossID CLI (command line interface), License Extractor and Dependency Analysis. Workbench makes it easy for you to manage projects, configure scans, analyze output, administer policies and generate reports.

These snippets, under the now obsolete SPL-1.0 license, were ticking time bombs in terms of both security and compliance.

These risks included:

  • operational inefficiencies due to the lack of documentation and community support;
  • security vulnerabilities and regulatory compliance issues, since no future updates or patches will be published;
  • legal risk posed by license compatibility issues, since SPL-1.0 is a weak copyleft license that is generally regarded as incompatible with the GPL and may conflict with other open source licenses in the code base;
  • an unclear patent grant because of the obsolete SPL-1.0 license.

BUSINESS IMPACT

The FossID auditors, backed by FossID Workbench, were able to help the business mitigate the risks associated with the acquisition.

Furthermore, FossID’s software auditors recommended the company mitigate potential risks by taking the following actions:

  • conduct thorough code reviews at regular intervals so that any future changes are flagged;
  • update obsolete sections and deprecated code components;
  • establish ongoing maintenance practices to keep the code relevant and secure;
  • check the license headers of imported files within the source code to detect such issues;
  • remove any non-compliant components or files that fall under restrictive licenses.
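The header check recommended above can be automated as a first pass before a full SCA audit. The following is an added example written for this page, not FossID’s tooling: it walks a Java source tree and flags files whose header carries an SPDX identifier or license wording for a policy-flagged license, and files that import a package from a flagged toolkit. The SPL-1.0 SPDX identifier and the “Sun Public License” header wording are real; the package prefix `sunlabs.brazil` and the two sample files are assumptions constructed for illustration.

```python
"""
Added example (not FossID's tooling): walk a Java source tree and flag files whose
license header or imports point at a policy-flagged component. The SPL-1.0 SPDX
identifier and the "Sun Public License" header wording are real; the package
prefix "sunlabs.brazil" and the sample files are assumptions for illustration.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# Licenses the policy treats as obsolete or incompatible, with header patterns
# that identify them. Only the top of a file is treated as the header.
FLAGGED_LICENSES = {
    "SPL-1.0": [
        re.compile(r"SPDX-License-Identifier:\s*SPL-1\.0\b", re.I),
        re.compile(r"Sun Public License", re.I),
    ],
}
# Package prefixes whose import indicates a flagged component (assumed name).
FLAGGED_IMPORT_PREFIXES = ("sunlabs.brazil",)
HEADER_LINES = 40

IMPORT_RE = re.compile(r"^\s*import\s+(?:static\s+)?([\w.]+)")


@dataclass
class Finding:
    path: str
    line: int
    kind: str    # "license-header" or "import"
    detail: str  # license id or imported package


def scan_file(path):
    """Return findings for one file: flagged license text in the header and
    flagged imports anywhere in the file."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, text in enumerate(fh, 1):
            if lineno <= HEADER_LINES:
                for lic, patterns in FLAGGED_LICENSES.items():
                    if any(p.search(text) for p in patterns):
                        findings.append(Finding(path, lineno, "license-header", lic))
                        break
            m = IMPORT_RE.match(text)
            if m and m.group(1).startswith(FLAGGED_IMPORT_PREFIXES):
                findings.append(Finding(path, lineno, "import", m.group(1)))
    return findings


def scan_tree(root, extensions=(".java",)):
    """Scan every source file under root; sorted so results are deterministic."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            if name.endswith(extensions):
                findings.extend(scan_file(os.path.join(dirpath, name)))
    return findings


def build_sample_tree():
    """Constructed sample files (not from any real code base): one clean file
    and one carrying an SPL-1.0 header plus an import of the flagged toolkit."""
    root = tempfile.mkdtemp(prefix="license-scan-")
    samples = {
        "Clean.java": (
            "// SPDX-License-Identifier: Apache-2.0\n"
            "package app;\n"
            "public class Clean {}\n"
        ),
        "Legacy.java": (
            "/*\n"
            " * The contents of this file are subject to the Sun Public License\n"
            " * Version 1.0 (the \"License\"); you may not use this file except\n"
            " * in compliance with the License.\n"
            " */\n"
            "package app;\n"
            "import sunlabs.brazil.server.Handler;\n"
            "public class Legacy {}\n"
        ),
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f"{f.path}:{f.line}: {f.kind}: {f.detail}")
```

Run against the constructed tree, the scanner reports two findings for `Legacy.java` (the SPL-1.0 header text and the `sunlabs.brazil` import) and nothing for `Clean.java`. A check like this only catches what announces itself in a header or import; copied snippets with the header stripped, which is what the audit above actually found, still need snippet-level SCA matching.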

Note: Specific company names and descriptions have been withheld for confidentiality.

FossID provides Software Composition Analysis (SCA) tools and expertise trusted by enterprise software teams worldwide. Deliver complete SBOM reports with confidence for greater license compliance and application security without disrupting your productivity. Learn more about our product and service.

Let’s Talk

Our team of experts will take you on a guided tour of all the amazing things FossID can do. We look forward to meeting you!
