Open Source Audits

FOSSID’s open source audit services help you understand which open source components reside in the audited software code base, and whether that code base complies with the license requirements of the components discovered.

FOSSID Blind Audits

Due to security concerns surrounding M&A transactions, we have designed and implemented the ability to perform audits and generate reports without looking at the target source code. This is commonly referred to as a “blind audit” (as opposed to traditional and do-it-yourself audits).

FOSSID Blind Audit Reports

The output of an audit service includes several comprehensive reports, giving you full insight into which open source components, files and snippets reside in the audited code base, together with their origins and licenses.

Open Source Inventory or Bill of Materials (BoM)

The BoM report lists all detected third-party open source components, files, and copy-pasted code snippets. Its interactive capabilities facilitate filtering and reviewing the audit findings and creating follow-up actions.

Software Package Data Exchange (SPDX)

SPDX is an industry standard format for communicating the components, licenses and copyrights associated with software packages. This report is essentially a software inventory XML file that can be imported into other tools.

Security Vulnerabilities Report (CPE-CVE)

This report lists all detected security vulnerabilities and exposures (CVEs) and corresponding Common Platform Enumerations (CPEs) according to the National Vulnerability Database (NVD) and other sources.
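The SPDX and CPE-CVE reports described above are both machine-readable, which is what makes follow-up review automatable. The following Python example, added here and not FOSSID's own code, shows the shape of that review: it parses an SPDX 2.x document in the tag-value serialization (one of SPDX's formats; the page mentions the XML one), checks each package's concluded license against an allowed-license policy, and matches the packages' CPE 2.3 identifiers against an advisory list. The tag names (`PackageName`, `PackageLicenseConcluded`, `ExternalRef: SECURITY cpe23Type`) are real SPDX 2.x tags; the SPDX document, the license policy, the advisory list and the CVE identifiers in it are constructed placeholders for the example.

```python
"""Review an SPDX tag-value BoM: license policy check and CPE-based CVE matching.
Added example, not FOSSID's code. All sample data below is constructed."""
import re
from dataclasses import dataclass, field


@dataclass
class Package:
    name: str
    version: str = ""
    license_concluded: str = "NOASSERTION"
    cpes: list = field(default_factory=list)


_TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")


def parse_spdx_tag_value(text: str) -> list:
    """Collect packages from an SPDX 2.x tag-value document.
    Only the fields the review needs are kept; other tags are skipped."""
    packages, current = [], None
    for raw in text.splitlines():
        m = _TAG_RE.match(raw.strip())
        if not m:
            continue
        tag, value = m.group(1), m.group(2).strip()
        if tag == "PackageName":
            current = Package(name=value)
            packages.append(current)
        elif current is None:
            continue  # document header fields, no package open yet
        elif tag == "PackageVersion":
            current.version = value
        elif tag == "PackageLicenseConcluded":
            current.license_concluded = value
        elif tag == "ExternalRef":
            # SPDX 2.x security reference: "SECURITY cpe23Type <cpe 2.3 string>"
            parts = value.split()
            if len(parts) == 3 and parts[:2] == ["SECURITY", "cpe23Type"]:
                current.cpes.append(parts[2])
    return packages


# Splits a license expression into its identifiers (operators and parens dropped).
_EXPR_SPLIT = re.compile(r"\s+(?:AND|OR|WITH)\s+|[()]")


def license_violations(packages, allowed):
    """Names of packages whose concluded license is not fully covered by `allowed`.
    Compound expressions are flagged if any identifier is unapproved, so
    NOASSERTION and unknown licenses always land in the review queue."""
    flagged = []
    for p in packages:
        ids = [t for t in _EXPR_SPLIT.split(p.license_concluded) if t]
        if not ids or any(t not in allowed for t in ids):
            flagged.append(p.name)
    return flagged


def vulnerable_packages(packages, advisories):
    """(package, advisory id) pairs where a package CPE matches an advisory CPE
    on vendor, product and version; an advisory version of '*' matches any."""
    hits = []
    for p in packages:
        for cpe in p.cpes:
            f = cpe.split(":")  # cpe:2.3:part:vendor:product:version:...
            for adv in advisories:
                a = adv["cpe"].split(":")
                if f[3:5] == a[3:5] and a[5] in ("*", f[5]):
                    hits.append((p.name, adv["id"]))
    return hits


# Constructed SPDX tag-value document with two packages.
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: constructed-example
PackageName: libfoo
SPDXID: SPDXRef-Package-libfoo
PackageVersion: 1.2.3
PackageLicenseConcluded: MIT OR Apache-2.0
ExternalRef: SECURITY cpe23Type cpe:2.3:a:foo_project:libfoo:1.2.3:*:*:*:*:*:*:*
PackageName: libbar
SPDXID: SPDXRef-Package-libbar
PackageVersion: 0.9
PackageLicenseConcluded: GPL-3.0-only
ExternalRef: SECURITY cpe23Type cpe:2.3:a:bar_project:libbar:0.9:*:*:*:*:*:*:*
"""

# Constructed policy: licenses the (hypothetical) acquirer accepts without review.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}

# Constructed advisory list; the CVE ids are placeholders, not real NVD entries.
ADVISORIES = [
    {"id": "CVE-0000-0001", "cpe": "cpe:2.3:a:bar_project:libbar:0.9:*:*:*:*:*:*:*"},
    {"id": "CVE-0000-0002", "cpe": "cpe:2.3:a:foo_project:libfoo:1.0.0:*:*:*:*:*:*:*"},
]


def audit(text: str = SAMPLE_SPDX) -> dict:
    pkgs = parse_spdx_tag_value(text)
    return {"licenses": license_violations(pkgs, ALLOWED_LICENSES),
            "vulns": vulnerable_packages(pkgs, ADVISORIES)}


if __name__ == "__main__":
    print(audit())
```

The license check is deliberately conservative: a disjunction such as `MIT OR Apache-2.0` passes only because every alternative is approved, and anything unrecognised (including `NOASSERTION`) is queued for a human rather than silently accepted. The CPE matcher is exact on vendor, product and version; a production check would also handle version ranges from the advisory source.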

Executive Summary

The executive summary condenses the findings and observations from the other reports, giving the reader a quick understanding of the overall open source licensing and security vulnerability status of the audited software.

Let us help you with your Open Source Due Diligence!