Open Source Audits

FossID’s open source audit services help you understand which open source components reside in the audited code base, and whether that code base complies with the license obligations those components carry.

FossID Blind Audits

Because an audit raises security and confidentiality concerns, FossID has implemented the ability to perform audits and generate reports without looking at the target source code, a “blind audit”.

Open Source Audits for M&A Transactions and Supply Chain Confidence

The most common use cases are private equity investors and companies in the process of merging with or acquiring another business, both of which depend on technical due diligence to learn about the target company’s assets, liabilities, contracts, benefits, and risks.

Using our own tools, we help customers with open source audits: finding the prevalence of open source components, files, and snippets, and identifying their origin and the licenses that apply to them.

Open Source Audits for Maximum Security and Confidentiality

FossID meets strict security and confidentiality requirements because the source code is never exposed to anyone but its rightful owner: neither the acquiring company nor FossID, as the auditing company, sees it. FossID does not even need to know the identity of the target company.

No source code exposure

Ensuring maximum security and confidentiality.

No legal hassle

Clean cut, easy process to get the job done.

No touch

Blind audit, done remotely, without ever exposing the source code.

It is a clean cut: no legal or infrastructure arrangements are needed to give the auditing company access to the source code, to upload and transfer it to the auditor’s servers, to perform the audit, and then to remove the source code safely and securely afterwards.

FossID Blind Audit Reports

The output of an audit service includes several comprehensive reports, giving you full insight into which open source components, files and snippets reside in the audited code base, together with their origins and licenses.

Open Source Inventory or Bill of Materials (BoM)

The BoM report lists all detected third-party open source components, files, and copy-pasted code snippets. Its interactive capabilities facilitate filtering and reviewing the audit findings and creating follow-up actions.

Software Package Data Exchange (SPDX)

SPDX is an industry standard format for communicating the components, licenses and copyrights associated with software packages. This report is essentially a machine-readable software inventory (SPDX documents can be serialized as tag-value text or RDF/XML, among other formats) that can be imported into other tools.
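As an added example (not FossID’s code and not a sample of its report), the following Python shows what “importing into other tools” looks like in practice: it parses a small, constructed SPDX 2.2 tag-value document into a package inventory and screens each package’s concluded license against an assumed allowlist. The document, the package names and the allowlist are all made up for the demonstration.

```python
"""Parse an SPDX 2.x tag-value report and screen it against a license policy.

Added example, not FossID's code. The SPDX document below is constructed
for this demo; the package names, versions and the ALLOWED_LICENSES
policy are assumptions, not findings from any real audit.
"""
from __future__ import annotations

import re

# Constructed SPDX 2.2 tag-value document (not a real audit result).
# Multi-line values are wrapped in <text>...</text>, as the tag-value
# serialization requires.
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-audit
DocumentNamespace: https://example.invalid/spdxdocs/example-audit

PackageName: libexample
SPDXID: SPDXRef-Package-libexample
PackageVersion: 1.4.2
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: MIT
PackageLicenseDeclared: MIT
PackageCopyrightText: <text>Copyright (c) 2019 Example Authors
All rights reserved.</text>

PackageName: copyleft-utils
SPDXID: SPDXRef-Package-copyleft-utils
PackageVersion: 3.0.1
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: GPL-3.0-only
PackageLicenseDeclared: GPL-3.0-or-later
PackageCopyrightText: NOASSERTION

PackageName: mystery-snippet
SPDXID: SPDXRef-Package-mystery-snippet
PackageVersion: 0.0.0
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
"""

TAG_RE = re.compile(r"^([A-Za-z][A-Za-z0-9]*):\s?(.*)$")


def parse_tag_value(text: str) -> list[tuple[str, str]]:
    """Return (tag, value) pairs in document order, unwrapping <text> blocks."""
    pairs: list[tuple[str, str]] = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line.strip() or line.startswith("#"):
            continue  # blank lines and comments carry no data
        m = TAG_RE.match(line)
        if m is None:
            raise ValueError(f"line {i}: not a tag-value line: {line!r}")
        tag, value = m.group(1), m.group(2)
        if value.startswith("<text>"):
            # Collect lines until the closing </text>, then strip the wrapper.
            buf = [value[len("<text>"):]]
            while "</text>" not in buf[-1]:
                if i >= len(lines):
                    raise ValueError(f"unterminated <text> value for tag {tag}")
                buf.append(lines[i])
                i += 1
            joined = "\n".join(buf)
            value = joined[: joined.index("</text>")]
        pairs.append((tag, value))
    return pairs


def parse_spdx(text: str) -> tuple[dict[str, str], list[dict[str, str]]]:
    """Split the pairs into the document header and one dict per package.

    Every tag after a PackageName belongs to that package until the next
    PackageName; that is how the tag-value serialization delimits packages.
    """
    header: dict[str, str] = {}
    packages: list[dict[str, str]] = []
    current: dict[str, str] | None = None
    for tag, value in parse_tag_value(text):
        if tag == "PackageName":
            current = {tag: value}
            packages.append(current)
        elif current is None:
            header[tag] = value
        else:
            current[tag] = value
    return header, packages


# Assumed policy: licenses the acquirer accepts without legal review.
ALLOWED_LICENSES = frozenset({"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"})


def review_licenses(packages, allowed=ALLOWED_LICENSES) -> dict[str, str]:
    """Map each package name to 'allowed', 'needs-review' or 'unresolved'.

    Only the concluded license is trusted; the declared one is what upstream
    claims. NOASSERTION/NONE mean no license could be concluded, so the
    package must be resolved before sign-off. A compound expression such as
    'MIT AND GPL-2.0-only' is not in the allowlist and therefore routes to
    review (fail closed) instead of being evaluated here.
    """
    result: dict[str, str] = {}
    for pkg in packages:
        concluded = pkg.get("PackageLicenseConcluded", "NOASSERTION")
        if concluded in ("NOASSERTION", "NONE"):
            status = "unresolved"
        elif concluded in allowed:
            status = "allowed"
        else:
            status = "needs-review"
        result[pkg["PackageName"]] = status
    return result


if __name__ == "__main__":
    hdr, pkgs = parse_spdx(SAMPLE_SPDX)
    print(f"{hdr['DocumentName']} ({hdr['SPDXVersion']}): {len(pkgs)} packages")
    for name, status in review_licenses(pkgs).items():
        print(f"  {name:20s} {status}")
```

The point of screening the concluded rather than the declared license is that in a due-diligence setting the auditor’s conclusion, not the upstream project’s claim, is what the acquirer relies on; anything the auditor could not conclude stays open until it is resolved.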

Security Vulnerabilities Report (CPE-CVE)

This report lists the publicly known vulnerabilities (CVEs) associated with the detected components, matched through their Common Platform Enumeration (CPE) identifiers according to the National Vulnerability Database (NVD) and other sources. Because the match is made on the CPE, a finding is only as precise as the identification of the component’s name and version it is based on.

Executive Summary

The executive summary condenses the findings and observations from the other reports, giving the reader a quick understanding of the overall open source licensing and security vulnerability status of the audited software.

Let us help you with your Open Source Due Diligence!