Open Source Audits
FOSSID’s open source audit services help you understand which open source components reside in the audited software code base, and whether that code base complies with the license requirements of the components discovered.
FOSSID Blind Audits
Due to security concerns surrounding M&A transactions, we have designed and implemented the ability to perform audits and generate reports without looking at the target source code. This is commonly referred to as a “blind audit” (as opposed to traditional and do-it-yourself audits).
A first conference call takes place to kick off the project, introduce the contact persons from all parties and communicate relevant details of the audit, such as the timeline, custom reports, etc.
FOSSID’s Command Line Interface (CLI) is sent to the target company along with installation and execution instructions to collect digital signatures (fingerprints) of their software.
Collection Of Digital Signatures
The collection of digital signatures cannot be reverse engineered into the original source code, but it is enough for FOSSID to perform the audit.
The collection of digital signatures is transferred securely over SSH to a dedicated server in FOSSID’s own datacenter.
Knowledge Base Comparison
The collection of digital signatures is used to search the biggest open source database in the industry and find matches to open source files and snippets.
FOSSID compliance engineers audit the target software without having access to the actual source thanks to FOSSID’s Zero false-positives technology.
Once the audit is concluded, all reports are sent to the target company for approval before they are shared with the potential buyer.
After the approval, the final reports are transferred securely to the potential buyer, including the Bill of Materials, SPDX, executive summary and more.
Another conference call takes place to present the audit results and answer any questions that might have arisen from the reports.
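The flow above, reduced to its matching step, as an added illustration (not FOSSID’s CLI, fingerprint scheme or knowledge base, all of which are proprietary): the target side computes digests of its files and of short sliding windows of lines, only those digests cross to the auditor, and the auditor looks them up in a knowledge base indexed the same way to produce Bill-of-Materials rows. The component names, licenses, paths and source texts are constructed for the example.

```python
import hashlib
import re

def digest(s): return hashlib.sha256(s.encode("utf-8")).hexdigest()

def fingerprints(text, window=3):
    # Whole-file digest plus one digest per sliding window of non-empty, whitespace-collapsed lines.
    lines = [l for l in (re.sub(r"\s+", " ", l).strip() for l in text.splitlines()) if l]
    windows = {}
    for i in range(len(lines) - window + 1):
        windows.setdefault(digest("\n".join(lines[i:i + window])), i + 1)  # value: first line number
    return digest("\n".join(lines)), windows

# Constructed knowledge base: (component, license, origin path) -> source text.
KNOWN_SOURCES = {
    ("libfoo", "MIT", "foo/util.c"): "int add(int a, int b) {\n  return a + b;\n}\nint sub(int a, int b) {\n  return a - b;\n}\n",
    ("libbar", "GPL-2.0", "bar/main.c"): 'static int bar_init(void) {\n  log("bar init");\n  return 0;\n}\n',
}
# Constructed target code base: a re-indented verbatim copy, a pasted snippet, and an original file.
TARGET = {
    "src/math.c": "int add(int a, int b) {\n    return a + b;\n}\nint sub(int a, int b) {\n    return a - b;\n}\n",
    "src/app.c": '// proprietary glue\nstatic int bar_init(void) {\n    log("bar init");\n    return 0;\n}\nint main(void) { return bar_init(); }\n',
    "src/own.c": "int main(void) {\n  return 42;\n}\n",
}

def build_kb(sources):
    # Index the knowledge base by whole-file digest and by snippet digest.
    by_file, by_snippet = {}, {}
    for key, text in sources.items():
        whole, windows = fingerprints(text)
        by_file[whole] = key
        for d in windows:
            by_snippet.setdefault(d, key)
    return by_file, by_snippet

def audit(target_digests, by_file, by_snippet):
    # Auditor side: only digests come in; Bill-of-Materials rows go out, no source text is ever seen.
    bom = []
    for path, (whole, windows) in target_digests.items():
        if whole in by_file:
            comp, lic, origin = by_file[whole]
            bom.append({"file": path, "match": "file", "component": comp, "license": lic, "origin": origin})
            continue
        hits = {d: by_snippet[d] for d in windows if d in by_snippet}
        for comp, lic, origin in sorted(set(hits.values())):
            first = min(windows[d] for d, k in hits.items() if k == (comp, lic, origin))
            bom.append({"file": path, "match": "snippet", "component": comp, "license": lic, "origin": origin, "first_line": first})
    return bom

def run_demo():  # digests are computed on the target's side; only they reach audit()
    return audit({p: fingerprints(t) for p, t in TARGET.items()}, *build_kb(KNOWN_SOURCES))
```

The window size is the sensitivity knob: a window of three lines catches short pastes but lets common lines such as a lone `}` contribute to spurious matches, which is why a production knowledge base needs far more than plain line hashing to reach the zero-false-positive behaviour the page describes.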
FOSSID Blind Audit Reports
The output of an audit service includes several comprehensive reports, giving you full insight into which open source components, files and snippets reside in the audited code base, together with their origins and licenses.
Open Source Inventory or Bill of Materials (BoM)
The BoM report lists all detected third-party open source components, files, and copy-pasted code snippets. Its interactive capabilities facilitate the filtering and reviewing of the audit findings, and the creation of follow-up actions.
Software Package Data Exchange (SPDX)
SPDX is an industry standard format for communicating the components, licenses and copyrights associated with software packages. This report is essentially a software inventory XML file that can be imported into other tools.
Security Vulnerabilities Report (CPE-CVE)
This report lists all detected security vulnerabilities and exposures (CVEs) and corresponding Common Platform Enumerations (CPEs) according to the National Vulnerability Database (NVD) and other sources.
Executive Summary
The executive summary summarizes the findings and observations from the other reports, giving the reader a quick understanding of the overall open source licensing and security vulnerability status of the audited software.