Open Source Audits
FossID’s open source audit services help you understand which open source components reside in the audited software code base, and whether the code base complies with the license requirements of the components discovered.
FossID Blind Audits
Due to security and confidentiality concerns surrounding an audit, FossID has implemented a unique ability to perform audits and generate reports without looking at the target source code – a “blind audit”.
A first conference call takes place to kick off the project, introduce the contact persons from all parties and communicate the relevant details of the audit, such as timeline and custom reports.
FossID’s Command Line Interface (CLI) is sent to the target company along with installation and execution instructions to collect digital signatures (fingerprints) of their software.
Collection Of Digital Signatures
The digital signatures cannot be reverse-engineered back into the original source code, but they are sufficient for FossID to perform the audit.
The collection of digital signatures is transferred securely over SSH to a dedicated server in FossID’s own datacenter.
Knowledge Base Comparison
The collection of digital signatures is used to search the biggest open source database in the industry and find matches to open source files and snippets.
FossID compliance engineers audit the target software without having access to the actual source code, thanks to FossID’s zero-false-positives technology.
Once the audit is concluded, all reports are sent to the target company for approval before they are shared with the potential buyer.
After the approval, the final reports are transferred securely to the potential buyer, including the Bill of Materials, SPDX, executive summary and more.
Another conference call takes place to present the audit results and answer any questions that may have arisen from the reports.
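As an added illustration of the blind-audit flow described above (this is not FossID’s CLI or its actual fingerprinting method, which the page does not describe), the Python below models both sides: the target side derives only SHA-256 digests of whole files and of normalized three-line windows, and the auditor side matches those digests against a knowledge base. The component name, file paths and code samples are constructed.

```python
import hashlib
import re

def _digest(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def fingerprint_file(src: str, window: int = 3) -> dict:
    # Whole-file hash plus a hash of every `window` consecutive non-blank lines (normalized for
    # whitespace and case). Only these digests leave the audited site; the source text never does.
    lines = [l for l in (re.sub(r"\s+", " ", l).strip().lower() for l in src.splitlines()) if l]
    snippets = {_digest("\n".join(lines[i:i + window])) for i in range(len(lines) - window + 1)}
    return {"file": _digest(src), "snippets": snippets}

def match(collected: dict[str, dict], kb: dict[str, dict]) -> dict[str, tuple]:
    # Auditor side: path -> (component, kind, share of the file's snippet hashes found in the KB).
    hits = {}
    for path, fp in collected.items():
        for component, known in kb.items():
            if fp["file"] == known["file"]:
                hits[path] = (component, "full file", 1.0)
            elif common := fp["snippets"] & known["snippets"]:
                hits[path] = (component, "snippet", round(len(common) / len(fp["snippets"]), 2))
    return hits

# Constructed sample data: one hypothetical open source file in the knowledge base ...
OSS_PARSER = """def parse_header(buf):
    magic = buf[:4]
    if magic != b"ABCD":
        raise ValueError("bad magic")
    length = int.from_bytes(buf[4:8], "big")
    return length
"""
KNOWLEDGE_BASE = {"example-parser-1.0 (MIT)": fingerprint_file(OSS_PARSER)}

# ... and a constructed target code base: a verbatim copy, a partial copy, and original code.
TARGET_TREE = {
    "vendor/header.py": OSS_PARSER,
    "app/loader.py": """def load(path):
    buf = open(path, "rb").read()
    magic = buf[:4]
    if magic != b"ABCD":
        raise ValueError("bad magic")
    length = int.from_bytes(buf[4:8], "big")
    return buf[8:8 + length]
""",
    "app/util.py": "def clamp(x, lo, hi):\n    return max(lo, min(x, hi))\n",
}

def run_audit() -> dict[str, tuple]:
    # Fingerprint on the target side, match on the auditor side; only `collected` crosses between them.
    collected = {path: fingerprint_file(src) for path, src in TARGET_TREE.items()}
    return match(collected, KNOWLEDGE_BASE)
```

Calling run_audit() reports vendor/header.py as a full-file match and app/loader.py as a snippet match covering 40% of its windows, while app/util.py produces no hit; the fingerprint dictionaries themselves contain no source text.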
Open Source Audits for M&A Transactions and Supply Chain Confidence
The most common use cases are private equity investors and companies in the process of merging with or acquiring another business, both of which depend on technical due diligence to learn about the target company’s assets, liabilities, contracts, benefits, and risks.
Using our own tools, we help customers with open source audits, establishing the prevalence of open source components, files, and snippets and identifying their origin and associated licenses.
Open Source Audits for Maximum Security and Confidentiality
FossID fulfils any security and confidentiality requirements, as the source code is never exposed to anyone but its rightful owner: neither to the acquiring company nor to FossID as the auditing company. FossID does not even need to know the identity of the target company.
No source code exposure
Ensuring maximum security and confidentiality.
No legal hassle
Clean cut, easy process to get the job done.
Blind audit, done remotely, without ever exposing the source code.
It is a clean cut: no legal or infrastructure arrangements need to be made for the auditing company to gain access to the source code, upload and transfer it to the auditor’s servers, perform the audit, and then remove the source code safely and securely.
FossID Blind Audit Reports
The output of an audit service includes several comprehensive reports, giving you full insight into which open source components, files and snippets reside in the audited code base, together with their origins and licenses.
Open Source Inventory or Bill of Materials (BoM)
The BoM report lists all detected third-party open source components, files, and copy-pasted code snippets. Its interactive capabilities facilitate filtering and reviewing the audit findings and creating follow-up actions.
Software Package Data Exchange (SPDX)
SPDX is an industry-standard format for communicating the components, licenses and copyrights associated with software packages. This report is essentially a software inventory XML file that can be imported into other tools.
Security Vulnerabilities Report (CPE-CVE)
This report lists all detected Common Vulnerabilities and Exposures (CVE) entries and the corresponding Common Platform Enumerations (CPEs), according to the National Vulnerability Database (NVD) and other sources.
Executive Summary
The executive summary condenses the findings and observations from the other reports, giving the reader a quick understanding of the overall open source licensing and security vulnerability status of the audited software.