Hello, and welcome. My name is Thomas, and I’m the director of North America operations at FossID.
In this video, I’m going to introduce you to FossID’s detection capabilities for undeclared open source. Undeclared open source refers to open source that makes its way into your codebase without the use of a package manager such as Maven, NPM, or PIP. This means FossID can find open-source components that were downloaded and modified for use in an application, snippets of open-source components that were copy-pasted from GitHub or websites like Stack Overflow, and even compiled binaries that were downloaded and manually committed into your file tree. This ability to detect undeclared open source is at the heart of the products and services FossID offers to help organizations with various open-source license compliance needs.
Let’s get started.
For today’s demonstration, I’m using the Quick View tool in FossID Workbench as it will let me show you these detection capabilities without creating a project or scan.
First, I will upload the code to scan. In this case, this is an archive containing a mix of various different projects. Once it uploads, FossID decompresses the archive and scans the files, looking for matches to the FossID knowledge base.
Now that the scan is finished, I’ll enable the source code only filter and navigate the file tree, checking if any of the files contain matches to the FossID knowledge base.
To investigate a match, I can click on the match to see a side-by-side view of my code on the left with what was matched by FossID on the right. If I decide this warrants additional investigation, I can navigate to the match source in order to investigate.
Now, earlier I mentioned we can also find snippets of copy-pasted code. Any files containing portions that match a file in the FossID knowledge base will have partial matches. Let’s see an example.
Just like before, by clicking on the match, I can see what is in my code on the left versus what it was matched to on the right within the FossID knowledge base. We can see that this is a copy-pasted code snippet from this repository.
Just like before, if I wanted to investigate deeper by navigating directly to the source, I can do so from the GitHub link within the match view panel.
Now, here in the Quick View, I can only explore the matches. Were I working in a scan or a project, I would then assign the appropriate component or license to the file or snippet to add it to my software’s component list for attribution and reporting. I hope that you found this overview of FossID’s detection of undeclared open source informative.
When working in a scan within a project, you will also analyze your package manager manifest to ensure that your Software Bill of Materials and any other reports you produce contain both your undeclared and your declared open source components.
Additionally, while today’s demo focused on open source matching, you can teach FossID Workbench how to identify commercial and proprietary libraries that you use in your software to ensure that any SBOM that you create from FossID contains both your open source as well as your commercial and proprietary components.
From all of us at FossID, thank you for taking the time to watch today. To learn more about the other capabilities in the FossID Workbench or the other products and services we offer, reach out via the Contact Us form. Thank you.
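The three detection cases the demo walks through (a downloaded file committed as-is, a snippet copy-pasted into otherwise original code, and a compiled binary committed to the tree) can be illustrated with a toy matcher. The block below is an added example written for this page; it is not FossID code and does not describe how the FossID knowledge base or Workbench actually work. It uses winnowed k-gram token fingerprints for partial and reformatted matches and plain SHA-256 for byte-identical files, and the "knowledge base" entries, file paths and project-tree contents are all constructed for the example.

```python
import hashlib
import re

K = 6                     # tokens per k-gram
WINDOW = 4                # winnowing window over consecutive k-gram hashes
PARTIAL_THRESHOLD = 0.15  # share of a file's fingerprints that must hit one KB entry
FULL_THRESHOLD = 0.90     # at or above this, report a (possibly reformatted) whole copy

TOKEN_RE = re.compile(r"\w+|[^\w\s]")
# Crude comment stripper; it also eats '#' inside strings, which is fine for the toy.
COMMENT_RE = re.compile(r"//[^\n]*|#[^\n]*|/\*.*?\*/", re.S)


def tokenize(source):
    """Drop comments and whitespace so reformatting a copy does not hide it."""
    return TOKEN_RE.findall(COMMENT_RE.sub("", source))


def kgram_hashes(tokens):
    """64-bit hash of every run of K consecutive tokens, in order."""
    return [int.from_bytes(hashlib.sha1(" ".join(tokens[i:i + K]).encode()).digest()[:8], "big")
            for i in range(len(tokens) - K + 1)]


def winnow(hashes):
    """Keep the minimum hash of each window (Schleimer, Wilkerson, Aiken 2003): any run of
    WINDOW+K-1 tokens shared by two files is guaranteed to produce a shared fingerprint."""
    if len(hashes) <= WINDOW:
        return set(hashes)
    return {min(hashes[i:i + WINDOW]) for i in range(len(hashes) - WINDOW + 1)}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


class KnowledgeBase:
    """Toy stand-in for a component database: exact hashes plus every source k-gram."""

    def __init__(self, sources, binaries):
        self.by_sha = {}    # sha256 -> name, for whole text files and binaries
        self.by_kgram = {}  # k-gram hash -> set of source names
        for name, text in sources.items():
            self.by_sha[sha256(text.encode())] = name
            for h in kgram_hashes(tokenize(text)):
                self.by_kgram.setdefault(h, set()).add(name)
        for name, blob in binaries.items():
            self.by_sha[sha256(blob)] = name

    def scan(self, data):
        none = {"kind": "none", "source": None, "coverage": 0.0}
        digest = sha256(data)
        if digest in self.by_sha:                  # byte-identical file or committed binary
            return {"kind": "exact", "source": self.by_sha[digest], "coverage": 1.0}
        try:
            text = data.decode("utf-8")
        except UnicodeDecodeError:                 # unknown binary: nothing to fingerprint
            return none
        fingerprints = winnow(kgram_hashes(tokenize(text)))
        hits = {}
        for fp in fingerprints:
            for name in self.by_kgram.get(fp, ()):
                hits[name] = hits.get(name, 0) + 1
        if not hits:
            return none
        best = max(hits, key=hits.get)
        coverage = round(hits[best] / len(fingerprints), 2)  # share of this file's fingerprints
        if coverage >= FULL_THRESHOLD:
            return {"kind": "full", "source": best, "coverage": coverage}
        if coverage >= PARTIAL_THRESHOLD:
            return {"kind": "partial", "source": best, "coverage": coverage}
        return none


# Constructed "open source" entries; names and contents are invented for the example.
LEFTPAD_JS = """function leftPad(str, len, ch) {
  str = String(str);
  ch = ch === undefined ? ' ' : String(ch);
  while (str.length < len) { str = ch + str; }
  return str;
}
"""
PARSE_IPV4_PY = """def parse_ipv4(text):
    parts = text.split('.')
    if len(parts) != 4:
        raise ValueError('expected four octets')
    octets = [int(p) for p in parts]
    if any(o < 0 or o > 255 for o in octets):
        raise ValueError('octet out of range')
    return tuple(octets)
"""
LIBFOO_SO = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"constructed, not a real binary"

KB = KnowledgeBase(
    {"github.com/example/strutil/leftpad.js": LEFTPAD_JS,
     "github.com/example/netutil/ipv4.py": PARSE_IPV4_PY},
    {"example.org/libfoo-1.2.so": LIBFOO_SO})

# Constructed project tree, one file per detection case the demo mentions.
SCAN_TREE = {
    "vendor/leftpad.js": LEFTPAD_JS.encode(),                                        # downloaded as-is
    "lib/pad.js": ("// grabbed from a gist\n" + LEFTPAD_JS.replace("  ", "\t")).encode(),  # reformatted copy
    "app/cli.py": ("import sys\n\ndef main(argv):\n    host = argv[1] if len(argv) > 1 else '127.0.0.1'\n"
                   "    print('octets:', parse_ipv4(host))\n    return 0\n\n" + PARSE_IPV4_PY +
                   "\nif __name__ == '__main__':\n    sys.exit(main(sys.argv))\n").encode(),  # snippet pasted in
    "app/config.py": b"DEBUG = False\nTIMEOUT_SECONDS = 30\nRETRIES = 3\n",             # original code
    "bin/libfoo.so": LIBFOO_SO,                                                      # committed binary
    "bin/blob.dat": bytes(range(256)),                                               # unknown binary
}


def scan_tree(kb, tree):
    """Return {path: result}; every non-'none' entry still needs a component and license assigned."""
    return {path: kb.scan(data) for path, data in tree.items()}
```

Running `scan_tree(KB, SCAN_TREE)` reports `vendor/leftpad.js` and `bin/libfoo.so` as exact matches, `lib/pad.js` as a full match despite the added comment and changed indentation (the hash differs, the token fingerprints do not), `app/cli.py` as a partial match to the ipv4 entry with roughly half of its fingerprints covered, and the config file and unknown blob as no match. The thresholds are the knobs a real tool exposes in some form: too low and common idioms produce false partial matches, too high and short pasted snippets are missed.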
