Comparison to Alternative Open Source Management Solutions

Open source is free but has to be managed to ensure license compliance, and the quality and security of the chosen open source libraries. Different open source management methods can be suitable for different types of organizations, and even for different projects within a given organization.


The following is a feature comparison of the three main approaches:

| | Integrative / Agile | Scanner-based | Manual |
|---|---|---|---|
| Leading tools | WhiteSource | BlackDuck Software, Protecode, Palamida, OpenLogic and others | Spreadsheets & emails |
| Release history | 2011 | 2002 | |
| How it works | Uses a plugin to the development environment to automatically identify new open source libraries as soon as they are added to the build process | Scans source code to find fragments of code that are "similar" to recognized open source components | Developers are required to manually research and report open source license information and security vulnerabilities, and to continue tracking those for the lifetime of the project |
| What is managed | Each of your software projects | Periodic scan of open source repositories | Static list of open source components in use |
| When new libraries are detected and analyzed | Continuously, with every build | Usually once per release, since code scanning and the subsequent review of potential matches can be a very heavy process | When (and if) a developer reports them |
| Deployment setup | Lightweight SaaS with on-premise option | On-premise | N/A |
| Integrations with build tools | Plugins to CI and development tools: Maven, Ant, NAnt, Jenkins, Bamboo, TeamCity, TFS, Gradle, and more | Usually performed asynchronously | Usually none |
| License detection | Works by identifying open source libraries. No false positives. | Works by scanning source code. Usually detects fully, but with a lot of false positives that need to be reviewed | Relies on reporting accuracy. Typical gaps: unreported dependencies; incorrect, incomplete, or outdated license and vulnerability information |
| Alerts on security vulnerabilities | Continuously matches newly published security vulnerabilities against the always up-to-date open source inventory of each project, and proactively alerts both when a vulnerability is discovered and when it is fixed | Provided by some vendors, but only if and when a scan is run. A long time may elapse between the discovery of a security vulnerability and when it becomes known to the product team. | No |
| Proactive alerts on new versions | Yes | No | No |
| Approval workflow | Yes | Yes | No |
| License compliance and policy enforcement | Yes | Yes | No |
| Licensing costs | Low yearly subscription | Expensive | None |
| Deployment costs | Almost none if in the cloud (install plugin). Up to 4 hours if on premise. | Expensive on-premise deployment and integration costs | None |
| Customization costs | Minimal, if at all | Expensive and time consuming. Requires expert tuning to reduce false positives. | None |
| Operational costs: review | Fully automatic. No need for professional services. | Expensive and laborious. Many false alerts (often thousands) must be reviewed. | Major but hidden labor costs. Risks due to inaccurate licensing information, inconsistent governance, security vulnerabilities that go undetected, etc. |
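The "How it works" and "Alerts on security vulnerabilities" rows describe the integrative approach as two steps: take the component inventory from the build tool's resolved dependency list (exact coordinates, so no fuzzy code matching), then re-match that stored inventory against the vulnerability feed whenever the feed changes, alerting on new findings and on findings that clear after an upgrade. The following is an added example written for this page, not WhiteSource's or any vendor's code. The build output, the advisory feed and the `ADV-…` identifiers are all constructed placeholders; real advisories would carry CVE or vendor identifiers.

```python
"""Build-time open source inventory matched against a vulnerability feed.

Added example (not the page's or any vendor's code). Every line of build
output and every advisory below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of the resolved-dependency lines a Maven build prints
# (format: group:artifact:packaging:version:scope). A real plugin would read
# these from the build tool's API instead of from text, but the data is the same.
BUILD_OUTPUT = """\
[INFO] --- maven-dependency-plugin:3.1.2:list (default-cli) @ demo-app ---
[INFO] The following files have been resolved:
[INFO]    com.example:json-parser:jar:1.4.2:compile
[INFO]    com.example:http-client:jar:3.0.1:compile
[INFO]    org.example:logging-core:jar:2.9.0:runtime
[INFO]    org.example:test-kit:jar:5.1.0:test
"""

Version = Tuple[int, ...]


@dataclass(frozen=True)
class Component:
    group: str
    artifact: str
    version: Version  # numeric tuple so that 1.10.0 compares greater than 1.9.5


@dataclass(frozen=True)
class Advisory:
    advisory_id: str          # placeholder ids, not real CVEs
    group: str
    artifact: str
    introduced: Version       # first affected version (inclusive)
    fixed: Optional[Version]  # first safe version (exclusive); None = no fix yet


def parse_version(text: str) -> Version:
    """'1.4.2' -> (1, 4, 2); numeric comparison avoids string-order mistakes."""
    return tuple(int(part) for part in text.split("."))


def parse_build_output(text: str) -> List[Component]:
    """Keep compile/runtime dependencies; test-scoped ones never ship."""
    components = []
    for line in text.splitlines():
        parts = line.split("[INFO]", 1)[-1].strip().split(":")
        if len(parts) == 5 and parts[4] in ("compile", "runtime"):
            group, artifact, _packaging, version, _scope = parts
            components.append(Component(group, artifact, parse_version(version)))
    return components


def match(inventory: List[Component], feed: List[Advisory]) -> List[Tuple[str, str]]:
    """Return ("group:artifact", advisory_id) for every affected component.

    Matching is on exact coordinates plus a version range, which is why this
    approach produces no similarity-based false positives.
    """
    hits = []
    for c in inventory:
        for a in feed:
            if (a.group, a.artifact) != (c.group, c.artifact):
                continue
            if a.introduced <= c.version and (a.fixed is None or c.version < a.fixed):
                hits.append((f"{c.group}:{c.artifact}", a.advisory_id))
    return hits


def diff_alerts(previous, current):
    """(newly raised alerts, alerts that cleared) between two matching runs."""
    return sorted(set(current) - set(previous)), sorted(set(previous) - set(current))


def run_demo() -> dict:
    """Three points in time: advisory published, then the component upgraded."""
    inventory = parse_build_output(BUILD_OUTPUT)
    feed_day1 = [Advisory("ADV-0001", "com.example", "json-parser", (1, 0, 0), (1, 4, 3))]
    # Day 2: a new advisory appears. Nothing is rebuilt or rescanned; the stored
    # inventory is simply re-matched against the updated feed.
    feed_day2 = feed_day1 + [Advisory("ADV-0002", "org.example", "logging-core", (2, 0, 0), None)]
    day1 = match(inventory, feed_day1)
    day2 = match(inventory, feed_day2)
    new_on_day2, _ = diff_alerts(day1, day2)
    # Day 3: json-parser is upgraded to the fixed version; its alert clears.
    upgraded = [Component(c.group, c.artifact, (1, 4, 3)) if c.artifact == "json-parser" else c
                for c in inventory]
    day3 = match(upgraded, feed_day2)
    _, cleared_on_day3 = diff_alerts(day2, day3)
    return {"day1": day1, "day2": day2, "new_on_day2": new_on_day2,
            "day3": day3, "cleared_on_day3": cleared_on_day3}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point of `diff_alerts` is the "alerts when discovered and when fixed" row: because the inventory is stored per build rather than re-derived by a scan, a feed update or a dependency upgrade can be turned into a delta immediately, without waiting for the next release-time scan.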