Maybe the request will come from your CEO, following a request from the board of directors; maybe it will come from a large customer that needs to validate the provenance of its software supply chain; or perhaps it will come from your legal team, which needs to certify the company's intellectual property.
But one day you will be asked to provide an open source inventory report: a detailed bill of materials (BoM) listing every open source component in your code, including all dependencies and their associated licenses.
If you're currently tracking your open source usage manually, via spreadsheets and emails, or semi-manually, with ticketing software, this is probably causing a lot of headaches. Even if your team succeeds in keeping an accurate record of your open source components and their licenses this way, tracking each component's dependencies (direct and transitive), and the license of each of those dependencies, is almost impossible by hand.
You could leave it to code scanning and give your manual tracking a "final check" before the finish line, but this approach has proved expensive and time-consuming. It produces many false positives and a lot of overhead for developers sifting through reports after the scan. It requires developers to halt development at a critical time. It exposes your proprietary code to the scanning process. It is not preventive: corrections made after the scan can introduce problematic components without anyone noticing. It is also a point-in-time snapshot, so it doesn't help with bugs or vulnerabilities that the open source community reports after release.
WhiteSource constantly and automatically detects all open source components in your code and cross-references them against a continuously updated database of over 3,000,000 open source libraries, so you are notified immediately if an issue arises in one of the open source libraries you use. It also checks every open source component against your automated policies to make sure each one complies with your company's rules.
With WhiteSource, a complete, accurate, up-to-the-minute inventory is available in one click. You can generate an inventory report that details, in real time, all of your open source components, their origin libraries, dependencies, licenses, occurrence locations throughout your build, and any relevant new versions, security vulnerabilities, or compliance requirements.
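As an added illustration (not WhiteSource's code and not part of the original post), the script below shows the part of this job that a spreadsheet cannot do: walking a dependency graph to enumerate direct and transitive components, attaching each one's license, recording the path through which it entered the build (the "occurrence location"), and checking the result against a license policy. The package names, versions, licenses and the denied-license list are constructed sample data; a real tool would read them from a lockfile or build manifest. The sample graph deliberately contains a diamond dependency and a cycle, which a naive recursive walk would double-count or loop on.

```python
"""Build an open source inventory (bill of materials) from a dependency graph.

Added example, not WhiteSource's code. All package data here is constructed.
"""
from collections import deque

# Constructed sample metadata: name -> (version, SPDX license id or None, direct deps).
# "zlib-like" is reached by two paths (a diamond); "cyclic-a"/"cyclic-b" form a cycle.
SAMPLE_PACKAGES = {
    "web-framework":   ("3.1.0",  "MIT",          ["http-parser", "template-engine"]),
    "http-parser":     ("1.4.2",  "Apache-2.0",   ["zlib-like"]),
    "template-engine": ("2.0.1",  "BSD-3-Clause", ["zlib-like", "markdown-lib"]),
    "zlib-like":       ("1.2.13", "Zlib",         []),
    "markdown-lib":    ("0.9.0",  "GPL-3.0-only", ["cyclic-a"]),
    "cyclic-a":        ("0.1.0",  None,           ["cyclic-b"]),   # license unknown
    "cyclic-b":        ("0.1.0",  "MIT",          ["cyclic-a"]),
}

# Hypothetical company policy: licenses that may not ship inside proprietary code.
DENIED_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}


def build_inventory(direct_deps, packages=SAMPLE_PACKAGES):
    """Return {name: record} for every direct and transitive dependency.

    Each record holds version, license, whether the component is a direct
    dependency, its depth below the project, and the shortest path that pulls it
    in. A breadth-first walk with a visited set records a diamond dependency once
    (with the shortest path) and terminates on cycles.
    """
    inventory = {}
    queue = deque((name, [name]) for name in direct_deps)
    while queue:
        name, path = queue.popleft()
        if name in inventory:
            continue  # already recorded via a shorter or equal path
        version, license_id, deps = packages.get(name, ("unknown", None, []))
        inventory[name] = {
            "version": version,
            "license": license_id,
            "direct": len(path) == 1,
            "depth": len(path),
            "via": " -> ".join(path),
        }
        for dep in deps:
            queue.append((dep, path + [dep]))
    return inventory


def policy_violations(inventory, denied=DENIED_LICENSES):
    """Return sorted (name, reason) pairs for components that fail the policy.

    An unknown license is treated as a violation: it cannot be approved, and it
    is exactly the transitive gap a manual process tends to miss.
    """
    violations = []
    for name, rec in sorted(inventory.items()):
        if rec["license"] is None:
            violations.append((name, "license unknown"))
        elif rec["license"] in denied:
            violations.append((name, "denied license " + rec["license"]))
    return violations


def render_report(inventory, violations):
    """Render the inventory as plain text, one component per line."""
    lines = ["component        version  license       kind        via"]
    for name, rec in sorted(inventory.items(), key=lambda kv: (kv[1]["depth"], kv[0])):
        kind = "direct" if rec["direct"] else "transitive"
        lines.append(f"{name:16} {rec['version']:8} {rec['license'] or 'UNKNOWN':13} {kind:11} {rec['via']}")
    lines.append("")
    lines.append(f"policy violations: {len(violations)}")
    lines.extend(f"  {name}: {reason}" for name, reason in violations)
    return "\n".join(lines)


if __name__ == "__main__":
    inv = build_inventory(["web-framework"])
    print(render_report(inv, policy_violations(inv)))
```

Run as-is, the report lists seven components for a project with a single direct dependency, shows that `zlib-like` entered through `http-parser` rather than being counted twice, and flags `markdown-lib` (a GPL-3.0-only library three levels down) and `cyclic-a` (no declared license) as the two items legal would need to hear about. Swap `SAMPLE_PACKAGES` for metadata parsed from your real lockfile and `DENIED_LICENSES` for your own policy to get a first-cut inventory.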