Developers usually choose open source components based on their functionality, but companies must consider other aspects like licenses and vulnerabilities.
Therefore, many companies define open source policies to specify what components are acceptable, what can't be used and what requires further review. These policies usually include a white-list and a black-list of open source licenses, a severity threshold for security and quality bugs, a maximum age of components and more.
Due to the frequent use of open source components, enforcing these policies manually usually creates a bottleneck in your development process, so what can you do to avoid this?
Automate your open source policies
By setting up an automated policy, you can reduce the number of new components you need to manually review by 75-90%.
Automating the request and review process for open source components gives you tighter control over what gets in, speeds up development because developers no longer wait for a manual approval before adding each component, and frees the time developers currently spend filing requests and reviewing components.
Enforce your policies through the software development lifecycle
WhiteSource enables you to enforce your open source policies throughout your software development process.
Using our browser plug-in selection tool, your developers can see whether a component meets your organization's policies while searching public repositories, without downloading it. This lets developers make the right choice the first time, rather than integrating incompatible components only to find out later that they have to be replaced.
Screenshot of the selection tool with repository
Furthermore, automating your open source policy enforcement gives you better control over your open source usage. By defining the acceptable parameters up front, you can be sure that no unacceptable component sneaks into your products.
Once a component is selected and added to your build, WhiteSource detects it automatically the next time the build runs and evaluates it against your automated policies.
If the component meets your company's policies, it is approved; if it violates them, it is rejected. In that case you receive an email notification explaining the reason for the rejection, or you can go further and set up rules that fail the build. If a component is neither approved nor rejected, an email requesting a manual review is sent to the contacts you designate.
Base your policy on different parameters
A policy can be defined on almost any attribute: security vulnerabilities, open source license type, software bug severity, or even the age of a component. You can also set up a policy that checks components from a specific vendor, add attributes to your open source components, and create your own custom rules.
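The following is an added illustration, not WhiteSource's code or policy format: a minimal policy engine in Python that applies the kinds of rules described above (a license allow-list and deny-list, a CVSS severity threshold, a maximum component age) to a set of components and returns the three-way verdict the post describes: approved, rejected, or sent for manual review. The policy values, component names, dates and scores are constructed for the example; the "fail the build" rule is implemented as a boolean the CI job can act on.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed policy values (assumptions for this example, not a vendor format).
POLICY = {
    "allowed_licenses": {"MIT", "Apache-2.0", "BSD-3-Clause"},
    "denied_licenses": {"GPL-3.0-only", "AGPL-3.0-only"},
    "max_cvss": 7.0,          # any known vulnerability at or above this score rejects
    "max_age_days": 3 * 365,  # releases older than this need a human look
}

# Fixed "today" so the age rule is deterministic (assumption for the example).
TODAY = date(2024, 6, 1)


@dataclass
class Component:
    name: str
    version: str
    license: str
    released: date
    cvss_scores: list = field(default_factory=list)  # one score per known vulnerability


def evaluate(component, policy, today=TODAY):
    """Return (verdict, reasons) where verdict is 'approved', 'rejected' or 'review'.

    Hard violations (denied license, severe vulnerability) reject outright.
    Soft findings (license not on the allow-list, old release) go to manual review.
    """
    reasons = []
    if component.license in policy["denied_licenses"]:
        reasons.append(f"license {component.license} is denied")
    worst = max(component.cvss_scores, default=0.0)
    if worst >= policy["max_cvss"]:
        reasons.append(f"vulnerability CVSS {worst} >= threshold {policy['max_cvss']}")
    if reasons:
        return "rejected", reasons

    if component.license not in policy["allowed_licenses"]:
        reasons.append(f"license {component.license} is not on the allow-list")
    age_days = (today - component.released).days
    if age_days > policy["max_age_days"]:
        reasons.append(f"released {age_days} days ago, limit is {policy['max_age_days']}")
    if reasons:
        return "review", reasons
    return "approved", []


def evaluate_all(components, policy, today=TODAY):
    """Map 'name@version' to its (verdict, reasons) pair."""
    return {f"{c.name}@{c.version}": evaluate(c, policy, today) for c in components}


def build_should_fail(decisions, fail_on_review=False):
    """Rejections always fail the build; pending reviews fail it only if configured to."""
    return any(
        verdict == "rejected" or (fail_on_review and verdict == "review")
        for verdict, _ in decisions.values()
    )


# Constructed sample inventory (hypothetical component names and data).
SAMPLE = [
    Component("fastjson-lite", "2.1.0", "Apache-2.0", date(2024, 1, 15), [3.1]),
    Component("deserializer", "0.9.2", "MIT", date(2023, 11, 2), [9.8, 5.0]),
    Component("copyleft-db", "1.0.0", "AGPL-3.0-only", date(2024, 3, 1)),
    Component("legacy-xml", "1.4.7", "BSD-3-Clause", date(2016, 8, 30)),
    Component("odd-license", "3.0.0", "Zlib", date(2024, 2, 1)),
]


def run_sample():
    """Evaluate the constructed inventory against POLICY at the fixed TODAY."""
    return evaluate_all(SAMPLE, POLICY, TODAY)


if __name__ == "__main__":
    decisions = run_sample()
    for key, (verdict, reasons) in decisions.items():
        print(f"{key}: {verdict}" + (f" ({'; '.join(reasons)})" if reasons else ""))
    print("fail build:", build_should_fail(decisions))
```

Each "review" verdict corresponds to the manual-review notification described above, and the reasons list is what an email or build log would carry; in a real pipeline the inventory would come from the build's resolved dependency list rather than a hard-coded sample.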
WhiteSource gives you complete control and visibility over your open source usage throughout your software development lifecycle (SDLC).