Using a Spreadsheet to Manage Open Source Components? There’s a Better Way…

Are you using a spreadsheet to manage the open source components in your software?

There is an easier and better way. Here's why:

1. With a spreadsheet, you have to list all of your open source components yourself.

Open source libraries use other open source libraries, and so on…

So if you have a list of 100 open source components in your code, there could be 500 open source components that you are using.

It is just impossible to list them all.

2. With a spreadsheet, there’s nothing that stops your developers from adding new open source components, whenever they want to.

Using a spreadsheet means that your team has to report to you every time they add a new open source component.

They may forget. They may not be sure what exactly they added.

And, per (1) above, they cannot discover and report on all the sub-components (a single open source component they decide to use can pull in tens of them).

3. With a spreadsheet, you have no way to quickly decide whether newly added open source components can be used – from technical and legal perspectives.

That means that you may end up with components that you are not allowed to use in your software.

So down the line, you may have to ask a developer to remove a component after it has already been integrated into your software. The result may be a costly loss of effort and frustration. If you are just about to release a new version and cannot find a good enough replacement, this can turn into a small crisis. The crisis may be even bigger if a problematic component is discovered during an important due diligence process…

4. With a spreadsheet, for each component (of the hundreds in your code), you have to constantly check online repositories for bug and vulnerability announcements.

Since the open source components you use are now part of your product, you must track their bugs and security vulnerabilities as if they were in your code.

You have to figure out which security vulnerability announcements affect open source components that you use, and, when necessary, quickly patch your software with the right fix.
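Points (1) and (4) above are exactly what a dependency scanner automates: walk the full dependency graph to find every sub-component, then compare each one's version against the advisories published for it. The following is an added example, not code from the original post; the dependency graph, version numbers and advisory ids are constructed placeholders, not real packages or real CVEs.

```python
from collections import deque

# Constructed sample: the versions installed and what each library pulls in.
VERSIONS = {
    "web-framework": "4.1.0", "template-engine": "2.0.3", "http-client": "1.9.2",
    "url-parser": "0.4.0", "json-codec": "3.2.1", "logger": "1.0.0",
}
DEPENDS_ON = {
    "web-framework": ["template-engine", "http-client", "logger"],
    "template-engine": ["logger"],
    "http-client": ["url-parser", "json-codec"],
    "url-parser": [], "json-codec": ["logger"], "logger": [],
}
# Only two components were added deliberately; the rest arrive transitively.
DIRECT = ["web-framework", "json-codec"]

# Constructed advisories (placeholder ids, not real CVEs): every version
# strictly below "fixed_in" is affected.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "package": "url-parser", "fixed_in": "0.5.0"},
    {"id": "ADV-EXAMPLE-002", "package": "logger", "fixed_in": "0.9.0"},
    {"id": "ADV-EXAMPLE-003", "package": "left-pad-clone", "fixed_in": "1.0.1"},
]

def parse_version(v):
    """Dotted numeric version -> comparable tuple, e.g. "1.9.2" -> (1, 9, 2)."""
    return tuple(int(part) for part in v.split("."))

def transitive_closure(direct, depends_on):
    """Breadth-first walk from the direct components. Returns every component
    reached, mapped to the path through which it was first pulled in."""
    paths = {}
    queue = deque((name, [name]) for name in direct)
    while queue:
        name, path = queue.popleft()
        if name in paths:          # already reached via a shorter path
            continue
        paths[name] = path
        for child in depends_on.get(name, []):
            queue.append((child, path + [child]))
    return paths

def match_advisories(paths, versions, advisories):
    """Report each advisory whose package is in the graph at an affected version,
    with the dependency path so the responsible direct component is obvious."""
    hits = []
    for adv in advisories:
        pkg = adv["package"]
        if pkg in paths and parse_version(versions[pkg]) < parse_version(adv["fixed_in"]):
            hits.append({"id": adv["id"], "package": pkg, "version": versions[pkg],
                         "via": " -> ".join(paths[pkg])})
    return hits
```

Running `match_advisories(transitive_closure(DIRECT, DEPENDS_ON), VERSIONS, ADVISORIES)` on this sample flags `url-parser`, a component nobody on the team added by hand, reached through `web-framework -> http-client`.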

5. Your CEO, sales team, partners, and customers all expect you to always know what’s in your code and how it can affect your product and their operations.

For all the reasons above, this is impossible when using a spreadsheet.