Continuous License Compliance-Analysis

Transcript

1. Automated License Complicance Analysis Navigate : Space / Arrow Keys

   | - Menu | - Fullscreen | - Overview | - Blackout | - Speaker | - Help M F O B S ?  1 / 18

2. Are we legal? Image [ GitPitch @ github/mkoertgen/license.automation ] 

   2 / 18

3. Are we legal? Image [ GitPitch @ github/mkoertgen/license.automation ] 

   3 / 18

4. the cost of open source licensing compliance Proper licensing and

   copyright compliance, implemented as part of the normal QA process, can yield savings of between and 40% and 65%, relative to the potential costs of non- compliance. [ GitPitch @ github/mkoertgen/license.automation ]  4 / 18

5. Some Terminology Software Asset Management (SAM) Software Composition Analysis (SCA)

   [ GitPitch @ github/mkoertgen/license.automation ]  5 / 18

6.  Managing Open Source Licensing Do nothing Developer training and

   project planning Post-dev license analysis and correction Periodic assessment, automated Real-time preventive assistance at developer workstation [ GitPitch @ github/mkoertgen/license.automation ]  6 / 18

7. Types of Software Components Source Code  Dependencies  Services

    [ GitPitch @ github/mkoertgen/license.automation ]  7 / 18

8. Deep Code Scanning Example: Scan for license notice, similar code

   (active research) This file is part of Foobar. Foobar is free software: you can redistribute it and/or modif it under the terms of the GNU General Public License as publi ... [ GitPitch @ github/mkoertgen/license.automation ]  8 / 18

9. Some Code Scanners  nexB/scancode-toolkit AboutCode.Org Ninka [ GitPitch @

   github/mkoertgen/license.automation ]  9 / 18

10. Dependency Scanning  FOSSA pivotal-legacy/LicenseFinder [ GitPitch @ github/mkoertgen/license.automation ]

     10 / 18

11. Demo [ GitPitch @ github/mkoertgen/license.automation ]  11 / 18

12. STEP 1. Deploy license scanner Using git git clone https://github.com/mkoertgen/license.automation.git

    cd license.automation docker-compose up -d [ GitPitch @ github/mkoertgen/license.automation ]  12 / 18

13. STEP 2. Add webhook (Github)  Settings -> Webhook ->

    Add webhook [ GitPitch @ github/mkoertgen/license.automation ]  13 / 18

14. STEP 2. Add webhook (Gitlab)  Settings -> Integration [

    GitPitch @ github/mkoertgen/license.automation ]  14 / 18

15. STEP 3. View dashboard Review licenses in Kibana dashboard [

    GitPitch @ github/mkoertgen/license.automation ]  15 / 18

16. Costs of Licensing Policy Violations $20,000 cost of licensing non-compliance

    discovered in the eld $1,500 cost of licensing non-compliance discovered during QA $40 to x policy violation at developer's workstation [ GitPitch @ github/mkoertgen/license.automation ]  16 / 18

17.  Observations from Analysis Scenarios The larger the project, the

    higher the probability of compliance violations Ignoring licensing compliance can be costly, and it is di cult to put an upper limit on the cost of shipping non-compliant software Corrective analysis, using automated toolsperiodically/during QA reduces overall cost signi cantly [ GitPitch @ github/mkoertgen/license.automation ]  17 / 18

18. Questions? Reach out  @mkoertg  mkoertgen  @marcel.koertgen [

    GitPitch @ github/mkoertgen/license.automation ]  18 / 18