Open Source Compliance Scanner
The ActiveState Platform provides organizations with the capabilities of a number of open source compliance tools, including:
- A software composition analysis tool that provides software Bill Of Materials (BOM)
- Automated open source vulnerability remediation
- Programmatic identification of open source licenses
Open Source Governance
Open source makes up >80% of applications, so it’s important that organizations establish open source governance, which can include policies and guidelines around its use. For example:
- Which open source packages and dependencies are viable for inclusion in a project’s codebase?
- Which open source licenses are approved for use?
- How should Common Vulnerabilities and Exposures (CVEs) be remediated?
The ActiveState Platform is a universal package management solution for Python, Perl and Tcl programming languages that provides organizations with the capabilities of an open source compliance scanner:
- Understand which packages and dependencies are being used by which development teams
- Identify and remediate open source vulnerabilities
- Identify open source licenses used in each project
As a result, managers can centrally establish and maintain open source oversight across their extended enterprise.
Software Bill of Materials
A BOM identifies all the open source packages and dependencies associated with your application, since you can’t manage what you don’t know you have. The BOM is key to identifying at a glance outliers, issues and errors that require further investigation on a per project basis.
The ActiveState Platform provides organizations with the capabilities of an open source compliance scanner. It delivers a comprehensive list of ingredients required to build your application, including:
- The version of the programming language for the project (Python, Perl and Tcl)
- Open source packages from the language’s ecosystem, as well as their dependencies
- Transitive dependencies (i.e., dependencies of dependencies)
- Shared libraries (e.g., OpenSSL, which is shared across all the platforms you support)
- Operating system (OS)-level dependencies
- Configurations (e.g., metadata such as version number, open source license, etc.)
- A Common Vulnerabilities and Exposures (CVE) report, showing vulnerabilities for each component
A typical BOM might look like the following:
The BOM not only identifies all packages and dependencies, but also which ones have CVEs, as well as links to the National Vulnerability Database that explain each in detail.
Comply with Security Policies
With the escalating number of open source vulnerabilities reported over the past few years, keeping up with them has never been more difficult, or more important, as cyber-attacks also continue to rise. But the Mean Time To Remediate (MTTR) vulnerabilities is often measured in weeks, if not months.
The ActiveState Platform not only builds all dependencies from source code for Windows, Linux and Mac, ensuring developers start with a secure development environment, but also provides organizations with the capabilities of an open source compliance scanner to help maintain security over time. The ActiveState Platform can help you reduce MTTR by providing:
- Status updates when your Python, Perl or Tcl environment is vulnerable, similar to GitHub
- A PDF report showing the severity level and details for each vulnerability
- The ability to fix and automatically rebuild your environment with secure open source components in minutes, speeding remediation
Because the ActiveState Platform tracks multiple versions of all your components, you can remediate vulnerabilities at the OS, package and dependency level by simply selecting a non-vulnerable version. The ActiveState Platform can save considerable time and effort by automatically rebuilding your environment, ready to be pulled into your CI/CD pipeline for testing.
A list of known vulnerabilities can also be generated using the ActiveState Platform’s command line interface (CLI), the State Tool.
Comply with Licensing Policies
Legal teams implement open source licensing policies to protect against IP infringement and lawsuits. But identifying the licenses associated with every open source component in your application can be difficult, since:
- Without a complete open source software bill of materials, you may miss some open source components and their licenses
- Components may have no stated license, increasing the risk of utilizing them
- Components may contain sub-components that have conflicting licenses, making it difficult to understand whether the overall license complies with your policy
The ActiveState Platform can help you mitigate license risk by providing a complete bill of materials, along with the license associated with each component. You can use the ActiveState Platform’s API to programmatically retrieve and identify the licenses associated with every open source component in a project’s codebase, allowing you to automate open source license compliance.
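As an added illustration (not ActiveState's code or API), the following Python checks a constructed bill of materials against the governance questions raised above: approved licenses, components with no stated license, and CVE severity, walking transitive dependencies so that a vulnerable dependency-of-a-dependency is caught. The BOM contents, package names and versions, the CVE id and the policy values are all assumed.

```python
# Added example (not ActiveState code): evaluate a constructed BOM against an
# open source governance policy. The BOM shape, the package names/versions,
# the CVE id and the policy values are all made up for illustration.
from dataclasses import dataclass, field
from typing import Optional

APPROVED_LICENSES = {"MIT", "BSD-3-Clause", "Apache-2.0", "PSF-2.0"}
MAX_SEVERITY = "MEDIUM"  # anything above this level is a policy violation
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

@dataclass
class Component:
    name: str
    version: str
    license: Optional[str]                      # None = no stated license
    cves: list = field(default_factory=list)    # (cve_id, severity) pairs
    depends_on: list = field(default_factory=list)

# Constructed BOM: "requests" pulls in "urllib3" transitively.
BOM = {
    "requests": Component("requests", "2.0.0", "Apache-2.0", depends_on=["urllib3"]),
    "urllib3": Component("urllib3", "1.0.0", "MIT", cves=[("CVE-PLACEHOLDER-1", "HIGH")]),
    "readline": Component("readline", "6.0.0", "GPL-3.0-only"),
    "mystery": Component("mystery", "0.1", None),
}

def check_policy(bom, roots):
    """Walk the dependency graph from the project's direct deps; return sorted findings."""
    findings, seen, stack = [], set(), list(roots)
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        c = bom[name]
        if c.license is None:
            findings.append((name, "no stated license"))
        elif c.license not in APPROVED_LICENSES:
            findings.append((name, f"license {c.license} not approved"))
        for cve_id, sev in c.cves:
            if SEVERITY_RANK[sev] > SEVERITY_RANK[MAX_SEVERITY]:
                findings.append((name, f"{cve_id} severity {sev} exceeds {MAX_SEVERITY}"))
        stack.extend(c.depends_on)   # follow transitive dependencies
    return sorted(findings)
```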
For example, running a license API query on our ActivePython project returns:
Ready to see for yourself? You can try the ActiveState Platform by signing up for a free account using your email or GitHub credentials. Or sign up for a free demo and let us show you how you can implement secure dependency scanning in your organization.
Frequently Asked Questions
An open source scanner, sometimes called an open source compliance scanner or software composition analysis tool, provides organizations with three key reports:
- A software bill of materials for all dependencies
- Open source license(s) per component
- A list of the security vulnerabilities showing the severity level for each open source component
The ActiveState Platform provides all the capabilities of an open source scanning tool for Python, Perl and Tcl projects. Sign up for a free account to try it out, or sign up for a free demo and let us show you how it works.
Open source compliance refers to the fact that most organizations require the open source components they use to conform to certain standards and policies. Typically, organizations measure open source compliance against three principal criteria:
- License – is the open source component suitably licensed for the organization’s purpose?
- Security – does the open source component contain vulnerabilities that conflict with the organization’s security requirements?
- Industry Standards – does the open source component comply with government and industry standards such as PCI-DSS, SOX, FedRAMP, etc.?
The ActiveState Platform can provide organizations with the ability to identify the security status and licensing for all Python, Perl and Tcl open source components. To understand how the ActiveState Platform can help you identify security vulnerabilities, read How To Remediate Your Open Source Vulnerabilities Quicker.
GPL, or GNU General Public License, is a “copyleft” license that an open source author might attach to their open source software. It comes with a number of permissions and restrictions, including:
- Permission to modify the work, as well as to copy and redistribute the work or any derivative version.
- Permission for inclusion in commercial products
- Inability to impose further restrictions on the rights granted by the GPL
- Programs distributed as pre-compiled binaries must be accompanied by a copy of the source code, a written offer to distribute the source code via the same mechanism as the pre-compiled binary, or the written offer to obtain the source code that the user got when they received the pre-compiled binary under the GPL.
For more information on open source software licenses and their requirements, refer to License to Code: How to Mitigate Open Source License Risks.
Organizations employ open source scanning for multiple reasons, but chief among them are:
- Ensure license compliance in order to mitigate the risk of IP lawsuits
- Ensure security by identifying the number and severity level of vulnerabilities
- Create a software bill of materials in order to identify and track all open source components in their applications
Open source software scanners like the ActiveState Platform can be used for these purposes, while letting every stakeholder in the enterprise monitor the risk associated with the open source in use. Sign up for a free account to try out the ActiveState Platform, or sign up for a free demo and let us show you how it works.