Open Source Compliance Scanner
The ActiveState Platform provides organizations with the capabilities of a number of open source compliance tools, including:
- A software composition analysis tool that provides software Bill Of Materials (BOM)
- Automated open source vulnerability remediation
- Programmatic identification of open source licenses
Open Source Governance
Open source makes up more than 80% of the code in a typical application, so organizations need open source governance: policies and guidelines covering how open source is used. Such policies typically answer questions like:
- Which open source packages and dependencies are viable for inclusion in a project's codebase?
- Which open source licenses are approved for use?
- How should Common Vulnerabilities and Exposures (CVEs) be remediated?
An open source compliance scanner supports these policies by helping you:
- Understand which packages and dependencies are being used by which development teams
- Identify and remediate open source vulnerabilities
- Identify the open source licenses used in each project
Software Bill of Materials
A BOM identifies all the open source packages and dependencies associated with your application, since you can't manage what you don't know you have. The BOM is key to identifying, at a glance, the outliers, issues and errors that require further investigation on a per-project basis. The ActiveState Platform provides organizations with the capabilities of an open source compliance scanner. It delivers a comprehensive list of the ingredients required to build your application, including:
- The version of the programming language used by the project (Python, Perl or Tcl)
- Open source packages from the language's ecosystem, as well as their dependencies
- Transitive dependencies (i.e., dependencies of dependencies)
- Shared libraries (e.g., OpenSSL, which is shared across all the platforms you support)
- Operating system (OS)-level dependencies
- Configuration metadata (e.g., version number, open source license)
- A Common Vulnerabilities and Exposures (CVE) report, showing vulnerabilities for each component
Comply with Security Policies
With the number of open source vulnerabilities reported each year continuing to climb, keeping up with them has never been more difficult, or more important, as cyber-attacks also continue to rise. Yet the Mean Time To Remediate (MTTR) a vulnerability is often measured in weeks, if not months. The ActiveState Platform builds all dependencies from source code for Windows, Linux and Mac, giving developers a consistently built starting environment, and also provides organizations with the capabilities of an open source compliance scanner to help maintain security over time. The ActiveState Platform can help you reduce MTTR by providing:
- Status updates when your Python, Perl or Tcl environment is vulnerable, similar to GitHub's dependency alerts
- A PDF report showing the severity level and details for each vulnerability
- The ability to fix and automatically rebuild your environment with patched open source components in minutes, speeding remediation
Comply with Licensing Policies
Legal teams implement open source licensing policies to protect against IP infringement and lawsuits. But identifying the licenses associated with every open source component in your application can be difficult, since:
- Without a complete open source software bill of materials, you may miss some open source components and their licenses
- Components may have no stated license, increasing the risk of using them (absent a license, copyright law grants no right to copy or redistribute the code by default)
- Components may contain sub-components with conflicting licenses, making it difficult to determine whether the overall license complies with your policy
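The two sections above describe what a compliance scanner produces (a BOM that includes transitive dependencies, a per-component license check and a vulnerability report) without showing the mechanics. The following is an added illustration written for this page, not ActiveState Platform code. Every package name, version, license assignment and advisory ID in it is constructed for the example; the graph walk, license-policy evaluation and version-range matching are the parts worth reading.

```python
"""Minimal open source compliance scan over constructed data.

Added illustration, not ActiveState Platform code. Package names, versions,
licenses and advisory IDs below are invented for the example.
"""
from collections import deque

# Constructed dependency graph: what each component declares it needs.
DEPENDENCIES = {
    "webapp": ["acme-web==3.2.0", "reportlib==1.4.0"],
    "acme-web==3.2.0": ["netkit==1.8.1", "certbundle==2024.1"],
    "reportlib==1.4.0": ["pdfcore==0.9.1"],
    "netkit==1.8.1": ["certbundle==2024.1"],  # shared by two parents
    "certbundle==2024.1": [],
    "pdfcore==0.9.1": [],
}

# Constructed license metadata; None models a component with no stated license.
LICENSES = {
    "acme-web==3.2.0": "Apache-2.0",
    "reportlib==1.4.0": "MIT",
    "netkit==1.8.1": "MIT",
    "certbundle==2024.1": None,
    "pdfcore==0.9.1": "GPL-3.0-only",
}

# Constructed advisories: versions strictly below fixed_in are affected.
ADVISORIES = {
    "netkit": [{"id": "ADV-EXAMPLE-1", "fixed_in": "1.8.2", "severity": "HIGH"}],
    "pdfcore": [{"id": "ADV-EXAMPLE-2", "fixed_in": "0.9.0", "severity": "CRITICAL"}],
}

APPROVED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}  # hypothetical policy
COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only",
            "GPL-3.0-or-later", "AGPL-3.0-only"}
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


def build_sbom(root, graph):
    """Breadth-first walk from root; returns {component: depth}, depth 1 = direct.
    Each node is recorded once, so shared or cyclic dependencies are not re-walked."""
    sbom = {}
    queue = deque((dep, 1) for dep in graph.get(root, []))
    while queue:
        comp, depth = queue.popleft()
        if comp in sbom:
            continue
        sbom[comp] = depth
        queue.extend((dep, depth + 1) for dep in graph.get(comp, []))
    return sbom


def license_findings(sbom, graph, licenses, approved):
    """Flag missing licenses, unapproved licenses, and copyleft sub-components
    pulled in under a permissively licensed parent (a conflict to review)."""
    findings = []
    for comp in sbom:
        lic = licenses.get(comp)
        if lic is None:
            findings.append((comp, "no stated license"))
        elif lic not in approved:
            findings.append((comp, f"{lic} is not an approved license"))
        for sub in graph.get(comp, []):
            sub_lic = licenses.get(sub)
            if sub_lic in COPYLEFT and lic is not None and lic not in COPYLEFT:
                findings.append((comp, f"{lic} component depends on {sub} "
                                       f"({sub_lic}); review combined-work terms"))
    return findings


def parse_version(v):
    """Dotted numeric versions only; enough for the constructed data."""
    return tuple(int(p) for p in v.split("."))


def vulnerability_report(sbom, advisories):
    """Return (component, advisory id, severity) tuples, most severe first."""
    report = []
    for comp in sbom:
        name, version = comp.split("==")
        for adv in advisories.get(name, []):
            if parse_version(version) < parse_version(adv["fixed_in"]):
                report.append((comp, adv["id"], adv["severity"]))
    return sorted(report, key=lambda r: SEVERITY_RANK[r[2]])


def scan(root, graph=DEPENDENCIES, licenses=LICENSES,
         advisories=ADVISORIES, approved=APPROVED_LICENSES):
    sbom = build_sbom(root, graph)
    return {
        "sbom": sbom,
        "licenses": license_findings(sbom, graph, licenses, approved),
        "vulnerabilities": vulnerability_report(sbom, advisories),
    }


if __name__ == "__main__":
    result = scan("webapp")
    for comp, depth in sorted(result["sbom"].items(), key=lambda kv: (kv[1], kv[0])):
        print(f"{'  ' * (depth - 1)}{comp}  license={LICENSES.get(comp)}")
    for comp, issue in result["licenses"]:
        print("LICENSE:", comp, "-", issue)
    for comp, adv_id, sev in result["vulnerabilities"]:
        print("VULN:", sev, comp, adv_id)
```

Run as a script it prints the five-component BOM (certbundle appears once despite having two parents), three license findings (a component with no license, a GPL component outside the approved set, and an MIT component whose sub-dependency is GPL), and one advisory for netkit; pdfcore is not reported because its version is at or above the fix. Real scanners replace the inline dictionaries with package metadata and CVE feeds and need a proper version-comparison library, but the shape of the check is the same.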
Frequently Asked Questions
What is open source scanning?
An open source scanner, sometimes called an open source compliance scanner or software composition analysis tool, provides organizations with three key reports:
- A software bill of materials for all dependencies
- Open source license(s) per component
- A list of the security vulnerabilities, with a severity level, for each open source component
What is Open Source Compliance?
Open source compliance refers to the fact that most organizations require the open source components they use to conform to certain standards and policies. Typically, organizations measure open source compliance against three principal criteria:
- License – is the open source component suitably licensed for the organization’s purpose?
- Security – does the open source component contain vulnerabilities that conflict with the organization’s security requirements?
- Industry Standards – does the open source component comply with government and industry standards such as PCI DSS, SOX or FedRAMP?
What is a GPL License?
GPL, or GNU General Public License, is a "copyleft" license that an open source author might attach to their software. It comes with a number of permissions and obligations, including:
- Permission to modify the work, and to copy and redistribute the work or any derivative version, provided the result is licensed under the GPL as well
- Permission for inclusion in commercial products, on the same terms
- Inability to impose further restrictions on the rights granted by the GPL
- Programs distributed as pre-compiled binaries must be accompanied by the corresponding source code, by a written offer (valid for at least three years) to provide that source code, or, for non-commercial distribution only, by the written offer the distributor themselves received with the binary
What are the benefits of open source scanning?
Organizations employ open source scanning for multiple reasons, but chief among them are:
- Ensure license compliance in order to mitigate the risk of IP lawsuits
- Ensure security by identifying the number and severity level of vulnerabilities
- Create a software bill of materials in order to identify and track all open source components in their applications
Ready to Get Started?
Build your Python, Perl, Ruby, and Tcl dependencies from source and get a secure and easy-to-share project.
© 2024 ActiveState Software Inc. All rights reserved. ActiveState®, ActivePerl®, ActiveTcl®, ActivePython®, Komodo®, ActiveGo™, ActiveRuby™, ActiveNode™, ActiveLua™, and The Open Source Languages Company™ are all trademarks of ActiveState.