Software Provenance Analysis Acquisition Due DiligenceCopyright 2018 nexB Inc.
Agenda About nexB– What nexB does– Our experience Software Audit Due Diligence– Software Audit Process– Software Audit Tools & Techniques– Lessons Learned Why nexBCopyright 2018 nexB Inc.
About nexBWhat nexB doesOSS Compliance Tools DejaCode governanceapplication (Cloud) AboutCode Tools Software audit services Software products AcquisitionsFor developersLicensed as OSSExpertise in all languagesActive OSS developers Copyright 2018 nexB Inc.https://github.com/nexBGoogle Summer of CodeClearlyDefinedSPDX
About nexBWhy Software Acquisition Due Diligence Modern software contains on average more than 75%open source software (OSS) As a buyer of software assets, you need to know:– What specific open source components are used and how?– Is their any Copyleft-licensed code? and exactly how does itinteract with proprietary code?– What will be your OSS compliance obligations? and how well doesthe current product comply? In summary, what are the risks that come with the rewardsof using open sourceCopyright 2018 nexB Inc.
About nexBnexB Role in Due Diligence Expertise in:– Software provenance (license and origin) analysis– Open source governance and compliance– All software languages and platforms Trusted third party– Mitigates confidentiality concerns of a seller company– Maintains proper segregation of information during acquisitionnegotiations– Enables objective analysis with appropriate consideration offeedback from all partiesCopyright 2018 nexB Inc.
Software Analysis ScopeSoftware Analysis ScopeOriginalThird PartyOpen SourceModern software products comprise 70% or more open sourceor third- party componentsCopyright 2018 nexB Inc.
Software Analysis ScopeSoftware Analysis OptionsDepending on your schedule and priorities1/ Copyleft & Commercial issues– Focus only on copyleft and commercial code2/ Deployed Bill of Materials (BOM) only– Focus on what code is actually visible to a customer3/ Deployed BOM only with Development codebase details– BOM of Development codebase components that are Deployed onthe product4/ Development Codebase Inventory– Inventory of Development codebase components– Details for Deployed components– Summary for non-DeployedCopyright 2018 nexB Inc.
Software Analysis ScopeSoftware Analysis Deliverables Specific Action items and recommended actions forresolution that can be factored into the deal terms– Including possible exposure for older product versions– Detailed analysis for copyleft “contamination” Checklist of commercial components as input to duediligence for contract review Analysis of how much code is original versus open source(OSS) or third-party (Commercial)Copyright 2018 nexB Inc.
Software Analysis ProcessPreparation – up to 1 week Establish NDA with seller– Two-way or three-way Scope audit effort– Audit profile (questionnaire)– Size of code base - # files and lines of source code– Disclosure of known third-party and open source software– Onsite or remote access to the code Prepare/agree quote – fixed fee, no surprisesSchedule projectCopyright 2018 nexB Inc.
Software Analysis ProcessPreparation Many targets are anxious about the process– General level of anxiety is inversely proportional to prior M&Aexperience of executives– We do some hand holding to make them feel comfortable– Assure seller that they review all findings first so no surprises– Explain the process and tools to the sellerCopyright 2018 nexB Inc.
Software Analysis ProcessAnalysis – up to 2 weeksActivities Scan codebases – Development andDeployment/Distribution Identify (conclude) open source and third-party packagescomponents– Create software inventory for Development codebase(s)– Trace Deployment/Distribution components to Development– Create software BOMs for Deployment/Distribution package(s) Identify issues:– Analyze software interaction and dependency patterns for copyleftlicensed components as needed– Additional domain-specific investigations may be needed– Recommend mitigation / remediation ActionsCopyright 2018 nexB Inc.
Software Analysis ProcessAnalysisResults Software Inventory and Bill(s) of Materials Draft Issues and ActionsCopyright 2018 nexB Inc.
Software Analysis ProcessReview & Report – 1 weekActivities Review draft findings with product team– Ask product team to respond to each Issue Accept recommended solution or propose another approach Acknowledge & investigate Not a request to fix anything during the audit– Incorporate feedback and answers from product team into theSoftware BOM(s) and Report– We may “agree to disagree” – e.g. we then present two points ofview: ours and the seller’s. Complete final report– Second review cycle with product team– Release the report– Conference call with buyer to present findings & answer questionsCopyright 2018 nexB Inc.
Software Analysis ProcessReview & ReportResults Final Software Inventory / BOMs spreadsheets Final Report - narrative with executive summary, projectdata and summary of Issues and ActionsCopyright 2018 nexB Inc.
Software Analysis ToolsTools We use tools from our own AboutCode project– ScanCode Toolkit - to scan code files for license, copyright andother provenance data.– AboutCode Manager - to review scan results and record licenseand copyright/owner conclusions.– AboutCode Toolkit - to document/track component license data inyour codebase(s) and generate attribution notices.– TraceCode Toolkit - to identify deployed/distributed componentsbased on tracing a product build from source to end-product. AboutCode is a nexB-sponsored open source project– Set of tools based on integrated AboutCode Data Model andindustry standards – e.g. SPDX– Get the code from https://github.com/nexBCopyright 2018 nexB Inc.
Software Analysis TechniquesTechniques Multiple layers of analysis– Discovery: direct scan for license and copyright notices– Identification: component matching for open source and publiclyavailable third-party components (freeware/proprietary)– Trace binaries back to source– Interaction and dependency analysis as needed Many utilities / tools are for specific languages / platforms– RPM and other package metadata– Docker containers Review and conclusion by software experts All require expert humans to interpret the results!Copyright 2018 nexB Inc.
Additional InformationLessons Learned – Acquisitions Schedule is always a major issue Initiate a software audit early because– Seller company will probably not have done this before– Negotiation of an NDA takes longer than you expect– Negotiation of access to artifacts and people takes longer than youthink The review of findings and recommendations may requireseveral iterations with target company– Get answers for open issues– Get agreement about remediation strategies– Get agreement that report is objective and reasonableCopyright 2018 nexB Inc.
Additional InformationLessons Learned – Acquisitions Identify the “crown jewels” and key platforms of the sellertechnology– Concentrate the audit on the most important parts– For products with multiple operating system versions, focus on themost important platforms Some issues can be specific to the open source policies ofthe Buyer– For instance tolerance for certain version of open source licensesor proprietary Linux drivers varies among companies– We apply Buyer company policies if available,– Otherwise we apply “conservative” community standards– Exceptional cases may require additional discussion with legal andand business teams to evaluate the risksCopyright 2018 nexB Inc.
Why nexB We analyze Deployment/Distribution code so that you havereal Software BOMs, not just an inventory We identify issues along with practical remediation actions 350 software audit projects completed to-dateCopyright 2018 nexB Inc.
Contact usContact person:Michael [email protected] 1 650 380 0680More /nexBCopyright 2018 nexB Inc.
Scope audit effort – Audit profile (questionnaire) – Size of code base - # files and lines of source code – Disclosure of known third-party and open source software – Onsite or remote access to the code Prepare/agree quote – fixed fee, no surprises Sche