Getting an inventory of your code versus an audit

Black Duck® introduced the concept of managing open source, and the licensing and security risks that come with it, back in 2002. The process and the products have matured over the last two decades. Open source management has now become nearly as commonplace as source code control, whether development shops are using tools such as Black Duck or simply maintaining a spreadsheet of what is in their code.

Automation in software composition analysis (SCA) has made it possible for organizations to stay on top of the ever-increasing amount of open source software being introduced into their products throughout the development life cycle. (Well more than half of a typical product code base is open source.) Including SCA as part of a continuous build and integration process provides managers with direct insight into the license compliance and security profiles of any open source component being incorporated into the build. These tools generally access information found within files that are necessary to build the software and that contain an index or inventory of open source components required by the application. This is a very effective method for open source discovery, as long as the code being analyzed contains these index or inventory files.
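As an added example (not Black Duck's code or the page's own), the following Python sketch shows manifest-based discovery as described above and the blind spot the last sentence points at: a library copied into the tree with no entry in any index or inventory file is invisible to a purely manifest-driven inventory. The repository contents, file names and the vendored-file heuristic are all constructed for this example.

```python
import json
import re

# Constructed stand-in for a small repository: path -> file content.
SAMPLE_REPO = {
    "requirements.txt": "requests==2.31.0\nurllib3>=2.0,<3\n# pinned for CVE fixes\nPyYAML==6.0.1\n",
    "package.json": json.dumps({"dependencies": {"lodash": "^4.17.21"},
                                "devDependencies": {"jest": "29.7.0"}}),
    # Third-party code dropped into the tree by hand; no manifest mentions it.
    "vendor/jquery-1.12.4.min.js": "/*! jQuery v1.12.4 | (c) jQuery Foundation */",
    "src/app.py": "import requests\n",
}

def parse_requirements(text):
    """Return {name: version_spec} from a pip requirements file (a subset of the grammar)."""
    inventory = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"([A-Za-z0-9_.\-]+)\s*(.*)", line)
        inventory[m.group(1).lower()] = m.group(2).strip() or "*"
    return inventory

def parse_package_json(text):
    """Return {name: version_spec} from the dependency sections of a package.json."""
    data = json.loads(text)
    inventory = {}
    for section in ("dependencies", "devDependencies"):
        inventory.update({k.lower(): v for k, v in data.get(section, {}).items()})
    return inventory

def manifest_inventory(repo):
    """Inventory exactly as an index/inventory-file-based SCA pass would derive it."""
    inventory = {}
    for path, content in repo.items():
        if path.endswith("requirements.txt"):
            for name, spec in parse_requirements(content).items():
                inventory[("pypi", name)] = spec
        elif path.endswith("package.json"):
            for name, spec in parse_package_json(content).items():
                inventory[("npm", name)] = spec
    return inventory

# Heuristic (constructed, not exhaustive): files under vendor/, minified bundles,
# or names carrying an embedded version number are likely copied-in third-party code.
VENDORED_FILE = re.compile(r"^vendor/|[-.]min\.js$|[-_]\d+\.\d+(\.\d+)?\.(js|c|h|py)$")

def unmanifested_files(repo):
    """Files that look like third-party code but are backed by no manifest entry."""
    return sorted(path for path in repo if VENDORED_FILE.search(path))
```

Anything reported by `unmanifested_files` is exactly what the manifest pass cannot see, which is where file- or snippet-level matching in a full audit has to take over.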