Re: Tracking third-party deployment
We do use SCA tools already, so for a given IP we can see which products’ SBOMs include that IP, and traditional compliance would be confirming that the license of that IP is compatible with the licenses of all other components in the product. But there are other questions we’d like to answer, too, when we see commercial IP turning up in a product’s scan for the first time:
At the moment, answering these questions (and others) is a somewhat painful process, often involving some poor unfortunate going back to the particular commercial agreement and reading through it again to find the necessary details. Life would be considerably simpler if we could look those details up in a database. And, if it were standard desktop software we were using, that would be possible (swidtags, etc., so my colleagues in our corporate IT dept assure me).
Conceivably, we could take something like SW360 and nail a couple dozen custom fields to it, or build a localized database ourselves and use a SW360 external ID reference, but if there are already products – commercial or open source – that anyone can recommend that already handle this, I’d love to know about them.
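As an added illustration of the lookup described above (example code written for this thread, not a tool or schema from the original posts or from SW360): a small Python script that reads the SBOM an SCA tool emits for a product, splits components into open source, known commercial IP and unknown, and flags the cases a reviewer would otherwise have to dig out of the agreement by hand. The SBOM follows the CycloneDX JSON layout; the register of commercial agreements (expiry date, which products the agreement covers) and the record of earlier scans are constructed here, and their field names are assumptions for the example rather than any product's real schema.

```python
"""Cross-check an SBOM against a register of commercial-IP agreements.

Added example: for one product SBOM, report commercial components that
are appearing in this product for the first time, agreements that have
expired or do not cover this product, and components with no agreement
on file.  All data is constructed; the register layout is an assumption.
"""
import json
from dataclasses import dataclass, field
from datetime import date

# Constructed CycloneDX-style SBOM for one product (not a real scan).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"name": "edge-gateway", "version": "3.2.0"}},
    "components": [
        {"name": "zlib", "version": "1.2.13",
         "licenses": [{"license": {"id": "Zlib"}}]},
        {"name": "AcmeCodec", "version": "7.1",
         "licenses": [{"license": {"name": "Commercial"}}]},
        {"name": "FooCrypt", "version": "2.0",
         "licenses": [{"license": {"name": "Commercial"}}]},
        {"name": "MysteryLib", "version": "0.9"},
    ],
})

# Constructed register of commercial agreements, keyed by component name
# (a SW360 external ID would serve the same purpose).  The field names
# are an assumption made for this example.
REGISTER = {
    "AcmeCodec": {"agreement": "ACME-2021-07", "expires": "2026-12-31",
                  "licensed_products": {"edge-gateway", "core-router"}},
    "FooCrypt": {"agreement": "FOO-2019-03", "expires": "2022-01-31",
                 "licensed_products": {"core-router"}},
}

# Constructed record of the commercial components earlier scans of each
# product already contained, so a new appearance can be flagged.
PREVIOUSLY_SEEN = {"edge-gateway": {"AcmeCodec"}}

# Fixed "today" so the example is deterministic.
EXAMPLE_TODAY = date(2023, 6, 1)


@dataclass
class Finding:
    component: str
    version: str
    kind: str                      # "open-source", "commercial" or "unknown"
    issues: list = field(default_factory=list)


def is_open_source(component):
    """Treat a component as open source when the SBOM carries an SPDX id."""
    return any("id" in lic.get("license", {})
               for lic in component.get("licenses", []))


def review_sbom(sbom_text, register, previously_seen, today):
    """Return one Finding per SBOM component, with the issues a reviewer should see."""
    sbom = json.loads(sbom_text)
    product = sbom["metadata"]["component"]["name"]
    seen = previously_seen.get(product, set())
    findings = []
    for comp in sbom["components"]:
        name, version = comp["name"], comp.get("version", "")
        if is_open_source(comp):
            findings.append(Finding(name, version, "open-source"))
            continue
        entry = register.get(name)
        if entry is None:
            # Neither an SPDX license nor an agreement: someone has to look.
            findings.append(Finding(name, version, "unknown",
                                    ["no agreement on file"]))
            continue
        f = Finding(name, version, "commercial")
        if name not in seen:
            f.issues.append("first appearance in %s" % product)
        if date.fromisoformat(entry["expires"]) < today:
            f.issues.append("agreement %s expired %s"
                            % (entry["agreement"], entry["expires"]))
        if product not in entry["licensed_products"]:
            f.issues.append("agreement %s does not cover %s"
                            % (entry["agreement"], product))
        findings.append(f)
    return findings


def needs_review(findings):
    """Only the findings that carry at least one issue."""
    return [f for f in findings if f.issues]


if __name__ == "__main__":
    for f in review_sbom(SBOM_JSON, REGISTER, PREVIOUSLY_SEEN, EXAMPLE_TODAY):
        print(f.component, f.kind, "; ".join(f.issues) or "ok")
```

Run against the constructed data, zlib passes as open source, AcmeCodec is known and in scope, FooCrypt is flagged three times (new to this product, expired, not licensed for it), and MysteryLib is flagged as having no agreement on file. Feeding the script the real register instead of the inline one is the only change needed to use it on actual scan output.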
From: main@... <main@...> On Behalf Of Anant Vishnu via lists.openchainproject.org
Sent: 03 June 2022 14:01
Subject: Re: [openchain] Tracking third-party deployment
Might sound off, but one idea would be to run an SCA tool which is also tuned to capture and segregate license text/copyright notices embedded in the delivered product (more of a syntactic approach – not limited to open source).
I believe GitHub already has a couple of offerings that may assist, such as https://github.com/nexB/scancode-toolkit (by nexB), etc.
Might help to set up a scan system for every outbound asset flow so that some form of flag is raised at the onset itself.
Apologies if this question is off-topic. I figure it’s OpenChainy, in that it relates to tying outbound software back to inbound software.
As part of our compliance and SBOM processes, we’re identifying not just our own code and open source in a delivered product, but also third-party commercial IP. Such commercial IP typically has a bunch of attributes that don’t apply to open source (license expiry dates, specific licensed users, etc.). There are standard commercial offerings that provide “Software Asset Management” for the stuff you *use* - your MS Words, your internal Oracle dbs, etc. These offerings aren’t really suited for something you *ship* as part of your delivered product – especially, as in our case, where the majority of the products are embedded offerings running in minimal footprint, where something like floating license key usage isn’t part of the product.
I was wondering whether anyone has recommendations for tools or systems that are suitable for tracking the usage and distribution of commercial IP?