Re: Tracking third-party deployment

Shurjeel Tousif

Hi Steve,


We have a preconfigured scanner that handles commercial IP but its not opensource (atleast not yet 😊)..

A database created for commercial IP with information (especially info/metadata on commercial binaries) is quite challenging to store – and each vendors has different commercial ts&cs associated which adds to the challenge.

We started the use of macros in Excel to manage this info by connecting the spreadsheet to various sources (software/db) available within each company and then running additional analysis on that list.

Perhaps we can connect in a call to discuss this if this seems more important at this stage than OSS scan tooling.





Shurjeel Tousif

SeQuenX BV
De Hooghkamer | Mozartlaan 9, 2215 LS, Voorhout, NL
T +31 63 073 4464  | E shurjeel.tousif@... | M +31 63 073 4464| W


From: main@... <main@...> On Behalf Of Steve Kilbane via
Sent: Friday, June 3, 2022 3:25 PM
To: main@...
Subject: Re: [openchain] Tracking third-party deployment


Hi Ananth,


We do use SCA tools already, so for a given IP we can see which products’ SBOMs include that IP, and traditional compliance would be confirming that the license of that IP is compatible with the licenses of all other components in the product. But there are other questions we’d like to answer, too, when we see commercial IP turning up in a product’s scan for the first time:

  • When does our license to use this IP expire? Has it expired already?
  • Is the developer (or dev team) building this product one of those to whom the IP is licensed?
  • Is the product being built for the platform for which the IP is licensed? E.g. Windows vs Linux vs iOS vs Android.
  • Who in our org is the contact point with the vendor, for this IP?
  • For an IP which is dual-licensed,  is this a use under the open source license or the commercial license?

At the moment, answering these questions (and others) is a somewhat painful process, often involving some poor unfortunate going back to the particular commercial agreement and reading through it again to find the necessary details. Life would be considerably simpler if we could look those details up in a database. And, if it were standard desktop software we were using, that would be possible (swidtags, etc., so my colleagues in our corporate IT dept assure me).


Conceivably, we could take something like SW360 and nail a couple dozen custom fields to it, or build a localized database ourselves and use a SW360 external ID reference, but if there are already products – commercial or open source – that anyone can recommend that already handle this, I’d love to know about them.




From: main@... <main@...> On Behalf Of Anant Vishnu via
Sent: 03 June 2022 14:01
To: main@...
Subject: Re: [openchain] Tracking third-party deployment




Hi Steve,


Might sound off, but one idea would be to run an SCA tool which is also tuned to capture and segregate license text/copyright notices embedded in the delivered product (more of a syntactic approach – not limited to open source).


I believe Github already has couple of offerings that may assist such as (by nexB) etc.

Might help to set up a scan system for every outbound asset flow so that some form of flag is raised at the onset itself







From: main@... <main@...> On Behalf Of Steve Kilbane
Sent: Friday, June 3, 2022 3:55 PM
To: main@...
Subject: [openchain] Tracking third-party deployment



Hi all,


Apologies if this question is off-topic. I figure it’s OpenChainy, in that it relates to tying outbound software back to inbound software.


As part of our compliance and SBOM processes, we’re identifying not just our own  code and open source in a delivered product, but also third-party commercial IP. Such commercial IP typically has a bunch of attributes that don’t apply to open source (license expiry dates, specific licensed users, etc.). There are standard commercial offerings that provide “Software Asset Management” for the stuff you *use* - your MS Words, your internal Oracle dbs, etc. These offerings aren’t really suited for something you *ship* as part of your delivered product – especially, as in our case, where the majority of the products are embedded offerings running in minimal footprint, where something like floating license key usage isn’t part of the product.


I was wondering whether anyone has recommendations for tools or systems that are suitable for tracking the usage and distribution of commercial IP?






Join to automatically receive all group messages.