On our GitHub: "Formal statement format for project with no OSS BOM"
dineshr93: "Is there a formal statement to give to customers for projects which have no OSS components?
We cannot give confirmation that no OSS is being used because we cannot ensure 100% accuracy, since there are always limitations to the tools. So we need to come up with a statement which sets the tools' limitations in place and also states that no OSS evidence has been found after performing such-and-such a scan.
I wanted to know whether there are any statements already in place in OpenChain. I searched here https://github.com/OpenChain-Project/Reference-Material but I did not find anything related to it."
My initial reply:
We do not provide a single "source of truth" statement for such a matter. It is really up to the in-house procurement and legal teams.
Conceptually, it might be something like this:
"The supplier confirms that the provided software has been audited and confirms that it contains no components under open source licenses."