Scanning tools can also help users identify which version of a component they are using and which license applies to it, so that they can tie that information into their policies and products for compliance, according to Weinberg.
You also need some way to track the open-source code you use, according to McLoughlin: tools can keep an inventory of open-source components and manage the approval process. “If you are letting your developers just bring open source into your products, and you are not tracking them, then you are not putting a process in place that lets you know if there are known vulnerabilities that could affect you from the beginning,” he said.
In addition, static code analysis tools can help find bugs and ensure code quality.
Lastly, the Linux Foundation recommends a linguistic review tool that searches the source for comments about the code itself or about future products.
“Even if you are not that concerned about your own code, you should be concerned about any code that you acquire,” said McLoughlin. “There is practically no software company that’s acquired technology that doesn’t want to know and have a comprehensive list of open source and licenses in the technology that they are acquiring.”
A breakdown of the typical software portfolio
Protecode recently released an infographic highlighting the importance of understanding the open-source content in a code portfolio. According to Koohgoli, many organizations worry about accidentally including code under copyleft licenses, for instance the GNU General Public License (GPL), in their products.
“Inclusion of GPL code in a company portfolio can force the company to open their entire codebase to the public, which could be commercially undesirable,” he said.
According to the infographic, which consolidates findings from an audit of more than a million software files belonging to more than a hundred technology companies, GPL code is present in almost all of the portfolios.
The infographic also stressed the importance of including header information in proprietary files, which most small portfolios do not do.
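As an added example (not code from the article, Protecode, or the Linux Foundation), the following Python script does a first pass at two of the checks discussed above: the linguistic review of source comments and the audit for GPL code and for proprietary files with no header. It classifies each source file by the license text in its header, records the GPL version and the "or later" clause, and flags copyleft components and files with no header at all. The license phrases, the sample source tree, and the policy (copyleft disallowed) are constructed assumptions; a real audit needs a tool with a full license database and code fingerprinting, since a stripped or edited header defeats keyword matching.

```python
"""Minimal license-header scanner and policy check (added example, not the article's code)."""
import os
import re
from dataclasses import dataclass

HEADER_LINES = 40  # only the top of a file is treated as its header

# (pattern, label). Order matters: LGPL and AGPL are checked before GPL because
# their names also contain "General Public License"; BSD is checked before the
# proprietary pattern because BSD headers often say "All rights reserved".
LICENSE_PATTERNS = [
    (re.compile(r"GNU Lesser General Public License", re.I), "LGPL"),
    (re.compile(r"GNU Affero General Public License", re.I), "AGPL"),
    (re.compile(r"GNU General Public License", re.I), "GPL"),
    (re.compile(r"Apache License,? Version 2\.0", re.I), "Apache-2.0"),
    (re.compile(r"Permission is hereby granted, free of charge|MIT License", re.I), "MIT"),
    (re.compile(r"Redistribution and use in source and binary forms", re.I), "BSD"),
    (re.compile(r"proprietary|confidential|all rights reserved", re.I), "Proprietary"),
]
COPYLEFT_FAMILIES = {"GPL", "LGPL", "AGPL"}
SOURCE_EXT = {".c", ".h", ".py", ".js", ".go", ".java"}


@dataclass
class Finding:
    path: str
    license: str
    copyleft: bool
    missing_header: bool


def classify_license(text: str) -> str:
    """Return an SPDX-style label for the license named in the file header, or NO-HEADER."""
    header = "\n".join(text.splitlines()[:HEADER_LINES])
    for pattern, label in LICENSE_PATTERNS:
        if not pattern.search(header):
            continue
        if label in COPYLEFT_FAMILIES:
            # GPL-family headers state a version and, optionally, "any later version".
            version = re.search(r"version (\d(?:\.\d)?)", header, re.I)
            if version:
                number = version.group(1)
                if "." not in number:
                    number += ".0"
                suffix = "-or-later" if re.search(r"any later version", header, re.I) else "-only"
                label = f"{label}-{number}{suffix}"
        return label
    return "NO-HEADER"


def scan_tree(files: dict) -> list:
    """Classify a mapping of relative path -> file contents."""
    findings = []
    for path in sorted(files):
        label = classify_license(files[path])
        findings.append(Finding(path, label, label.split("-")[0] in COPYLEFT_FAMILIES,
                                label == "NO-HEADER"))
    return findings


def scan_directory(root: str) -> list:
    """Read the first 4 KiB of each source file under root (enough for a header) and classify it."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1] in SOURCE_EXT:
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(full, root)] = fh.read(4096)
    return scan_tree(files)


def policy_violations(findings: list, allow_copyleft: bool = False) -> list:
    """Apply a simple policy: no copyleft code, and every file carries a header."""
    problems = []
    for f in findings:
        if f.copyleft and not allow_copyleft:
            problems.append((f.path, f"copyleft license {f.license} found"))
        if f.missing_header:
            problems.append((f.path, "no license or copyright header"))
    return problems


# Constructed sample tree (assumed, not from any real product) exercising each case.
SAMPLE_TREE = {
    "third_party/hash.c": (
        "/*\n * Copyright (C) 2011 Example Author\n *\n"
        " * This program is free software; you can redistribute it and/or modify\n"
        " * it under the terms of the GNU General Public License as published by\n"
        " * the Free Software Foundation; either version 2 of the License, or\n"
        " * (at your option) any later version.\n */\n"
        "int hash(const char *s) { return *s; }\n"
    ),
    "third_party/list.c": (
        "/*\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n"
        " * you may not use this file except in compliance with the License.\n */\n"
        "struct node;\n"
    ),
    "src/billing.py": (
        "# Copyright (c) 2015 Acme Corp. All rights reserved.\n"
        "# Proprietary and confidential; do not distribute.\n"
        "def invoice(): ...\n"
    ),
    "src/util.py": "import os\ndef cwd(): return os.getcwd()\n",
}

if __name__ == "__main__":
    for finding in scan_tree(SAMPLE_TREE):
        print(f"{finding.path:22} {finding.license}")
    for path, problem in policy_violations(scan_tree(SAMPLE_TREE)):
        print(f"VIOLATION {path}: {problem}")
```

Run against a real checkout with `scan_directory("path/to/repo")`; the sample tree yields one copyleft hit (GPL-2.0-or-later in third_party/hash.c) and one file with no header (src/util.py), while the Apache and proprietary files pass. Treat the labels as a triage list, not a verdict: the scanner only sees what a header says, so a vendored file whose header was removed, or GPL code pasted into a file under a permissive header, will not be caught by this approach.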