Software Composition Compliance

Modern software development typically consists of combining tens, hundreds or, increasingly often, thousands of different components. Most of those components are likely to be open source, but even open source code is subject to complex and subtle licensing requirements, breach of which may be a breach of copyright, patent or contract. There are many hundreds of different open source licences. A breach in relation to even one component can lead to legal claims for damages, an injunction preventing use or distribution of your product, breach of regulatory obligations, or even criminal action.

Any prudent organisation using, developing or deploying software will know what code it is using and the terms under which it is using it, and will ensure that it is complying with all of those terms.

It’s becoming difficult to maintain this information manually, in spreadsheets, for anything but the simplest of applications. Tooling is becoming increasingly prevalent, both for one-off composition scanning and for integration with the development toolchain.

We provide a unique understanding of the tooling available in the marketplace, with specific expertise in both proprietary products such as Black Duck Hub, FOSS_ID and Mend.io (formerly WhiteSource) and open source tools such as FOSSology and Quartermaster, coupled with deep legal and regulatory expertise.

Our client engagements can be triggered through internal risk analysis, regulator action, rights-holder action, customer due-diligence, tender preparation, or pending M&A or funding/IPO activity.

After an initial compliance exercise, we always recommend adopting and implementing an appropriate set of policies, practices and procedures to manage risk for the organisation in the future.

Most of our clients have adopted, or are currently striving towards, the Linux Foundation’s OpenChain Certification programme.

For more information, please contact Andrew Katz on team@orcro.co.uk.