Next Steps

InstallAnywhere 2021

When you have viewed the FlexNet Code Aware report, you might have questions such as the following:

What do I do now?
How do I get started?
Whom should I work with to resolve these issues?
I had no idea that so much open source code is packaged in our application. Where can I learn to use this code in accordance with its license?

Revenera has helped hundreds of customers start managing open source software and can help you as well.

Although many of the packages that were detected might be under P2 licenses, cases exist in which license obligations can be triggered that would make the license a P1 equivalent, depending on how you use (link, modify, and distribute) the open source software. Review these results with your legal team to ensure that you are compliant with both your corporate policies and the open source licenses.

As a next step, consider having an internal conversation with your engineering, legal, and security teams. To facilitate such a conversation, start with the following open-source compliance questions:

Do we have an open-source usage policy?
Do we have a list of all the open-source and commercial libraries we are using?
If we have such a list, how recent is it?
Does this list include all libraries brought in through repository managers such as Maven, RubyGems, and npm (Node package manager)?
Do we have a list of all the web services we depend on (for example, credit card processors and stock price lookup)?
Do we have an open-source disclosure from our commercial suppliers?
Are we minifying (removing unneeded characters from) our JavaScript? Where are the originals kept? Do we preserve copyright and license statements?
Do we have a policy for the proper use and attribution of code-snippet cut and pastes?
Do we publish the component and license disclosures as required by our open source libraries?
Do we send all required license and notice files as required by our open source libraries?
Could we quickly comply with a request for our GPL/LGPL source code?
Do we check our open source libraries for known vulnerabilities against the National Vulnerability Database (NVD)?

For Deep Scans, Check Out FlexNet Code Insight

To further reduce your open source software license compliance and security vulnerability risk, consider expanding the scope of analysis to include all the files in your codebase (source, binaries, media, and others) with FlexNet Code Insight.

For more information, visit the following site:

https://www.revenera.com/protect/products/flexnet-code-aware.html

For FlexNet Code Insight purchase options, contact your sales representative.