6. Tool

Source code scanning tool

You should use a source code scanning tool during the identification of open source and audit phase of the open source compliance process. Source code scanning tools range from freely available, open source-based tools to commercial tools, each with their own strengths and weaknesses, but none of them seem to provide complete functionality to solve all problems. Therefore, companies can choose the appropriate tool for the characteristics and requirements of the product.

Many companies use a combination of these automated source code scanning tools and manual reviews. Linux Foundation’s FOSSology project is an open source source code scanning tool that companies can use for free.

https://www.fossology.org/

For instructions on how to install and use FOSSology, refer to Get Started.

Dependency analysis tool

In recent software development, build environments that support Package Manager such as Gradle and Maven are used. In such a build environment, even if there is no source code, the required dependency library at build time is received from the remote to compose the supplied software. At this time, the dependency library is included in the supplied software, but it is not detected by the source code scanning tool. Therefore, it is also important to utilize a tool for dependency analysis.

The OSS Review Toolkit provides a dependency analysis tool called Analyzer.

https://github.com/oss-review-toolkit/ort#analyzer

LG Electronics has released FOSSLight Dependency Scanner as an open source. FOSSLight Dependency Scanner supports various package managers such as Gradle, Maven, NPM, PIP, Pub, and Cocoapods.

https://fosslight.org/ko/scanner/

Open Source BOM Management Tool

3.3.1.2 of the ISO/IEC 5230 standard requires that the open source BOM list included in the supplied software be documented and kept. The open source BOM can also be managed with a spreadsheet program such as Excel. However, if the number and version of supplied software exceed hundreds, it is not easy to manage them manually. Therefore, it is better to use an automated tool to manage it.

SW360, an open source project hosted by the Eclipse Foundation, provides a function to track the list of open source BOM included in the supplied software.

How to install and use SW360 is SW360 wiki

And FOSSLight, an open source released by LG Electronics mentioned above, also provides a function for open source BOM management.

https://fosslight.org/fosslight-guide/started/2_try/4_project.html

LG Electronics developed FOSSLight on its own and has been managing the open source BOM for supplied software for all business divisions for the past several years, and in June 2021, it announced that it had been released as an open source for anyone to use.

For detailed installation and usage instructions, refer to the following English guide. : https://fosslight.org/fosslight-guide-en/

https://fosslight.org/fosslight/

If you have the above tools, you can prepare the following evidence required by ISO/IEC 5230.

Create artifacts

It is better to use a tool that automatically generates an open source notice, which is an open source compliance product, rather than writing it manually.

You can automatically generate an open source notice by registering an open source BOM using the FOSSLight tool. The open source disclaimer generated by FOSSLight also includes a Written Offer to provide source code.

https://fosslight.org/fosslight-guide/started/2_try/4_project.html

In addition, SK Telecom is planning to release the open source automatic notice generation tool used in-house.

Archive open source artifacts

It is recommended that companies create an open source website and register open source compliance artifacts to provide convenience so that external customers can download open source notices and source code packages to be disclosed at any time.

You can refer to SK Telecom’s open source website.

https://sktelecom.github.io/compliance/

In particular, this website was developed as an open source, and since the source code is open, you can easily build a website by referring to it.

https://github.com/sktelecom/sktelecom.github.io

If you build a tool environment like this, you can prepare the following evidence required by ISO/IEC 5230.

If you build the tool environment in this way, you will comply with the ISO/IEC 5230 requirements as follows.

Last modified December 12, 2021: correct typo (7d44531a5)