TrustSource consists of several components. The core (TS-Core) is a UI module that implements an OpenChain-conformant compliance process involving the typical roles (see Role Model). It covers the following features:

  • Manage projects and modules
  • Initiate and monitor progress of tickets (e.g. to your Jira/TFS)
  • Support management of vulnerabilities, versions and releases
  • Organize black- and whitelists; allow whitelist enforcement for very critical projects
  • Display analysis results (legal obligations, vulnerability status, etc.)
  • Provide reports such as:
    • Bill of materials
    • Vulnerability impact analysis
    • Used licenses
    • Legal obligations (Portfolio/Project/Module)
    • OS policy awareness and distribution analysis
  • Initiate and follow up approvals
  • Propagate policies

Besides this core application, several specialised services support the core:

  • CodeScanner – many language-specific scanners, themselves available as open source, that integrate scanning with your CI/CD chain and determine the applied components (including transitive ones). Most are able to use the analysis feedback to break builds or at least issue warnings
  • LegalCheck-Service – exter system, determining the legal obligations resulting from the applied licenses in the project/module/component context including IP protection requirements, architectural position, distribution or selected commercial regime.
  • DeepScan-Service – Scanning of repositories to identify hidden licenses (effective vs. declared) and copyright/author information of third party components
  • SPDXTransform-Service – Imports, exports and transforms SPDX files
  • Analysis-Service – Uses the LegalCheck-Service in combination with project settings and scanner findings to determine the legal situation of the current build and outline project/module status in traffic light colors
  • NoticeFileGenerator-Service – Based on analysis results and manual interactions, automatically derives a complete notice file including the written offer as well as legal documentation, and points compliance managers to missing data to finalize documentation.
  • VulnerabilityAlert-Service – Alerts project managers whenever new vulnerabilities are identified in any of the used components, not only in the current code but also in former versions.
  • ComponentRepository – Our central component repository is the base for all information. Built on the remains of VersionEye, the pool now comprises more than 18 million components and more than 450 million dependencies
  • VulnerabilityLake (starting in v2.0) – An API-based directory of all existing vulnerability information, containing curated content from several sources

In addition, since the launch of v1.9 (Q3/2019) TrustSource also provides a Medical-Edition that allows MDD-compliant COTS management as well as the automated generation of an IEC-conformant SOUP list from the automatically determined bill of materials.


to try
  • 1 month free access (all features)
  • just register and start getting compliant!
  • We will contact you to clarify the rest


for companies
2.499.- EUR monthly
  • Common SaaS subscription
  • Standard service levels & support
  • 100.000 Transactions per month


for conglomerates
tbd: Individual agreement
  • LDAP integration / Identity Management
  • multi-company user with several roles
  • Individual service levels and terms


for MDD compliance
1.999.- EUR monthly
  • optional package for medical features
  • COTS components management
  • Generator for IEC compliant SOUP-lists

For customers with less demand, we are currently working on a new, purely transactional model. If you would be interested in such a model, please contact our support.

To determine the most suitable option for you, do not hesitate to contact our friendly and helpful support team!

We offer special discounts to public services, universities and OpenSource projects. Please get in touch with our sales team to learn more about this option.

A tool can only be part of the solution - Compliance is a process!

TrustSource offers a comprehensive set of tools and process support, automating or at least simplifying many tasks as well as the corporate-wide rollout. But we would be lying if we let you believe the tooling would do the job without further change in your organization.

To support this, TrustSource provides a stack of OpenChain-compliant materials and resources. But we advise running at least one workshop with an expert or consultant such as EACG, our parent company, to get guidance on the journey. You can find information on our trainings here.