TrustSource @ FOSDEM 2021

We are looking forward to the presentations of Jan Thielscher and Grigory Markin at FOSDEM 2021.

Open Source Compliance Tooling – Capability Reference Architecture

Jan will present the Open Source Tooling Workgroup's reference model in the OpenChain Dev-Room, which outlines domain-specific capabilities and their interrelationships. The model has been created over the last two years by members of the workgroup and is intended to provide an overview of the tasks required in the context of open source compliance. It is also useful for mapping the different tools and being clear about what functionality they cover. See the complete video here.

During the talk Jan will also try to motivate tool vendors to map their tools against the model.

Capabilities in comparison

In a second talk, Grigory Markin will present the TrustSource DeepScan open source tool and the free online service of the same name in the Software Composition Dev-Room. This solution has been developed to support open source users in identifying the effective licenses and attribution information (license & copyright):

TrustSource DeepScan – How to effectively excavate effective licenses

In this 15 minute talk, Grigory and Jan will briefly outline the challenge of “effective” licenses and discuss the various technical possibilities and challenges of automated license analysis using similarity analysis, among other things. Finally, the tool, the current state of work and the next steps will be briefly presented.

Want to learn more about SBOMs or OpenSSF? Feel free to contact us!

TrustSource DeepScan - Catch effective open source licenses

TrustSource DeepScan - CLI, web-based or as part of service

DeepScan is an open source tool that helps you achieve open source compliance. You may use DeepScan to scan the repositories of your solution or of the components you are using. It will identify all license and, if wanted, copyright information. This matters because it ensures you have a correct understanding of the rights and obligations associated with the open source components you are using.

DeepScan is available in three flavours: as a command-line tool, as a web-based UI, and integrated into the TrustSource service.

While the CLI version is fully functional, it requires users to assess the results file themselves. The CLI version can publish its findings either on standard output or in a file, using JSON. The web-based UI provides a comfortable way to view and work with the results. The version integrated with TrustSource allows you to amend the findings and share your data with others.

Why are effective licenses so relevant?

Everybody developing software should understand the components they use to build their solution, for two reasons:

  1. Legal compliance
  2. Security

Getting a grip on legal compliance

From the legal perspective, it is essential to understand what your solution consists of. Open source does not mean free goods: having free access does not mean you are free from obligations. Open source components often come with a license that requires the user to comply with certain obligations. In many cases the right to use is bound to compliance with those obligations, e.g. attributing the copyright holder.

Theoretically every component can have its own license. In practice there are roughly 400 licenses and countless derivatives that govern the usage of open source. Some are more restrictive, some less. However, if you do not take care of the rights and obligations associated with the components you are using, you quickly slide out of legal conformance. In the worst case, law enforcement might charge the senior management of companies that do not effectively prevent such risks with professional fraud.

DeepScan helps to assess repositories for license indications, exposing all findings in a comfortable way: compiled into one result, with links into the depth of the repository that allow fast tracking and review.
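The kind of analysis described above (the talk's "similarity analysis" of license texts and DeepScan's collection of license and copyright indications across a repository) is illustrated by the following added example. It is not DeepScan's code: it walks a constructed in-memory repository, honours explicit SPDX-License-Identifier tags, extracts copyright lines, and otherwise classifies license text by token-set (Jaccard) similarity against abbreviated, constructed stand-ins for reference license texts. The threshold, reference excerpts, paths and file contents are all assumptions made for the example.

```python
"""Added example, not DeepScan's own code: a minimal license and copyright scanner.

It walks an in-memory repository, picks up SPDX-License-Identifier tags,
extracts copyright statements, and classifies full license texts by token-set
similarity (Jaccard) against reference texts. All reference texts, paths and
file contents below are constructed, abbreviated stand-ins.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed, abbreviated stand-ins for reference license texts (not the official texts).
REFERENCE_TEXTS: Dict[str, str] = {
    "MIT": (
        "Permission is hereby granted, free of charge, to any person obtaining a copy "
        "of this software and associated documentation files, to deal in the software "
        "without restriction, including without limitation the rights to use, copy, "
        "modify, merge, publish, distribute, sublicense, and/or sell copies of the "
        "software. The software is provided as is, without warranty of any kind."
    ),
    "Apache-2.0": (
        "Licensed under the Apache License, Version 2.0. You may not use this file "
        "except in compliance with the License. Unless required by applicable law or "
        "agreed to in writing, software distributed under the License is distributed "
        "on an as is basis, without warranties or conditions of any kind."
    ),
    "GPL-3.0-only": (
        "This program is free software: you can redistribute it and/or modify it under "
        "the terms of the GNU General Public License as published by the Free Software "
        "Foundation, version 3 of the License. This program is distributed in the hope "
        "that it will be useful, but without any warranty."
    ),
}

# Jaccard score below which no license is reported (threshold chosen for this example).
MIN_SCORE = 0.6

SPDX_TAG = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.\-+]+)")
COPYRIGHT_LINE = re.compile(r"Copyright\s+(?:\(c\)\s+)?(\d{4}(?:-\d{4})?)\s+([^\n]+)", re.IGNORECASE)


@dataclass
class Finding:
    path: str
    license: Optional[str]        # SPDX identifier, or None when nothing matched
    method: str                   # "spdx-tag", "similarity" or "none"
    score: float                  # Jaccard score for similarity matches, 1.0 for tags
    copyrights: List[str] = field(default_factory=list)


def tokens(text: str) -> Set[str]:
    """Lower-cased alphabetic tokens; punctuation and numbers are ignored."""
    return set(re.findall(r"[a-z]+", text.lower()))


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Size of the intersection over the size of the union; 0.0 for empty inputs."""
    if not a or not b:
        return 0.0
    return len(a & b) / len(a | b)


def best_reference(text: str) -> Tuple[Optional[str], float]:
    """Highest-scoring reference license, or (None, score) when below MIN_SCORE."""
    t = tokens(text)
    score, name = max((jaccard(t, tokens(ref)), ref_name) for ref_name, ref in REFERENCE_TEXTS.items())
    return (name if score >= MIN_SCORE else None), score


def scan_file(path: str, content: str) -> Finding:
    """An explicit SPDX tag wins; otherwise fall back to similarity against the references."""
    copyrights = [f"{year} {holder.strip().rstrip('.')}" for year, holder in COPYRIGHT_LINE.findall(content)]
    tag = SPDX_TAG.search(content)
    if tag:
        return Finding(path, tag.group(1), "spdx-tag", 1.0, copyrights)
    name, score = best_reference(content)
    return Finding(path, name, "similarity" if name else "none", round(score, 3), copyrights)


def scan_repository(files: Dict[str, str]) -> List[Finding]:
    """Scan every file of an in-memory repository (path -> content)."""
    return [scan_file(path, content) for path, content in sorted(files.items())]


def effective_licenses(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group the paths by the license that was detected for them."""
    grouped: Dict[str, List[str]] = {}
    for f in findings:
        if f.license:
            grouped.setdefault(f.license, []).append(f.path)
    return grouped


# Constructed sample repository: three files with different kinds of license evidence.
SAMPLE_REPO: Dict[str, str] = {
    "LICENSE": (
        "MIT License\n\n"
        "Copyright (c) 2019-2021 Example Corp\n\n"
        "Permission is hereby granted, free of charge, to any person obtaining a copy\n"
        "of this software and associated documentation files (the \"Software\"), to deal\n"
        "in the Software without restriction, including without limitation the rights\n"
        "to use, copy, modify, merge, publish, distribute, sublicense, and/or sell\n"
        "copies of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND.\n"
    ),
    "src/util.py": "# SPDX-License-Identifier: Apache-2.0\n# Copyright 2020 Jane Doe\n\ndef clamp(x, lo, hi):\n    return max(lo, min(x, hi))\n",
    "vendor/lib.c": "/* no license header, no SPDX tag */\nint add(int a, int b) { return a + b; }\n",
}

if __name__ == "__main__":
    results = scan_repository(SAMPLE_REPO)
    for finding in results:
        print(finding)
    print(effective_licenses(results))
```

Token-set similarity is deliberately crude: it ignores word order, so it distinguishes well between unrelated license families but not between close variants of one family (the "countless derivatives" mentioned above), which is exactly where real tools need richer text comparison and a curated reference corpus.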

Give it a try!

No installation or registration required…

Keeping track of what is used improves security

The second reason why you should be aware of the components inside your solution is to learn early about issues associated with them. Once you have had the structure of your solution scanned with TrustSource, all versions of your builds are available chronologically. TrustSource checks the NVD and other vulnerability boards for updates and compares incoming data with its component information. If you use, or have used, a vulnerable component, you will get a notification.

This gives you an advantage over potential malicious actors: you may inform customers still using vulnerable versions, start working on fixes, or at least help them prevent misuse by malicious actors.
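The matching step described above (comparing incoming advisories against the chronological record of build inventories and notifying on past as well as current use of an affected version) is shown by the following added example. It is not TrustSource's code; builds, component names, versions and advisory records are constructed, the advisory identifiers are placeholders rather than real CVE numbers, and the version comparison is a deliberately simple numeric one.

```python
"""Added example, not TrustSource's own code: matching a chronological list of
build inventories against vulnerability advisories.

All builds, component names, versions and advisory records below are constructed;
the advisory identifiers are placeholders, not real CVE numbers.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    product: str
    introduced: str            # first affected version (inclusive)
    fixed: Optional[str]       # first fixed version (exclusive); None when no fix exists yet


@dataclass
class Build:
    build_id: str
    date: str                  # ISO date; builds are listed oldest first
    components: Dict[str, str]  # product -> version used in this build


def parse_version(version: str) -> Tuple[int, ...]:
    """'1.4.2' -> (1, 4, 2). Only the leading digits of each part count, so a
    pre-release such as '1.5.0-rc1' compares equal to the 1.5.0 release."""
    parts = []
    for part in version.split("."):
        m = re.match(r"\d+", part)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def _padded(version: str, width: int) -> Tuple[int, ...]:
    """Right-pad with zeros so '1.2' and '1.2.0' compare equal."""
    t = parse_version(version)
    return t + (0,) * (width - len(t))


def version_in_range(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True when introduced <= version < fixed (no upper bound when fixed is None)."""
    bounds = [version, introduced] + ([fixed] if fixed else [])
    width = max(len(parse_version(b)) for b in bounds)
    v = _padded(version, width)
    if v < _padded(introduced, width):
        return False
    return fixed is None or v < _padded(fixed, width)


def notifications(builds: List[Build], advisories: List[Advisory]) -> Dict[str, dict]:
    """One notification per advisory that matches any build, past or present.

    'still_affected' says whether the newest build still ships an affected
    version, which separates "fix the current release" from "only warn
    customers who run older builds"."""
    result: Dict[str, dict] = {}
    newest = builds[-1].build_id if builds else None
    for adv in advisories:
        affected = [
            b.build_id
            for b in builds
            if adv.product in b.components
            and version_in_range(b.components[adv.product], adv.introduced, adv.fixed)
        ]
        if affected:
            result[adv.advisory_id] = {
                "product": adv.product,
                "affected_builds": affected,
                "still_affected": newest in affected,
                "fix_available": adv.fixed is not None,
            }
    return result


# Constructed build history (oldest first) and constructed advisories with placeholder ids.
SAMPLE_BUILDS: List[Build] = [
    Build("b-100", "2020-11-02", {"libfoo": "1.4.2", "parser-x": "2.0.0"}),
    Build("b-101", "2020-12-15", {"libfoo": "1.5.0", "parser-x": "2.0.0"}),
    Build("b-102", "2021-01-20", {"libfoo": "1.5.0", "parser-x": "2.1.0"}),
]
SAMPLE_ADVISORIES: List[Advisory] = [
    Advisory("EXAMPLE-ADV-1", "libfoo", "1.0.0", "1.5.0"),   # fixed; only the oldest build used it
    Advisory("EXAMPLE-ADV-2", "parser-x", "2.0.0", None),    # no fix yet; every build is affected
    Advisory("EXAMPLE-ADV-3", "libbar", "0.1", "0.2"),       # component never used; no notification
]

if __name__ == "__main__":
    for advisory_id, info in notifications(SAMPLE_BUILDS, SAMPLE_ADVISORIES).items():
        print(advisory_id, info)
```

Keeping the whole build history, rather than only the current inventory, is what makes the "have used" case answerable: EXAMPLE-ADV-1 produces a notification even though the current build no longer contains the affected version, so customers still running build b-100 can be told.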

So you see, there are many reasons why you should know what is inside your code base.

To learn more about the different DeepScan solutions we provide, see this short video introduction. This talk will be given at FOSDEM 21 in the Software Composition Analysis DevRoom.
