TrustSource DeepScan - Catch effective open source licenses

TrustSource DeepScan - CLI, web-based or as part of service

DeepScan is an open source tool, helping you to achieve open source compliance. You may use DeepScan to scan the repositories of your solution or the components you are applying. It will identify all license and – if wanted – copyright information. This is relevant to ensure that you have the correct understanding of the rights and obligations associated with the open source components you are using.

DeepScan is available in three flavours:

While the CLI version is fully functional, it requires the user to assess the results file by himself. The CLI-version can publish its findings either in standard out or in a file using JSON. The web-based UI provides a comfortable way to watch and work with the results. The solution integrated with TrustSource allows you to amend the findings and share your data with others.

Why are effective licenses so relevant?

Everybody developing software should have an understanding about the components he is using to provide his solution due to two reasons:

  1. Legal compliance
  2. Security

Getting a grip on legal compliance

From the legal perspective, it is essential to understand what your solution consists of. Open source does not imply free goods. Just to have free access does not mean you are free from obligations. Often open source components come with a license that requires the user to comply with certain obligations. In many cases the right to use is bound to the compliance with some obligations, e.g. attributing the copyright holder.

Theoretically every component can have its own license. In practice it turns out that there are roundabout 400 licenses and a countless number of derivates that govern the usage of open source. Some are more, some are less restrictive. However, given you do not take care for the rights and obligations associated with the components you are using, you swiftly slide out of legal conformance. In the worst case official law enforcement might charge senior management of companies not effectively preventing such risk with professional fraud.

DeepScan helps to assess repositories for license indications, exposing all findings in a comfortable way. Compiled into one reult, with links into the depth of the repository allowing fast tracking and review.

Give it a try!

No installation or registration required…  

 Keeping track of what is used improves security

The second reason, why you better should be aware of the components inside your solution is, to learn early about issues associated with such components. Given you have the structures of your solutions scanned with TrustSource, all versions of the builds are chronologically available. trustSource checks NVD and other vulnerability boards for updates and compares incoming data with its components information. If you use – or have used – a vulnerable component, you will get a notification.

This gives you an advantage over potential malicious actors. You may inform your customers still using vulnerable versions, start working on fixes or at least help them to prevent misuse by malicious actors.

So you see, there are many reasons, why you should know what is inside your code base….

To learn more about the different DeepScan solutions we provide, see this short video introduction. This speech will be provided at FOSDEM 21 in the Software Composition Analysis DevRoom.

Want to learn more about SBOMs or OpenSSF? Feel free contacting us!


Why does a license matter?

“If someone is publishing his stuff on Github he must accept that it will be used by others!””

Unfortunately we still hear this critical misunderstanding often while finding open source components buried somewhere in source code; without any furtehr declaration of course. Let’s send a few words to discuss this in more detail.

In our western world protection of intellectual property is a high value. The believe that an inventor shall profit from his achievements has been accepted as the driving force of behind our wealth and developed status. That is why it has been protected by intellectual property laws. This insight counts some years already and meanwhile has been established and harmonized internationally through the Berner Convention.

Governing thought has been, that an inventor or creator of a work always will own all rights of usage, modification and all kinds of distribution. This is always valid for a certain period of time after the work has been created. Theperiod depends on the work.

An inventor or creator may transfer his rights to others. The typical form of this transfer is a license.

Without a license, all rights remain with the creator for his protection!

If no license exists, for the protection of the creator, all rights will be assumed as not transferred. Therefor each user of a component without license starts walking on ice. In general nothing might happen immediately. But who knows what will be in the future? Success might make jealous, motivations might change over time. Happy times for all of those, who own a license they may rely on!

But not only that there might be some contributors of open source software getting nasty. There is another relevant aspect of licenses. They also clarify the terms when the right to use is transferred. this will protect you from a usage without right.

In our hemisphere the usage of protected works without right is assumed a criminal act. This might not only cause immense financial damages due to call backs or branding impacts. But also a criminal investigation might be caused.  In some countries this does not even require a plaintiff. This role will be taken by the prosecutor automatically triggered by a suitable  evidence, irrelevant of the source (competition, former employee, original inventor).

To prevent all kinds of damage, it is highly recommended to ensure the availability of and conformity with a license!

To prevent damage, it is highly recommended to avoid using components without a license. But to achieve this, it is essential to know what has been used to build the software and what are the resulting obligations.

TrustSource has been developed to automate this task. Applying the automated scanning you may detect early which components are used and which licenses – or even no licenses – are related.

Our architects may help you to manage critical cases  or identify alternative solutions. Do not wait, start right now in creating transparency!


June 19th, Compliance Breakfast @ Frankfurt a.M.

To achieve a fast Go-to-market for innovative products and services, the application of software, especially open source software is essential.

But, open source software is no free lunch!

What obligations are related to the use of open source software, what triggers the different obligations and what is resulting therefrom? What are athe risks and how to manage them? All this will be part of this informational event. You will receive an overview of the current legal situation as well as practical experiences of the introduction of Open Source Governnace.

0830-0900 Welcome coffee & tea

0900-0915 Introduction of speakers

0915-0945 Current legal situation and challenges (Heinzke)

0945-1000 Questions and discussion

1000-1045 Lessons learned from introducing Open Source Governance in a conglomerate (Thielscher)

1045-1100 Questions and discussion

Tickets can be booked here. To ensure a sound experience, the event is limited to 25 participants. Please note, the event will be in German.