Continuous Open Source License Compliance

Phipps, Simon; Zacchiroli, Stefano

doi:10.1109/mc.2020.3024403

Cited by 9 publications

(3 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…State-of-the-art license scanners in the field are FOSSology [17], and ScanCode (discussed in [25] together with other FOSS tools for Software Composition Analysis). Zooming out from license detection per se, several tools are used in the compliance landscape to manage the workflow of vetting open source component before production use, such as Eclipse SW360 10 as component inventory manager and the OSS Review Toolkit (ORT) 11 that provides a customizable pipeline for continuous compliance [26].…”

Section: Related Workmentioning

confidence: 99%

“…Note that open source license compliance (or OSLC [11]) is just a part of OSC, albeit an often-discussed one due to the variety and complexity of software licensing [20,2]. The state-of-the-art industry approach for managing the complexity of OSC-known as continuous open source compliance [26]-is to automate as much as possible the verification of adherence to all obligations and best practices for FOSS component management and integrate them into continuous integration (CI) toolchains [23].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Efficient Prior Publication Identification for Open Source Code

Serafini¹,

Zacchiroli²

2022

Preprint

Self Cite

View full text Add to dashboard Cite

Free/Open Source Software (FOSS) enables large-scale reuse of preexisting software components. The main drawback is increased complexity in software supply chain management. A common approach to tame such complexity is automated open source compliance, which consists in automating the verification of adherence to various open source management best practices about license obligation fulfillment, vulnerability tracking, software composition analysis, and nearby concerns. We consider the problem of auditing a source code base to determine which of its parts have been published before, which is an important building block of automated open source compliance toolchains. Indeed, if source code allegedly developed in house is recognized as having been previously published elsewhere, alerts should be raised to investigate where it comes from and whether this entails that additional obligations shall be fulfilled before product shipment. We propose an efficient approach for prior publication identification that relies on a knowledge base of known source code artifacts linked together in a global Merkle direct acyclic graph and a dedicated discovery protocol. We introduce swh-scanner, a source code scanner that realizes the proposed approach in practice using as knowledge base Software Heritage, the largest public archive of source code artifacts. We validate experimentally the proposed approach, showing its efficiency in both abstract (number of queries) and concrete terms (wall-clock time), performing benchmarks on 16 845 real-world public code bases of various sizes, from small to very large.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Efficient Prior Publication Identification for Open Source Code

Serafini¹,

Zacchiroli²

2022

Preprint

Self Cite

View full text Add to dashboard Cite

show abstract

“…Proper management of such an increasingly complex software supply chain [12] requires being able to deal with license combinations, their potential incompatibility [9], and auditing increasingly large code bases, ideally in an automated way [23].…”

mentioning

confidence: 99%

A Large-scale Dataset of (Open Source) License Text Variants

Zacchiroli

2022

Preprint

Self Cite

View full text Add to dashboard Cite

We introduce a large-scale dataset of the complete texts of free/open source software (FOSS) license variants. To assemble it we have collected from the Software Heritage archive-the largest publicly available archive of FOSS source code with accompanying development history-all versions of files whose names are commonly used to convey licensing terms to software users and developers.The dataset consists of 6.5 million unique license files that can be used to conduct empirical studies on open source licensing, training of automated license classifiers, natural language processing (NLP) analyses of legal texts, as well as historical and phylogenetic studies on FOSS licensing.Additional metadata about shipped license files are also provided, making the dataset ready to use in various contexts; they include: file length measures, detected MIME type, detected SPDX license (using ScanCode), example origin (e.g., GitHub repository), oldest public commit in which the license appeared.The dataset is released as open data as an archive file containing all deduplicated license files, plus several portable CSV files for metadata, referencing files via cryptographic checksums.

show abstract