This presentation showcases an innovative utility developed in-house to identify early risk components using open-source tools and libraries. It addresses the challenges of OSS license compliance and security risks, offering practical solutions to mitigate these issues early in the build phase.
In today's software landscape, commercial products heavily rely on open-source components. However, developers often lack detailed knowledge of the associated license obligations. Our utility addresses this by identifying third-party libraries early in the build phase, enabling timely decisions to mitigate license and security risks.
Benefits to the Ecosystem
Attendees will gain a deeper understanding of the challenges associated with open-source license compliance and security risks. They will learn about practical solutions and tools that can be integrated into their development workflows to mitigate these risks early in the build phase.
Scope
Utilize internal and third-party tools such as:
Maven-scanner, Node-scanner, Gradle-scanner, Go-scanner, Deb-scanner, Container-scanner, NuGet-scanner, PyPI-scanner, Trivy
Analyze components defined in package managers.
Generate structured reports in Excel format.
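As an added illustration of the scope described above (not the utility's own code, which the proposal does not include), the following script does what a minimal Node-scanner step would do at build time: parse the components declared in a package manager file, map each one to a license, grade the license against a risk policy, and emit a structured report plus a list of components that should block the build until a FOSS expert has reviewed them. The package.json content, the license table and the policy tiers are all constructed for the example; a real scanner would read the manifest from disk and fetch license metadata from the registry or each package's LICENSE file.

```python
import csv
import io
import json

# Constructed sample manifest, standing in for a project's package.json.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "demo-app",
    "dependencies": {
        "left-pad": "1.3.0",
        "copyleft-lib": "2.0.0",
        "unknown-lib": "0.1.0",
    },
    "devDependencies": {"test-tool": "4.2.1"},
})

# Constructed license metadata (package name -> SPDX identifier). A real
# scanner would look this up in the registry or the package's LICENSE file.
SAMPLE_LICENSE_DB = {
    "left-pad": "MIT",
    "copyleft-lib": "GPL-3.0-only",
    "test-tool": "Apache-2.0",
}

# Risk policy (assumed, for illustration): SPDX identifiers grouped by the
# obligation level they impose on a commercial product. Anything not listed
# is flagged "review" so that it is escalated rather than silently accepted.
LICENSE_POLICY = {
    "low": {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC"},
    "medium": {"LGPL-2.1-only", "LGPL-3.0-only", "MPL-2.0"},
    "high": {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"},
}

REPORT_COLUMNS = ["component", "version", "scope", "license", "risk"]


def parse_manifest(text):
    """Return (name, version, scope) for every dependency in a package.json string."""
    data = json.loads(text)
    components = []
    for scope in ("dependencies", "devDependencies"):
        for name, version in data.get(scope, {}).items():
            components.append((name, version, scope))
    return components


def classify_license(spdx_id):
    """Map an SPDX identifier to a policy tier; None means no license was found."""
    if spdx_id is None:
        return "unknown"
    for level, ids in LICENSE_POLICY.items():
        if spdx_id in ids:
            return level
    return "review"


def assess(manifest_text, license_db):
    """Produce one report row per declared component."""
    rows = []
    for name, version, scope in parse_manifest(manifest_text):
        spdx_id = license_db.get(name)
        rows.append({
            "component": name,
            "version": version,
            "scope": scope,
            "license": spdx_id or "UNKNOWN",
            "risk": classify_license(spdx_id),
        })
    return rows


def report_csv(rows):
    """Render the rows as CSV; the same rows can be written to a sheet with openpyxl."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=REPORT_COLUMNS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def build_gate(rows, fail_on=("high", "unknown")):
    """Names of components that should stop the build until they are reviewed."""
    return sorted(r["component"] for r in rows if r["risk"] in fail_on)


if __name__ == "__main__":
    report_rows = assess(SAMPLE_PACKAGE_JSON, SAMPLE_LICENSE_DB)
    print(report_csv(report_rows))
    print("blocking components:", build_gate(report_rows))
```

The report is written as CSV here to keep the example dependency-free; converting the same rows into an Excel workbook is a matter of handing them to openpyxl. The important design choice is that a component with no resolvable license lands in the "unknown" tier and blocks the build alongside strong copyleft, because a missing license is the case most often discovered late, when it is expensive to fix.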
Business Impact
By providing developers with early risk assessment of their codebase before consulting FOSS experts, we enable proactive decision-making regarding package integration. This preventive approach reduces the need for late-stage modifications and expert consultations, resulting in an estimated 10-20% cost reduction in development and compliance processes.
Future Scope
The utility is planned for release as an open-source solution, enabling community collaboration and continuous improvement through public contributions.
Introduce different package manager tools
Visualize license risks, security risks and End of life components from the scanned code
Real-time decision-making and mitigation measures.
We can only accept a talk about a FOSS project. The proposal does not mention when exactly this is going to be open-sourced.
Your proposal is not about a FOSS project, as the tool you are presenting is currently in-house and does not have a confirmed open-source release date.
For future submissions, we recommend that you submit your proposal once the tool has been released as a FOSS project. This will allow the program committee to better evaluate your contribution to the FOSS ecosystem and ensure that your talk is a better fit for the conference.