When releasing software, one of the key aspects you need is ensuring that you’re compliant and safe from any legal risks. Our previous blog post on DevOps and Compliance described how compliance can be a seamless part of the DevOps workflow in your organization. This blog post will address the way your company is enforcing its OSS policies today and how JFrog Xray can simplify this process.
License compliance as a process and why it’s important
Do you know if your OSS policies are actually being enforced in your company?
Using unidentified open source components makes your organization vulnerable to license violations, which can result in costly litigation and loss of intellectual property.
Here are 3 use cases that address license compliance:
- Due diligence (such as selling your company, raising funds, IPO), which requires evaluating the company’s worth and listing all products and IP. As part of this process, you need to have a complete list of the licenses that you use.
- New product/service, where the legal team needs to get a complete list of licenses being used.
- Ongoing product releases, where for each software release several teams in your organization are responsible for identifying the third-party licenses of the OSS components your software contains. In practice, the R&D and Product teams must manually track and compile an aggregated list of all the new and existing open source components in their code, which the legal team then reviews to:
  - Ensure that it adheres to internal policies
  - Make it available to the general public
These processes are not only time consuming, they are also prone to human error.
Enforcing license compliance and how Xray lets you do that
Xray provides two capabilities to help automate these processes. The first is Policies, which let you enforce your license compliance rules on every component that is added or modified in an artifact or build.
The second is Xray’s new component license report, which removes the manual effort of digging through each component to identify its license for evaluation. With a click of a button you can now generate, for any build or artifact, a license report listing every OSS license it uses directly or indirectly.
The report is built from metadata that Xray generates by recursively analyzing the OSS licenses of the components inside your binaries, giving you both security and license metadata for each component.
Once you have the report, you can assess the license compliance of the OSS components in your release and, most importantly, trust that the list is complete.
4 main steps to incorporate Xray in your license compliance process
- Find the relevant build/artifact in Xray, from the component search.
- Discover the list of component licenses, from the license tab.
- Assign licenses to components whose license is unknown.
- Export the report and share with the relevant stakeholders.
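The policy enforcement described in the previous section and the four steps above together form one procedure: walk every component of a build, direct and indirect, record each one's license, fill in the licenses that could not be identified, check the result against a policy, and export it. The script below is an added, illustrative implementation of that procedure in Python; it is not Xray's code and does not call the Xray API. The build tree, the SPDX license identifiers, the allowed/banned policy and the CSV layout are all constructed for this example.

```python
"""Illustrative license-compliance walk over a build's dependency tree.

Added example, not JFrog Xray code. Data model, policy shape and report
layout are assumptions made for the demonstration.
"""
from typing import Dict, List, Optional, Set

# Constructed sample build. Each component may pull in further (indirect)
# components; "license" is an SPDX identifier, or None when not identified.
BUILD = {
    "name": "payments-service",
    "version": "1.4.0",
    "components": [
        {"id": "pkg:maven/org.example/http-client@2.1", "license": "Apache-2.0",
         "dependencies": [
             {"id": "pkg:maven/org.example/json-lite@0.9", "license": "MIT", "dependencies": []},
             {"id": "pkg:maven/org.example/ssl-helper@1.0", "license": None, "dependencies": []},
         ]},
        {"id": "pkg:maven/org.example/report-gen@3.0", "license": "GPL-3.0-only",
         "dependencies": [
             {"id": "pkg:maven/org.example/json-lite@0.9", "license": "MIT", "dependencies": []},
         ]},
        {"id": "pkg:maven/org.example/metrics@1.2", "license": "EPL-2.0", "dependencies": []},
    ],
}

# Constructed policy: licenses legal has cleared, and licenses it has banned.
POLICY = {
    "allowed": {"Apache-2.0", "MIT", "BSD-3-Clause"},
    "banned": {"GPL-3.0-only", "AGPL-3.0-only"},
}


def inventory(components: List[dict], overrides: Optional[Dict[str, str]] = None) -> Dict[str, dict]:
    """Steps 1-3: recursively collect every component, direct and indirect.

    Returns {component_id: {"license": str|None, "direct": bool, "via": [parent ids]}}.
    A component reached from several parents is listed once. `overrides` stands in
    for manually assigning a license to a component whose license could not be
    identified; it is applied only where the license is unknown.
    """
    overrides = overrides or {}
    result: Dict[str, dict] = {}
    expanded: Set[str] = set()  # guards against cycles in the dependency graph

    def visit(comp: dict, parent: Optional[str]) -> None:
        cid = comp["id"]
        entry = result.setdefault(cid, {"license": None, "direct": False, "via": []})
        lic = comp.get("license") or overrides.get(cid)
        if lic:
            entry["license"] = lic
        if parent is None:
            entry["direct"] = True
        else:
            entry["via"].append(parent)
        if cid in expanded:
            return
        expanded.add(cid)
        for dep in comp.get("dependencies", []):
            visit(dep, cid)

    for comp in components:
        visit(comp, None)
    return result


def evaluate(inv: Dict[str, dict], policy: dict) -> Dict[str, List[str]]:
    """Apply the policy. Each bucket is a sorted list of component ids:
    banned     - license on the banned list, blocks the release
    unknown    - no license identified, must be assigned before the report is trusted
    unreviewed - license identified but neither cleared nor banned, needs legal review
    """
    findings: Dict[str, List[str]] = {"banned": [], "unknown": [], "unreviewed": []}
    for cid, entry in inv.items():
        lic = entry["license"]
        if lic is None:
            findings["unknown"].append(cid)
        elif lic in policy["banned"]:
            findings["banned"].append(cid)
        elif lic not in policy["allowed"]:
            findings["unreviewed"].append(cid)
    return {bucket: sorted(ids) for bucket, ids in findings.items()}


def release_allowed(findings: Dict[str, List[str]]) -> bool:
    """The gate a release job would check: no banned and no unidentified licenses."""
    return not findings["banned"] and not findings["unknown"]


def export_report(build: dict, inv: Dict[str, dict], findings: Dict[str, List[str]]) -> str:
    """Step 4: render the report as CSV text for the stakeholders."""
    status = {cid: bucket for bucket, ids in findings.items() for cid in ids}
    lines = [f"# build={build['name']}@{build['version']} components={len(inv)}",
             "component,license,scope,status"]
    for cid in sorted(inv):
        entry = inv[cid]
        lines.append(",".join([cid, entry["license"] or "UNKNOWN",
                               "direct" if entry["direct"] else "indirect",
                               status.get(cid, "allowed")]))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # First pass: one component has no identified license, one is GPL-licensed.
    inv = inventory(BUILD["components"])
    print(export_report(BUILD, inv, evaluate(inv, POLICY)))
    # Second pass: the unknown license has been assigned manually (step 3).
    inv = inventory(BUILD["components"], {"pkg:maven/org.example/ssl-helper@1.0": "BSD-3-Clause"})
    findings = evaluate(inv, POLICY)
    print(export_report(BUILD, inv, findings))
    print("release allowed:", release_allowed(findings))
```

Running the script prints two reports: the first flags `ssl-helper` as unknown and `report-gen` as banned; after the manual assignment only the banned component remains, so `release_allowed` still returns False. Note that `json-lite` appears once in the inventory even though two parents pull it in, which is the deduplication a recursive license report needs so that counts and exports do not overstate the component list.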