├── CONTRIBUTING.md
├── Ecosystem-Survey-2019
│   ├── Final-Results-Double-Open-Short-Ecosystem-Survey-2019.pdf
│   ├── Pit-Stop-Results
│   │   ├── PIT-STOP-RESULTS-OF-THE-DOUBLE-OPEN-SHORT-ECOSYSTEM-SURVEY-2019-(version 3).pdf
│   │   └── Pit-Stop-Results-v2-20190314.pdf
│   ├── README.md
│   ├── Raw-Data-Double-Open-Short-Ecosystem-Survey-2019.xlsx
│   ├── Results-Companies-With-Over-1000-Employees.pdf
│   └── Short-Ecosystem-Survey-2019-Report.md
├── Images
│   ├── Fossology
│   │   ├── README.md
│   │   ├── spin.js-2.3.2-fossologyscan.png
│   │   └── spin.js-2.3.2-fossologyscanresults.png
│   └── ScanCode
│       ├── README.md
│       ├── scancode-shownresults-workbench-spin.js-2.3.png
│       └── spin.js-2.3.2-scancodefullscan.png
├── LICENSE
├── README.md
├── Voice-of-Customer-Workshops
│   ├── Double-Open-Voice-of-Customer-Workshops-Report-20190526.pdf
│   └── Readme.md
└── publication.md

--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
# Contributing to Double Open publications

Please work on the dev branch and let us know of your plans.

Entry on 15-02-2019: We are looking to publish an updated version (v2) of our landscape survey in March 2019. For this we are looking for additions of new tools and better descriptions of existing tools and other work. If you promote a tool, or are otherwise willing to contribute, we welcome pull requests.

# Contributors
All contributors are expected to add their GitHub user account names and real names to this list. Adding a name confirms acceptance of the project license (CC-BY-4.0 in the file LICENSE) and the contributor's right to submit the contributions he or she makes.

[willebra](https://github.com/willebra) - Martin von Willebrand
[henritns](https://github.com/henritns) - Henri Tanskanen
[Toniprni](https://github.com/Toniprni) - Toni Päärni

--------------------------------------------------------------------------------
/Ecosystem-Survey-2019/Final-Results-Double-Open-Short-Ecosystem-Survey-2019.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/doubleopen-project/doubleopen-publications/d030fa30933cbb4b3e702840e2a847ae9a863797/Ecosystem-Survey-2019/Final-Results-Double-Open-Short-Ecosystem-Survey-2019.pdf

--------------------------------------------------------------------------------
/Ecosystem-Survey-2019/Pit-Stop-Results/PIT-STOP-RESULTS-OF-THE-DOUBLE-OPEN-SHORT-ECOSYSTEM-SURVEY-2019-(version 3).pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/doubleopen-project/doubleopen-publications/d030fa30933cbb4b3e702840e2a847ae9a863797/Ecosystem-Survey-2019/Pit-Stop-Results/PIT-STOP-RESULTS-OF-THE-DOUBLE-OPEN-SHORT-ECOSYSTEM-SURVEY-2019-(version 3).pdf

--------------------------------------------------------------------------------
/Ecosystem-Survey-2019/Pit-Stop-Results/Pit-Stop-Results-v2-20190314.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/doubleopen-project/doubleopen-publications/d030fa30933cbb4b3e702840e2a847ae9a863797/Ecosystem-Survey-2019/Pit-Stop-Results/Pit-Stop-Results-v2-20190314.pdf

--------------------------------------------------------------------------------
/Ecosystem-Survey-2019/README.md:
--------------------------------------------------------------------------------
# Double Open Short Ecosystem Survey 2019

Double Open launched the Double Open Short Ecosystem Survey 2019 to accumulate real life factual information from members of the open source ecosystem to
investigate the existing landscape and the popularity of open source compliance tools, development tools/technologies and open source initiatives.

The Double Open project will publish the pit stop results and the final results of the Double Open Short Ecosystem Survey 2019 under this folder. All results are copyrighted to HH Partners, Attorneys-at-law Ltd and will be published under the CC-BY-4.0 license.

--------------------------------------------------------------------------------
/Ecosystem-Survey-2019/Raw-Data-Double-Open-Short-Ecosystem-Survey-2019.xlsx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/doubleopen-project/doubleopen-publications/d030fa30933cbb4b3e702840e2a847ae9a863797/Ecosystem-Survey-2019/Raw-Data-Double-Open-Short-Ecosystem-Survey-2019.xlsx

--------------------------------------------------------------------------------
/Ecosystem-Survey-2019/Results-Companies-With-Over-1000-Employees.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/doubleopen-project/doubleopen-publications/d030fa30933cbb4b3e702840e2a847ae9a863797/Ecosystem-Survey-2019/Results-Companies-With-Over-1000-Employees.pdf

--------------------------------------------------------------------------------
/Ecosystem-Survey-2019/Short-Ecosystem-Survey-2019-Report.md:
--------------------------------------------------------------------------------
# Double Open Short Ecosystem Survey 2019 Report

**UNDER DEVELOPMENT**

---

- [Introduction](#introduction)
- [Links to Results](#links-to-results)
- [Participation and use of open compliance initiatives](#participation-and-use-of-open-compliance-initiatives)
- [Open tools in open source compliance](#open-tools-in-open-source-compliance)
- [Commercial tools in open source compliance](#commercial-tools-in-open-source-compliance)
- [Request and incident management tools](#request-and-incident-management-tools)
- [IDEs, Integrated Development Environments](#ides-integrated-development-environments)
- [Source code management (SCM) tools and services](#source-code-management-scm-tools-and-services)
- [Continuous integration (CI) and continuous deployment (CD) tools](#continuous-integration-ci-and-continuous-deployment-cd-tools)
- [Build tools, frameworks and dependency management](#build-tools-frameworks-and-dependency-management)
- [Package indexes and repositories](#package-indexes-and-repositories)
- [Document management](#document-management)
- [Testing frameworks](#testing-frameworks)
- [Container technologies](#container-technologies)
- [What is the size of your organization?](#what-is-the-size-of-your-organization)
- [Conclusion](#conclusion)

## Introduction

Double Open launched the Double Open Short Ecosystem Survey 2019 to accumulate real life factual information from members of the open source ecosystem to investigate the existing landscape and the popularity of open source compliance tools, development tools/technologies and open source initiatives.

This report is copyrighted to HH Partners, Attorneys-at-law Ltd. and published under the CC-BY-4.0 license.

A total of 28 responses were received from a diverse sample of companies of different sizes. The survey was open during February, March and early April 2019. This report includes anonymised data from the survey together with an analysis of the process and the results. The anonymised data is also available as raw data for further analysis.

Some of the data has been affected by who the survey was shared with. The survey was publicly available on our website, and in addition we sent a link to it to specific mailing lists. This may have some impact on the results, which has been taken into consideration in the analysis.

New compliance tools have also come to our attention after the launch of the survey. These "new" tools are therefore not visible in the results, and they cannot be evaluated through the survey data.

In this report we analyse the results section by section, followed by a conclusion and some forward-looking remarks from the Double Open project.

---

## Links to Results

* The final results of the Double Open Short Ecosystem Survey 2019 can be found [here](/Ecosystem-Survey-2019/Final-Results-Double-Open-Short-Ecosystem-Survey-2019.pdf)
* The final results for companies with over 1000 employees only can be found [here](/Ecosystem-Survey-2019/Results-Companies-With-Over-1000-Employees.pdf)
* The raw data of the final results can be found [here](/Ecosystem-Survey-2019/Raw-Data-Double-Open-Short-Ecosystem-Survey-2019.xlsx)

---

## Participation and use of open compliance initiatives

### Results

| Initiative                       | Number of users |
| :------------------------------- | :-------------: |
| OpenChain                        |       15        |
| ClearlyDefined                   |       10        |
| Sharing-creates-value            |        5        |
| Automated Compliance Tooling ACT |        3        |
| Eclipse Oscano                   |        1        |
| AboutCode.org                    |        1        |

### Analysis

A request to fill in the survey was posted to the Sharing-creates-value initiative's mailing list, as well as to ClearlyDefined's Slack and OpenChain's mailing lists. The top three results therefore represent the activity of those lists quite well. Please also note that the Sharing-creates-value initiative has operated as the OSS Based Compliance Tooling group, which since early August 2019 works under OpenChain. Also worth noting is that OpenChain is likely the oldest of these initiatives (at the time the survey was issued) and Automated Compliance Tooling ACT the youngest.

With the merging of OpenChain and Sharing-creates-value, the currently strongest initiative/working group appears to be the OSS Based Compliance Tooling group, although the two areas of work (quality based process improvement in OpenChain and tooling work in the OSS Based Compliance Tooling group) remain distinct but complementary. That observation is also supported by our own experience of participating in the work of the three topmost initiatives.

ClearlyDefined has a significant number of mentions too, and its approach is different: an actual API based service. That approach has clear value in terms of ease of integration.

---

## Open tools in open source compliance

### Results

| Tool                                                        | Number of users |
| ----------------------------------------------------------- | :-------------: |
| Fossology                                                   |       15        |
| ScanCode toolkit                                            |       14        |
| SPDX Tools                                                  |       11        |
| OSS Review Toolkit ORT                                      |        7        |
| AboutCode toolkit                                           |        3        |
| Eclipse SW360                                               |        3        |
| Tern                                                        |        3        |
| DeltaCode                                                   |        2        |
| AboutCode Manager                                           |        2        |
| TraceCode toolkit                                           |        2        |
| Ninka                                                       |        2        |
| The Quartermaster Project QMSTR                             |        2        |
| Open Source License Checklists by OSADL                     |        2        |
| Licensee.js                                                 |        1        |
| Cregit                                                      |        1        |
| OSS Attribution Builder                                     |        1        |
| SPDX Maven plugin                                           |        1        |
| Licensee from GitHub (that powers the license checks there) |        1        |
| LicenseFinder                                               |        1        |
| OSS Discovery by OpenLogic                                  |        0        |
| license-compatibility-checker                               |        0        |
| Apache Rat                                                  |        0        |
| Apache Tentacles                                            |        0        |
| Apache Whisker                                              |        0        |
| OSSSanitizer and OSSPolice                                  |        0        |
| CLIPol                                                      |        0        |

### Analysis

- Fossology, ScanCode and SPDX Tools are clear leaders. All of them have existed for quite some time already.
- Both Fossology and ScanCode produce SPDX.
- ScanCode is already integrated into e.g. OSS Review Toolkit and ClearlyDefined.
- Fossology is already integrated into e.g. the ACT initiative and ClearlyDefined.
- OSS Review Toolkit ORT has not been officially publicised and is very young, yet it had nevertheless gathered several replies.
- Also, when responses from companies with fewer than 1,000 employees are removed, the 3 tools with most answers are Fossology, ScanCode and ORT.

---

## Commercial tools in open source compliance

### Results

| Tool                       | Number of users |
| :------------------------- | :-------------: |
| FOSSID                     |        7        |
| BlackDuck                  |        6        |
| WhiteSource                |        6        |
| Fossa                      |        2        |
| NexB                       |        2        |
| Flexera                    |        1        |
| Sonatype                   |        1        |
| Snyk.io                    |        1        |
| TripleCheck                |        0        |
| Insignary                  |        0        |
| Anchore                    |        0        |
| CAST Software Intelligence |        0        |
| Rogue Wave Software        |        0        |

### Analysis

Commercial tools are not at the centre of attention for the Double Open project, hence the above result is not analysed further.

---

## Request and incident management tools

### Results

| Tool                                                                | Number of users |
| :------------------------------------------------------------------ | :-------------: |
| GitHub/GitLab/other Git service                                     |       23        |
| JIRA                                                                |       21        |
| Team Foundation Server                                              |        6        |
| Polarion                                                            |        2        |
| Visual Studio DevOps (former TFS)                                   |        1        |
| Perforce                                                            |        1        |
| RT                                                                  |        1        |
| Azure DevOps (the new name for VSTS which was the new name for TFS) |        1        |

### Analysis

Based on the results it seems clear that an open toolchain should produce its reports into Git services and JIRA. A proof of concept should choose one of these.
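The analysis of the open tools notes that both Fossology and ScanCode produce SPDX, and the analysis above concludes that an open toolchain should deliver its reports into Git services or JIRA. The following is an added example, not code from Double Open, ScanCode or Fossology: a small policy gate that parses an SPDX 2.x tag-value document (the format those scanners can emit), evaluates each file's concluded licence expression against an allow-list, and renders the findings as a Markdown table of the kind a CI job could post as a pull-request comment or ticket body. The SPDX document, its file paths, the `ALLOWED` set and the function names are constructed for illustration and are not taken from any real scan.

```python
# Added example, not Double Open's code: a licence policy gate over an SPDX
# 2.x tag-value document of the shape ScanCode (--spdx-tv) or Fossology emit.
# SPDX_DOC, its file paths and the ALLOWED policy set are constructed assumptions.
import re

SPDX_DOC = """\
SPDXVersion: SPDX-2.1
DataLicense: CC0-1.0

FileName: ./lib/core.js
LicenseConcluded: MIT
FileCopyrightText: <text>Copyright (c) 2018 Example Author</text>

FileName: ./vendor/unknown.js
LicenseConcluded: NOASSERTION
FileCopyrightText: NOASSERTION

FileName: ./vendor/dual.c
LicenseConcluded: (GPL-2.0-only OR MIT)
FileCopyrightText: <text>Copyright (c) 2016 Another Author
Copyright (c) 2017 Yet Another Author</text>

FileName: ./vendor/copyleft.c
LicenseConcluded: GPL-3.0-only AND MIT
FileCopyrightText: NOASSERTION
"""

# Assumed policy: licence identifiers a hypothetical project accepts unreviewed.
ALLOWED = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC",
           "GPL-2.0-only WITH Classpath-exception-2.0"}

# One "Tag: value" per line; a <text>...</text> value may span several lines.
_TAGVAL = re.compile(r"^([A-Za-z]+):[ \t]*(<text>.*?</text>|[^\n]*)$", re.M | re.S)
_TOKEN = re.compile(r"\(|\)|[A-Za-z0-9.+-]+")


def parse_spdx_tv(text):
    """Return one {tag: [values]} record per FileName; document-level tags
    that precede the first FileName are skipped."""
    files, rec = [], None
    for tag, value in _TAGVAL.findall(text):
        if value.startswith("<text>"):
            value = value[len("<text>"):-len("</text>")]
        if tag == "FileName":
            rec = {"FileName": [value]}
            files.append(rec)
        elif rec is not None:
            rec.setdefault(tag, []).append(value)
    return files


def expression_allowed(expr, allowed=ALLOWED):
    """Evaluate an SPDX licence expression against the policy: AND needs every
    operand allowed, OR needs one, and 'X WITH Y' passes if the exact pair or
    X alone is allowed. Parentheses nest as in SPDX."""
    toks, pos = _TOKEN.findall(expr), 0

    def atom():
        nonlocal pos
        tok, pos = toks[pos], pos + 1
        if tok == "(":
            ok = disjunction()
            pos += 1                       # consume the closing parenthesis
            return ok
        if pos < len(toks) and toks[pos].upper() == "WITH":
            pair, pos = f"{tok} WITH {toks[pos + 1]}", pos + 2
            return pair in allowed or tok in allowed
        return tok in allowed

    def chain(op, operand, combine):
        nonlocal pos
        ok = operand()
        while pos < len(toks) and toks[pos].upper() == op:
            pos += 1
            ok = combine(operand(), ok)    # operand() runs first, so no token is skipped
        return ok

    conjunction = lambda: chain("AND", atom, lambda a, b: a and b)
    disjunction = lambda: chain("OR", conjunction, lambda a, b: a or b)
    return disjunction()


def gate(spdx_text, allowed=ALLOWED):
    """Return (path, concluded licence, reason) for each file a human must review."""
    findings = []
    for rec in parse_spdx_tv(spdx_text):
        path, concluded = rec["FileName"][0], rec.get("LicenseConcluded", ["NOASSERTION"])[0]
        if concluded in ("NOASSERTION", "NONE"):
            findings.append((path, concluded, "no licence concluded by the scan"))
        elif not expression_allowed(concluded, allowed):
            findings.append((path, concluded, "licence not in policy allow-list"))
    return findings


def render_report(findings):
    """Markdown table ready to post as a pull-request comment or ticket body."""
    if not findings:
        return "Licence gate: no findings."
    rows = ["| File | Concluded licence | Reason |", "| --- | --- | --- |"]
    return "\n".join(rows + [f"| {p} | {lic} | {why} |" for p, lic, why in findings])


if __name__ == "__main__":
    print(render_report(gate(SPDX_DOC)))
```

Run as a script it prints the table for the constructed document, flagging the file with no concluded licence and the file whose `AND` expression contains an identifier outside the policy, while the `(GPL-2.0-only OR MIT)` file passes because one disjunct is allowed. In a CI job the same Markdown would be posted to the pull request or ticket, and a non-empty findings list would fail the build; `NOASSERTION` is treated as a finding on purpose, since an unscanned or unrecognised file is exactly what a compliance gate must not silently accept.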

---

## IDEs, Integrated Development Environments

### Results

| Tool                    | Number of users |
| ----------------------- | --------------- |
| Visual Studio           | 20              |
| Eclipse                 | 19              |
| JetBrains IntelliJ IDEA | 10              |
| Android Studio          | 9               |
| JetBrains PyCharm       | 7               |
| Visual Studio Code      | 3               |
| Qt Creator              | 3               |
| NetBeans IDE            | 3               |
| JetBrains WebStorm      | 2               |
| JetBrains PhpStorm      | 2               |
| JetBrains GoLand        | 2               |
| JetBrains CLion         | 2               |
| vim                     | 1               |
| JetBrains RubyMine      | 1               |
| JetBrains Rider         | 1               |

### Analysis

Based on the results it seems clear that any integration into IDEs should consider Visual Studio and Eclipse first.

---

## Source code management (SCM) tools and services

### Results

| Tool       | Number of users |
| ---------- | --------------- |
| Git        | 19              |
| GitHub     | 18              |
| GitLab     | 13              |
| Bitbucket  | 8               |
| SVN        | 5               |
| gerrit     | 2               |
| Mercurial  | 1               |
| Perforce   | 1               |
| Clear Case | 1               |

### Analysis

Based on the results it seems clear that integration into SCMs should first focus on Git based services and tools.

---

## Continuous integration (CI) and continuous deployment (CD) tools

### Results

| Tool                   | Number of users |
| ---------------------- | --------------- |
| Jenkins                | 23              |
| Travis CI              | 10              |
| Team Foundation Server | 7               |
| Ansible                | 7               |
| CircleCI               | 6               |
| Azure DevOps           | 6               |
| TeamCity               | 5               |
| GitLab CI              | 5               |
| AppVeyor               | 4               |
| Puppet                 | 3               |
| Octopus                | 2               |
| Codeship               | 2               |
| Bamboo                 | 2               |
| GitHub Actions         | 1               |
| Concourse              | 1               |
| AWS CodeBuild          | 1               |
| wercker                | 0               |
| Semaphore              | 0               |
| Go.CD                  | 0               |
| Drone.io               | 0               |
| Buildkite              | 0               |

### Analysis

Based on the results, the natural first choice for CI/CD integration in a proof of concept would be Jenkins.

---

## Build tools, frameworks and dependency management

### Results

| Tool                 | Number of users |
| -------------------- | --------------- |
| Apache Maven         | 19              |
| npm                  | 19              |
| Gradle               | 16              |
| pip / pipenv         | 15              |
| Visual Studio        | 14              |
| Make                 | 13              |
| Yocto / OpenEmbedded | 12              |
| CMake                | 10              |
| yarn                 | 9               |
| Apache Ant           | 8               |
| Webpack              | 7               |
| Composer             | 6               |
| sbt                  | 5               |
| BitBake              | 4               |
| Conda                | 3               |
| Godep, Bundler       | 1               |

### Analysis

Java based technologies are clearly at the top of the build tools list, followed by Python technologies. Gradle as a framework is less tied to a single development language. A notable number of embedded Linux technologies are also mentioned: Make, Yocto and CMake each get at least 10 mentions. A proof of concept for automated compliance should likely integrate into one or several of these.

---

## Package indexes and repositories

### Results

| Tool                                            | Number of users |
| ----------------------------------------------- | --------------- |
| npm registry                                    | 19              |
| Maven repositories                              | 17              |
| NuGet                                           | 13              |
| Bower                                           | 11              |
| JFrog Artifactory                               | 9               |
| RubyGems.org                                    | 8               |
| Nexus Repository                                | 8               |
| Go Search                                       | 7               |
| Packagist (the PHP package repository)          | 6               |
| CPAN                                            | 4               |
| CocoaPods                                       | 4               |
| Cargo (crates.io)                               | 3               |
| PEAR (PHP extension and application repository) | 3               |
| RPM and Debian/Ubuntu repos                     | 1               |
| PlatformIO registry                             | 0               |

### Analysis

Package indexes are widely used in Java and JavaScript, which can be seen in the answers to this question. Any proof of concept in these technologies should likely use the information available from the topmost registries listed here.

---

## Document management

### Results

| Tool         | Number of users |
| ------------ | --------------- |
| Confluence   | 18              |
| Polarion     | 1               |
| GitHub       | 1               |
| Liferay Sync | 1               |
| Flowdock     | 0               |

### Analysis

Based on these replies, document management integration should target Confluence.

---

## Testing frameworks

### Results

| Tool             | Number of users |
| ---------------- | --------------- |
| Selenium         | 10              |
| Robot Framework  | 7               |
| JUnit            | 7               |
| AndroidTest      | 5               |
| qTest            | 4               |
| Mockito          | 3               |
| TestRail         | 1               |
| Roboelectric     | 1               |
| py.test          | 1               |
| Nunit googletest | 1               |
| Cunit            | 1               |
| Robolectric      | 1               |
| Unity            | 1               |
| Cypress          | 0               |
| RedwoodHQ        | 0               |
| Serenity         | 0               |
| Citrus Framework | 0               |

### Analysis

The testing framework answers are more divided, with no clear leader among the 28 responses.

---

## Container technologies

### Results

| Tool          | Number of users |
| ------------- | --------------- |
| Docker        | 23              |
| Kubernetes    | 14              |
| OpenShift     | 5               |
| Cloud Foundry | 4               |
| VirtualBox    | 1               |
| Atomic        | 0               |

### Analysis

Container related integration should likely start with Docker, followed by Kubernetes.

---

## What is the size of your organization?

### Results

| Number of employees | Responses |
| ------------------- | --------- |
| over 10000          | 10        |
| 1000 - 9999         | 7         |
| 100 - 999           | 5         |
| 10 - 99             | 3         |
| under 10            | 3         |

We separately analysed the replies of respondents from organizations with over 1000 employees. However, there were few significant differences. Where we found a difference to be significant, we have noted it in the analysis. To view the survey results for organizations with 1000 or more employees only, please see the section [Links to Results](#links-to-results).

### Analysis

The above gives a view of the type of respondents to this questionnaire. At the same time it reflects the type of organizations that are interested in open source compliance, i.e. large enterprises.

---

## Conclusion

The response quantity (28) to the survey was small to medium. However, the purpose of the survey was to explore the potential direction of the software industry and open source compliance. By reaching out to a number of compliance related communities, we succeeded in getting answers from a group of people within the industry who provide an interesting insight into the tooling used in and in relation to open source compliance. 61 per cent of the sample group were companies with over 1000 employees. Large companies are de facto influential in the OSS industry and also the ones with the greatest need for open source compliance. We therefore deem the survey an overall success, and it does give valid information on e.g. integrations to all who wish to develop and contribute in open source. We are planning to follow this short survey with a more substantial survey to support the conceptualising of a possible automated tool chain for open source compliance.

---

---END OF DOCUMENT---

--------------------------------------------------------------------------------
/Images/Fossology/README.md:
--------------------------------------------------------------------------------
# Fossology image storage for Publications.md

--------------------------------------------------------------------------------
/Images/Fossology/spin.js-2.3.2-fossologyscan.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/doubleopen-project/doubleopen-publications/d030fa30933cbb4b3e702840e2a847ae9a863797/Images/Fossology/spin.js-2.3.2-fossologyscan.png

--------------------------------------------------------------------------------
/Images/Fossology/spin.js-2.3.2-fossologyscanresults.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/doubleopen-project/doubleopen-publications/d030fa30933cbb4b3e702840e2a847ae9a863797/Images/Fossology/spin.js-2.3.2-fossologyscanresults.png

--------------------------------------------------------------------------------
/Images/ScanCode/README.md:
--------------------------------------------------------------------------------
# Images of ScanCode for Publications.md

--------------------------------------------------------------------------------
/Images/ScanCode/scancode-shownresults-workbench-spin.js-2.3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/doubleopen-project/doubleopen-publications/d030fa30933cbb4b3e702840e2a847ae9a863797/Images/ScanCode/scancode-shownresults-workbench-spin.js-2.3.png

--------------------------------------------------------------------------------
/Images/ScanCode/spin.js-2.3.2-scancodefullscan.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/doubleopen-project/doubleopen-publications/d030fa30933cbb4b3e702840e2a847ae9a863797/Images/ScanCode/spin.js-2.3.2-scancodefullscan.png

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
Attribution 4.0 International

=======================================================================

Creative Commons Corporation ("Creative Commons") is not a law firm and
does not provide legal services or legal advice. Distribution of
Creative Commons public licenses does not create a lawyer-client or
other relationship. Creative Commons makes its licenses and related
information available on an "as-is" basis. Creative Commons gives no
warranties regarding its licenses, any material licensed under their
terms and conditions, or any related information. Creative Commons
disclaims all liability for damages resulting from their use to the
fullest extent possible.

Using Creative Commons Public Licenses

Creative Commons public licenses provide a standard set of terms and
conditions that creators and other rights holders may use to share
original works of authorship and other material subject to copyright
and certain other rights specified in the public license below. The
following considerations are for informational purposes only, are not
exhaustive, and do not form part of our licenses.

     Considerations for licensors: Our public licenses are
     intended for use by those authorized to give the public
     permission to use material in ways otherwise restricted by
     copyright and certain other rights. Our licenses are
     irrevocable. Licensors should read and understand the terms
     and conditions of the license they choose before applying it.
     Licensors should also secure all rights necessary before
     applying our licenses so that the public can reuse the
     material as expected. Licensors should clearly mark any
     material not subject to the license. This includes other CC-
     licensed material, or material used under an exception or
     limitation to copyright. More considerations for licensors:
     wiki.creativecommons.org/Considerations_for_licensors

     Considerations for the public: By using one of our public
     licenses, a licensor grants the public permission to use the
     licensed material under specified terms and conditions. If
     the licensor's permission is not necessary for any reason--for
     example, because of any applicable exception or limitation to
     copyright--then that use is not regulated by the license. Our
     licenses grant only permissions under copyright and certain
     other rights that a licensor has authority to grant. Use of
     the licensed material may still be restricted for other
     reasons, including because others have copyright or other
     rights in the material. A licensor may make special requests,
     such as asking that all changes be marked or described.
     Although not required by our licenses, you are encouraged to
     respect those requests where reasonable. More considerations
     for the public:
     wiki.creativecommons.org/Considerations_for_licensees

=======================================================================

Creative Commons Attribution 4.0 International Public License

By exercising the Licensed Rights (defined below), You accept and agree
to be bound by the terms and conditions of this Creative Commons
Attribution 4.0 International Public License ("Public License"). To the
extent this Public License may be interpreted as a contract, You are
granted the Licensed Rights in consideration of Your acceptance of
these terms and conditions, and the Licensor grants You such rights in
consideration of benefits the Licensor receives from making the
Licensed Material available under these terms and conditions.


Section 1 -- Definitions.

  a. Adapted Material means material subject to Copyright and Similar
     Rights that is derived from or based upon the Licensed Material
     and in which the Licensed Material is translated, altered,
     arranged, transformed, or otherwise modified in a manner requiring
     permission under the Copyright and Similar Rights held by the
     Licensor. For purposes of this Public License, where the Licensed
     Material is a musical work, performance, or sound recording,
     Adapted Material is always produced where the Licensed Material is
     synched in timed relation with a moving image.

  b. Adapter's License means the license You apply to Your Copyright
     and Similar Rights in Your contributions to Adapted Material in
     accordance with the terms and conditions of this Public License.

  c. Copyright and Similar Rights means copyright and/or similar rights
     closely related to copyright including, without limitation,
     performance, broadcast, sound recording, and Sui Generis Database
     Rights, without regard to how the rights are labeled or
     categorized. For purposes of this Public License, the rights
     specified in Section 2(b)(1)-(2) are not Copyright and Similar
     Rights.

  d. Effective Technological Measures means those measures that, in the
     absence of proper authority, may not be circumvented under laws
     fulfilling obligations under Article 11 of the WIPO Copyright
     Treaty adopted on December 20, 1996, and/or similar international
     agreements.

  e. Exceptions and Limitations means fair use, fair dealing, and/or
     any other exception or limitation to Copyright and Similar Rights
     that applies to Your use of the Licensed Material.

  f. Licensed Material means the artistic or literary work, database,
     or other material to which the Licensor applied this Public
     License.

  g. Licensed Rights means the rights granted to You subject to the
     terms and conditions of this Public License, which are limited to
     all Copyright and Similar Rights that apply to Your use of the
     Licensed Material and that the Licensor has authority to license.

  h. Licensor means the individual(s) or entity(ies) granting rights
     under this Public License.

  i. Share means to provide material to the public by any means or
     process that requires permission under the Licensed Rights, such
     as reproduction, public display, public performance, distribution,
     dissemination, communication, or importation, and to make material
     available to the public including in ways that members of the
     public may access the material from a place and at a time
     individually chosen by them.

  j. Sui Generis Database Rights means rights other than copyright
     resulting from Directive 96/9/EC of the European Parliament and of
     the Council of 11 March 1996 on the legal protection of databases,
     as amended and/or succeeded, as well as other essentially
     equivalent rights anywhere in the world.

  k. You means the individual or entity exercising the Licensed Rights
     under this Public License. Your has a corresponding meaning.


Section 2 -- Scope.

  a. License grant.

       1. Subject to the terms and conditions of this Public License,
          the Licensor hereby grants You a worldwide, royalty-free,
          non-sublicensable, non-exclusive, irrevocable license to
          exercise the Licensed Rights in the Licensed Material to:

            a. reproduce and Share the Licensed Material, in whole or
               in part; and

            b. produce, reproduce, and Share Adapted Material.

       2. Exceptions and Limitations. For the avoidance of doubt, where
          Exceptions and Limitations apply to Your use, this Public
          License does not apply, and You do not need to comply with
          its terms and conditions.

       3. Term. The term of this Public License is specified in Section
          6(a).

       4. Media and formats; technical modifications allowed. The
          Licensor authorizes You to exercise the Licensed Rights in
          all media and formats whether now known or hereafter created,
          and to make technical modifications necessary to do so. The
          Licensor waives and/or agrees not to assert any right or
          authority to forbid You from making technical modifications
          necessary to exercise the Licensed Rights, including
          technical modifications necessary to circumvent Effective
          Technological Measures. For purposes of this Public License,
          simply making modifications authorized by this Section 2(a)
          (4) never produces Adapted Material.

       5. Downstream recipients.

            a. Offer from the Licensor -- Licensed Material. Every
               recipient of the Licensed Material automatically
               receives an offer from the Licensor to exercise the
               Licensed Rights under the terms and conditions of this
               Public License.

            b. No downstream restrictions. You may not offer or impose
               any additional or different terms or conditions on, or
               apply any Effective Technological Measures to, the
               Licensed Material if doing so restricts exercise of the
               Licensed Rights by any recipient of the Licensed
               Material.

       6. No endorsement. Nothing in this Public License constitutes or
          may be construed as permission to assert or imply that You
          are, or that Your use of the Licensed Material is, connected
          with, or sponsored, endorsed, or granted official status by,
          the Licensor or others designated to receive attribution as
          provided in Section 3(a)(1)(A)(i).

  b. Other rights.

       1. Moral rights, such as the right of integrity, are not
          licensed under this Public License, nor are publicity,
          privacy, and/or other similar personality rights; however, to
          the extent possible, the Licensor waives and/or agrees not to
          assert any such rights held by the Licensor to the limited
          extent necessary to allow You to exercise the Licensed
          Rights, but not otherwise.

       2. Patent and trademark rights are not licensed under this
          Public License.

       3. To the extent possible, the Licensor waives any right to
          collect royalties from You for the exercise of the Licensed
          Rights, whether directly or through a collecting society
          under any voluntary or waivable statutory or compulsory
          licensing scheme. In all other cases the Licensor expressly
          reserves any right to collect such royalties.


Section 3 -- License Conditions.

Your exercise of the Licensed Rights is expressly made subject to the
following conditions.

  a. Attribution.

       1. If You Share the Licensed Material (including in modified
          form), You must:

            a. retain the following if it is supplied by the Licensor
               with the Licensed Material:

                 i. identification of the creator(s) of the Licensed
                    Material and any others designated to receive
                    attribution, in any reasonable manner requested by
                    the Licensor (including by pseudonym if
                    designated);

                ii. a copyright notice;

               iii. a notice that refers to this Public License;

                iv. a notice that refers to the disclaimer of
                    warranties;

                 v. a URI or hyperlink to the Licensed Material to the
                    extent reasonably practicable;

            b. indicate if You modified the Licensed Material and
               retain an indication of any previous modifications; and

            c. indicate the Licensed Material is licensed under this
               Public License, and include the text of, or the URI or
               hyperlink to, this Public License.

       2. You may satisfy the conditions in Section 3(a)(1) in any
          reasonable manner based on the medium, means, and context in
          which You Share the Licensed Material. For example, it may be
          reasonable to satisfy the conditions by providing a URI or
          hyperlink to a resource that includes the required
          information.

       3. If requested by the Licensor, You must remove any of the
          information required by Section 3(a)(1)(A) to the extent
          reasonably practicable.

       4. If You Share Adapted Material You produce, the Adapter's
          License You apply must not prevent recipients of the Adapted
          Material from complying with this Public License.


Section 4 -- Sui Generis Database Rights.

Where the Licensed Rights include Sui Generis Database Rights that
apply to Your use of the Licensed Material:

  a. for the avoidance of doubt, Section 2(a)(1) grants You the right
     to extract, reuse, reproduce, and Share all or a substantial
     portion of the contents of the database;

  b.
if You include all or a substantial portion of the database 272 | contents in a database in which You have Sui Generis Database 273 | Rights, then the database in which You have Sui Generis Database 274 | Rights (but not its individual contents) is Adapted Material; and 275 | 276 | c. You must comply with the conditions in Section 3(a) if You Share 277 | all or a substantial portion of the contents of the database. 278 | 279 | For the avoidance of doubt, this Section 4 supplements and does not 280 | replace Your obligations under this Public License where the Licensed 281 | Rights include other Copyright and Similar Rights. 282 | 283 | 284 | Section 5 -- Disclaimer of Warranties and Limitation of Liability. 285 | 286 | a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE 287 | EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS 288 | AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF 289 | ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS, 290 | IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION, 291 | WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR 292 | PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS, 293 | ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT 294 | KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT 295 | ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU. 296 | 297 | b. TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE 298 | TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, 299 | NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT, 300 | INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES, 301 | COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR 302 | USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN 303 | ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR 304 | DAMAGES. 
WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR 305 | IN PART, THIS LIMITATION MAY NOT APPLY TO YOU. 306 | 307 | c. The disclaimer of warranties and limitation of liability provided 308 | above shall be interpreted in a manner that, to the extent 309 | possible, most closely approximates an absolute disclaimer and 310 | waiver of all liability. 311 | 312 | 313 | Section 6 -- Term and Termination. 314 | 315 | a. This Public License applies for the term of the Copyright and 316 | Similar Rights licensed here. However, if You fail to comply with 317 | this Public License, then Your rights under this Public License 318 | terminate automatically. 319 | 320 | b. Where Your right to use the Licensed Material has terminated under 321 | Section 6(a), it reinstates: 322 | 323 | 1. automatically as of the date the violation is cured, provided 324 | it is cured within 30 days of Your discovery of the 325 | violation; or 326 | 327 | 2. upon express reinstatement by the Licensor. 328 | 329 | For the avoidance of doubt, this Section 6(b) does not affect any 330 | right the Licensor may have to seek remedies for Your violations 331 | of this Public License. 332 | 333 | c. For the avoidance of doubt, the Licensor may also offer the 334 | Licensed Material under separate terms or conditions or stop 335 | distributing the Licensed Material at any time; however, doing so 336 | will not terminate this Public License. 337 | 338 | d. Sections 1, 5, 6, 7, and 8 survive termination of this Public 339 | License. 340 | 341 | 342 | Section 7 -- Other Terms and Conditions. 343 | 344 | a. The Licensor shall not be bound by any additional or different 345 | terms or conditions communicated by You unless expressly agreed. 346 | 347 | b. Any arrangements, understandings, or agreements regarding the 348 | Licensed Material not stated herein are separate from and 349 | independent of the terms and conditions of this Public License. 350 | 351 | 352 | Section 8 -- Interpretation. 
353 | 354 | a. For the avoidance of doubt, this Public License does not, and 355 | shall not be interpreted to, reduce, limit, restrict, or impose 356 | conditions on any use of the Licensed Material that could lawfully 357 | be made without permission under this Public License. 358 | 359 | b. To the extent possible, if any provision of this Public License is 360 | deemed unenforceable, it shall be automatically reformed to the 361 | minimum extent necessary to make it enforceable. If the provision 362 | cannot be reformed, it shall be severed from this Public License 363 | without affecting the enforceability of the remaining terms and 364 | conditions. 365 | 366 | c. No term or condition of this Public License will be waived and no 367 | failure to comply consented to unless expressly agreed to by the 368 | Licensor. 369 | 370 | d. Nothing in this Public License constitutes or may be interpreted 371 | as a limitation upon, or waiver of, any privileges and immunities 372 | that apply to the Licensor or You, including from the legal 373 | processes of any jurisdiction or authority. 374 | 375 | 376 | ======================================================================= 377 | 378 | Creative Commons is not a party to its public 379 | licenses. Notwithstanding, Creative Commons may elect to apply one of 380 | its public licenses to material it publishes and in those instances 381 | will be considered the “Licensor.” The text of the Creative Commons 382 | public licenses is dedicated to the public domain under the CC0 Public 383 | Domain Dedication. 
Except for the limited purpose of indicating that 384 | material is shared under a Creative Commons public license or as 385 | otherwise permitted by the Creative Commons policies published at 386 | creativecommons.org/policies, Creative Commons does not authorize the 387 | use of the trademark "Creative Commons" or any other trademark or logo 388 | of Creative Commons without its prior written consent including, 389 | without limitation, in connection with any unauthorized modifications 390 | to any of its public licenses or any other arrangements, 391 | understandings, or agreements concerning use of licensed material. For 392 | the avoidance of doubt, this paragraph does not form part of the 393 | public licenses. 394 | 395 | Creative Commons may be contacted at creativecommons.org. 396 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Double Open Publications 2 | Double Open is a research project aiming to find out how to make open source compliance more open. This is where we publish our work as we go forward. 

--------------------------------------------------------------------------------
/Voice-of-Customer-Workshops/Double-Open-Voice-of-Customer-Workshops-Report-20190526.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/doubleopen-project/doubleopen-publications/d030fa30933cbb4b3e702840e2a847ae9a863797/Voice-of-Customer-Workshops/Double-Open-Voice-of-Customer-Workshops-Report-20190526.pdf
--------------------------------------------------------------------------------
/Voice-of-Customer-Workshops/Readme.md:
--------------------------------------------------------------------------------
# Voice-of-Customer Workshops 2019

The Voice-of-Customer workshops were carried out to understand the open source compliance operations of Validos members within their software development and maintenance processes.

The workshops set out to define the current state and the dream state of the organizations. The results are to complement the development of the Double Open Concept.

The results are published under the CC-BY-4.0 license.

--------------------------------------------------------------------------------
/publication.md:
--------------------------------------------------------------------------------
# Double Open Landscape Survey

| Version     | Date       |
|-------------|------------|
| Version 1   | 2019-02-15 |
| Version 1.5 | 2019-08-23 |

___

## Table of Contents
[Introduction](#introduction)

[Open Compliance Initiatives](#open-compliance-initiatives)
* [ClearlyDefined](#clearlydefined)
* [Eclipse Oscano](#eclipse-oscano)
* [Automated Compliance Tooling ACT](#automated-compliance-tooling-act)
* [OpenChain](#openchain)
* [Sharing-creates-value](#sharing-creates-value)

[FOSS tools](#foss-tools-for-open-source-compliance)
* [Bang](#bang)
* [Fossology](#fossology)
* [ScanCode toolkit](#scancode-toolkit)
* [AboutCode toolkit](#aboutcode-toolkit)
* [Deltacode](#deltacode)
* [AboutCode Manager](#aboutcode-manager)
* [TraceCode toolkit](#tracecode-toolkit)
* [OSS Discovery by OpenLogic](#oss-discovery-by-openlogic)
* [Licensee.js](#licenseejs)
* [Ninka](#ninka)
* [Eclipse SW360](#eclipse-sw360)
* [Eclipse SW360antenna](#eclipse-sw360antenna)
* [OSS Review Toolkit ORT](#oss-review-toolkit-ort)
* [license-compatibility-checker](#license-compatibility-checker)
* [The Quartermaster Project QMSTR](#the-quartermaster-project-qmstr)
* [Open Source License Checklists by OSADL](#open-source-license-checklists-by-osadl)
* [Apache Rat](#apache-rat)
* [Apache Tentacles](#apache-tentacles)
* [Apache Whisker](#apache-whisker)
* [Cregit](#cregit)
* [OSS Attribution Builder](#oss-attribution-builder)
* [OSSPolice](#osspolice)
* [CLIPol](#cippic-licensing-information-project-for-open-licences-clipol)
* [Tern](#tern)
* [SPDX Tools](#spdx-tools)
* [SPDX Maven Plugin](#spdx-maven-plugin)
* [REUSE](#reuse-software)

[Uncategorized FOSS resources](#uncategorized-foss-resources)
* [Software Heritage](#software-heritage)
* [Debian Sources](#debian-sources)
* [mgmtconfig](#mgmtconfig)

[Commercial Tools](#commercial-tools-for-open-source-compliance)

[Development Tooling and Technologies](#development-tooling-and-technologies)
* [Request and Incident Management](#request-and-incident-management)
* [Integrated Development Environments](#integrated-development-environments)
* [Source Code Management and SCM Services](#source-code-management-and-scm-services)
* [Continuous Integration and Deployment](#continuous-integration-and-deployment)
* [Build Tools, Frameworks and Dependency Management](#build-tools-frameworks-and-dependency-management)
* [Package Indexes and Repositories](#package-indexes-and-repositories)
* [Document Management](#document-management)
* [Testing Frameworks](#testing-frameworks)
* [Container Technologies](#container-technologies)

[SPDX Implementation](#spdx-implementation)
* [ScanCode-process](#scancode-process)
* [Fossology-process](#fossology-process)
* [Material on how the tools work](#material-on-how-the-tools-work)

[Double Open Short Ecosystem Survey 2019](#double-open-short-ecosystem-survey-2019)

[Voice-of-Customer Workshops 2019](#voice-of-customer-workshops-2019)

---

## Introduction

Open source software has eaten the world, but organizations are still struggling with effective compliance. Open source software is heterogeneous and re-used, which, while positive for software development, creates a challenge for compliance. Compliance requires multiple tools, and these should ideally be combined into a workflow that supports a number of business and developer requirements. One of the requirements is ease of use in a modern development environment, where code development cycles are getting ever shorter and new development results are pushed to operations ever faster. For this to work, open source compliance tools likely need to integrate with development tooling.

In the following report some of these tools are listed with information on their main license, website and a summary of their features, based on accounts by the projects. The report has been crafted to map out the wide range of open source tools that one might use to help keep their open source software compliant. However, this report, wide-ranging as it is, is not exhaustive. The report includes FOSS tools as well as a few commercial tools. It also has a section for Open Source Initiatives and Development Environments, as these are also important on the way towards automated open compliance with open tooling and open data.

This report will be complemented based on an ecosystem survey and on practical testing of the most popular open source tools.

This report is part of the first work package in the Double Open project. See [doubleopen.org](https://doubleopen.org) for more details.

---

## Open Compliance Initiatives

### ClearlyDefined
#### Website

[ClearlyDefined.io](https://clearlydefined.io/)

ClearlyDefined on [GitHub](https://github.com/clearlydefined/clearlydefined)

#### Summary

ClearlyDefined is a community / contributor powered project whose goals are:
1. Raise awareness about the lack of clarity around licenses and security vulnerabilities within FOSS project teams
2. Automatically harvest data from projects
3. Make it easy for anyone to contribute missing information
4. Crowd-source the curation of these contributions
5. Feed curated contributions back to the original projects

ClearlyDefined provides a mechanism for harvesting available data using tools such as ScanCode and FOSSology, and facilitates crowd-sourcing the curation of that information when ambiguities or gaps arise. The ultimate goal of harvesting and curation is to contribute any new-found clarity (e.g., new licenses found) to the upstream projects so they can include the updates in their next release. The project currently focuses on clarifying individual projects' license, source code location and copyright holders, but sees security, accessibility, and internationalization as important parts of the ClearlyDefined ecosystem.

### Eclipse Oscano
#### Website

[Eclipse Oscano](https://projects.eclipse.org/proposals/eclipse-oscano)

#### Summary

The mission of the Oscano project is to solve the problem of scaling software composition analysis (SCA) to modern needs with an Open Source approach. The Eclipse Oscano project provides a complete software composition analysis solution, focused on compliance and security, that can be installed on a cloud, local server, or workstation environment. To achieve this, existing OSS components will be reviewed by the project team for possible integration into the Oscano stack, and capabilities that do not yet exist will be built and integrated. Main use cases of Oscano include Open Source license compliance management, open source inventory management, vulnerability remediation automation and software analysis reporting.

The solution is designed to meet the challenge of the massively increasing scale and continuous nature of building and releasing modern software systems. It addresses the scaling problem through four principal means:

1. Continuous and fully automated operation cycle from new code commit to analysis, scan and action
2. Maximum engagement of developers in the software analysis and management use cases for direct and early troubleshooting
3. Risk-based smart analysis of compliance and vulnerability issues
4. Maximum re-use of pre-scanned open source software data.

### Automated Compliance Tooling ACT
#### Website
[ACT](https://www.linuxfoundation.org/press-release/2018/12/the-linux-foundation-to-launch-new-tooling-project-to-improve-open-source-compliance/)

#### Summary
ACT is a Linux Foundation project. The goal is to consolidate investment in, and increase interoperability and usability of, open source compliance tooling, which helps organizations manage compliance obligations. ACT also welcomes two new projects to be hosted at The Linux Foundation as part of the initiative, in addition to two existing Linux Foundation projects that will become part of the new project. The new projects are complementary to existing Linux Foundation compliance projects such as OpenChain, which identifies key recommended processes to make open source license compliance simpler and more consistent, and the Open Compliance Program, which educates and helps developers and companies understand their license requirements and how to build efficient, frictionless and often automated processes to support compliance.

The four projects that will be part of ACT are:
* FOSSology
* QMSTR
* SPDX Tools
* Tern

### OpenChain
#### Website
[OpenChain](https://www.openchainproject.org/)

#### Summary
OpenChain is a project hosted by the Linux Foundation. It answers the question: "How do I trust my open source supply chain?" It provides a framework for shared, compliant use of FOSS. Conforming companies create an environment that supports use of FOSS internally and sharing of FOSS with partners. The [OpenChain Specification](https://www.openchainproject.org/spec) defines a core set of requirements every quality compliance program must satisfy. [OpenChain Conformance](https://www.openchainproject.org/conformance) allows organizations to display their adherence to these requirements. The [OpenChain Curriculum](https://www.openchainproject.org/curriculum) supports this process by providing extensive reference material for effective open source training and management. The result is that open source license compliance becomes more predictable, understandable and efficient for all participants in the software supply chain.

### Sharing-creates-value
#### Website
[Sharing-creates-value](https://github.com/Open-Source-Compliance/Sharing-creates-value)

#### Summary
This is a GitHub repository hosted by Siemens. Sharing creates value strives to lower the effort required for license compliance work for all who want to use OSS in a license-compliant way. To achieve this, Sharing creates value will develop, share and improve the artifacts needed to fulfill the requirements of the different Free and Open Source Software licenses by applying Open Source Software development principles.

Another objective of Sharing creates value is very close collaboration with the OSS community in order to fix detected "bugs" in licensing, as well as introducing the information needed for license compliance activities into the Open Source projects, i.e. providing its analysis work to the OSS projects.

Last but not least, Sharing creates value supports tools which will help automate and reduce effort in component management, license identification and OSS license compliance activities.

Sharing creates value wants to be the platform that provides all information and artifacts for OSS license compliance.

---

## FOSS tools for open source compliance

### Bang
#### Website
[Bang](https://github.com/armijnhemel/binaryanalysis-ng)
#### Main License
[AGPL-3.0](https://www.gnu.org/licenses/agpl-3.0.txt)
#### Summary
Binary Analysis Next Generation, or BANG, is a tool for analyzing binary files. Currently its main goal is to find out very quickly what binary files, such as firmware updates, contain, and to make the information extracted from the contents available for further analysis, such as license compliance, security research or composition analysis. It supports around 130 different file formats, which can be detected, unpacked and labeled.

### Fossology
#### Website
[Fossology](https://www.fossology.org/)
#### Main License
[GPL-2.0](https://www.gnu.org/licenses/old-licenses/gpl-2.0.html)
#### Summary
Fossology is a scanning tool for license, copyright and export control scans. In one click you can generate an SPDX file, or a ReadMe with all the copyright notices from your software. It provides a Web UI and a database for a compliance workflow. To scan, a package must be uploaded to the server. The scanners provided are Monk, Nomos and Ninka. It has version control on scanned packages, so when scanning a newer version of a previously scanned package, only changed files are rescanned.

### ScanCode toolkit
#### Website
[ScanCode](https://www.aboutcode.org/)
#### Main License
[Apache-2.0](https://www.apache.org/licenses/LICENSE-2.0)
#### Summary
ScanCode is a suite of command line utilities to reliably scan a codebase for licenses, copyrights, package manifests and direct dependencies, and other interesting origin and licensing information discovered in source and binary code files. ScanCode provides comprehensive scan results that you can save as JSON, HTML, CSV or SPDX. As a command line application returning JSON, ScanCode is easy to integrate into a code analysis pipeline and CI/CD.

### AboutCode toolkit
#### Website
[AboutCode](https://www.aboutcode.org/)
#### Main License
[Apache-2.0](https://www.apache.org/licenses/LICENSE-2.0)
#### Summary
The AboutCode Toolkit and ABOUT files provide a simple way to document the origin, license, usage and other important or interesting information about third-party software components that you use in your project. In addition, this tool is able to generate attribution notices and identify redistributable source code used in your project.

### Deltacode
#### Website
[AboutCode](https://www.aboutcode.org/)
#### Main License
[Apache-2.0](https://www.apache.org/licenses/LICENSE-2.0)
#### Summary
DeltaCode allows you to easily compare ScanCode scans for two versions of a package, component, codebase or product in order to quickly identify possible changes, with a focus on identifying license changes. DeltaCode reports matching files with a score and a list of factors that contribute to that score.

You can use DeltaCode with ScanCode to identify and track license and related changes in open source or third party software packages or components from release to release.

### AboutCode Manager
#### Website
[AboutCode](https://www.aboutcode.org/)
#### Main License
[Apache-2.0](https://www.apache.org/licenses/LICENSE-2.0)
#### Summary
AboutCode Manager provides an advanced visual UI to help you quickly evaluate license and other notices identified by ScanCode and record your conclusion about the effective license(s) for a component.

AboutCode Manager is based on Electron and is the primary desktop/GUI tool for using nexB’s AboutCode tools.

### TraceCode toolkit
#### Website
[AboutCode](https://www.aboutcode.org/)
#### Main License
[Apache-2.0](https://www.apache.org/licenses/LICENSE-2.0)
#### Summary
TraceCode Toolkit helps you determine which components are actually distributed or deployed for your product. This is essential information for determining your open source license obligations, because many are only triggered by distribution or deployment.

TraceCode Toolkit is a tool to analyze the traced execution of a build, so you can learn which files are built into binaries and ultimately deployed in your distributed software.

### OSS Discovery by OpenLogic
#### Website
[OSS Discovery](http://ossdiscovery.sourceforge.net/)
#### Main License
[GPL-3.0](https://www.gnu.org/licenses/gpl-3.0.html)
#### Summary
OSS Discovery finds the open source software embedded in applications and installed on computers. It is a scanning tool which gives human-readable and machine-readable results.

### Licensee.js
#### Website
[Licensee.js](https://github.com/jslicense/licensee.js)
#### Main License
[Apache-2.0](https://www.apache.org/licenses/LICENSE-2.0)
#### Summary
Licensee.js is a command line utility to check npm package dependency license metadata against rules. It uses SPDX license expressions and a whitelist to capture packages that are under a different license than the whitelisted ones.

### Ninka
#### Website
[Ninka](http://ninka.turingmachine.org/)
#### Main License
[GPL-2.0](https://www.gnu.org/licenses/old-licenses/gpl-2.0.html)
#### Summary
Ninka is a lightweight license identification tool for source code. It is sentence-based, and provides a simple way to identify open source licenses in a source code file. It is capable of identifying several dozen different licenses (and their variations).

### Eclipse SW360
#### Website
[Eclipse SW360](https://projects.eclipse.org/projects/technology.sw360)
#### Main License
[EPL-1.0](https://www.eclipse.org/org/documents/epl-v10.php)
#### Summary
A software catalogue application designed to provide a central place for sharing information about software components used by an organization. It is designed to neatly integrate into existing infrastructures related to the management of software artifacts and projects by providing separate backend services for distinct tasks and a set of portlets to access these services. It has connectors to interact with external systems such as code scan tools. Thus far the project has not provided download information.

### Eclipse SW360antenna
#### Website
[Eclipse SW360antenna](https://projects.eclipse.org/projects/technology.sw360.antenna)
#### Main License
[EPL-2.0](https://www.eclipse.org/legal/epl-2.0/)
#### Summary
Eclipse SW360antenna is a tool to automate your open source license compliance processes as much as possible. In the end that means:
* collecting all compliance-relevant data,
* processing that data and warning if there might be any license compliance related issues, and
* generating a set of compliance artifacts (source code bundle, disclosure document, report)

for your project.

### OSS Review Toolkit ORT
#### Website
[ORT](https://github.com/heremaps/oss-review-toolkit)
#### Main License
[Apache-2.0](https://www.apache.org/licenses/LICENSE-2.0)
#### Summary
ORT verifies free and open source software license compliance by checking source code and dependencies. It works by analyzing the source code for dependencies, downloading the source code of the dependencies, scanning all source code for license information, and summarizing the results. The different tools that make up ORT are designed as libraries (for programmatic use) with a minimal command line interface (for scripted use). Currently the report formats are Excel sheet, NOTICE file, static HTML and Web App.

### license-compatibility-checker
#### Website
[license-compatibility-checker](https://github.com/HansHammel/license-compatibility-checker#readme)
#### Main License
[MIT](https://opensource.org/licenses/MIT)
#### Summary
Checks npm dependencies' package.json files for license compatibility based on SPDX standards. Claimed to be a work in progress, but gives a simple comparison of the licenses in the package with an explanation of how permissive each license is (Permissive > Weakly Protective > Strongly Protective > Network Protective). Shows potential incompatibilities with a color scheme.

### The Quartermaster Project QMSTR
#### Website
[QMSTR](https://qmstr.org/)
#### Main License
[GPL-3.0](https://www.gnu.org/licenses/gpl-3.0.html)
#### Summary
Quartermaster is a suite of command line tools and build system extensions that instruments software builds to create FOSS compliance documentation and support compliance decisions. Quartermaster runs adjacent to a software build process. A master process collects information about the software that is built. Once the build is complete, the master executes a number of analysis tools, and finally a number of reporters. All modules are executed in the context of the master, not the build machine. The master ships all dependencies of the modules without affecting the build client's file system (it runs in a container).
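The Licensee.js and license-compatibility-checker entries above describe the same basic check: evaluate each npm dependency's SPDX license expression against an allowlist and grade whatever falls outside it. The JavaScript below is an added illustration of that check, not code from either project or from Double Open; the dependency records, the allowlist and the tier assignments are constructed for the example.

```javascript
// Tiers named by license-compatibility-checker, least to most restrictive; the
// per-license assignments are constructed for this example, not the project's.
const TIERS = ['Permissive', 'Weakly Protective', 'Strongly Protective', 'Network Protective'];
const CATEGORY = {
  MIT: 'Permissive', ISC: 'Permissive', 'BSD-3-Clause': 'Permissive', 'Apache-2.0': 'Permissive',
  'LGPL-2.1-only': 'Weakly Protective', 'MPL-2.0': 'Weakly Protective',
  'GPL-2.0-only': 'Strongly Protective', 'GPL-2.0-or-later': 'Strongly Protective',
  'GPL-3.0-only': 'Strongly Protective', 'AGPL-3.0-only': 'Network Protective',
};

// SPDX accepts the deprecated "+" suffix as a synonym for "-or-later".
const normalize = (id) => (id.endsWith('+') ? `${id.slice(0, -1)}-or-later` : id);

// Identifiers, AND/OR/WITH keywords and parentheses; any other character makes the expression invalid.
function tokenize(expr) {
  const tokens = expr.match(/\(|\)|[A-Za-z0-9.+-]+/g) || [];
  if (tokens.join('') !== expr.replace(/\s+/g, '')) throw new Error(`invalid SPDX expression: ${expr}`);
  return tokens;
}

// Recursive-descent parser with SPDX precedence (WITH binds tightest, then AND, then OR).
// Nodes are {type:'id', id} or {type:'and'|'or', left, right}.
function parse(expr) {
  const tokens = tokenize(expr);
  let pos = 0;
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];
  const isKeyword = (t) => t === undefined || [')', 'AND', 'OR', 'WITH'].includes(t);
  function primary() {
    const tok = next();
    if (tok === '(') {
      const node = orExpr();
      if (next() !== ')') throw new Error(`missing ')' in: ${expr}`);
      return node;
    }
    if (isKeyword(tok)) throw new Error(`unexpected token ${tok} in: ${expr}`);
    let id = normalize(tok);
    if (peek() === 'WITH') { // e.g. "GPL-2.0-only WITH Classpath-exception-2.0"
      next();
      if (isKeyword(peek())) throw new Error(`missing exception after WITH in: ${expr}`);
      id = `${id} WITH ${next()}`;
    }
    return { type: 'id', id };
  }
  function andExpr() {
    let left = primary();
    while (peek() === 'AND') { next(); left = { type: 'and', left, right: primary() }; }
    return left;
  }
  function orExpr() {
    let left = andExpr();
    while (peek() === 'OR') { next(); left = { type: 'or', left, right: andExpr() }; }
    return left;
  }
  const tree = orExpr();
  if (pos !== tokens.length) throw new Error(`trailing tokens in: ${expr}`);
  return tree;
}

// Leaf licenses that keep the expression from being satisfiable under the allowlist; an
// empty result means acceptable. Both sides of an AND must pass; one branch of an OR suffices.
function offendingIds(node, allow) {
  if (node.type === 'id') return allow.has(node.id) ? [] : [node.id];
  const left = offendingIds(node.left, allow);
  const right = offendingIds(node.right, allow);
  if (node.type === 'and') return [...left, ...right];
  return left.length === 0 || right.length === 0 ? [] : [...left, ...right];
}

function worstCategory(ids) {
  const worst = Math.max(-1, ...ids.map((id) => TIERS.indexOf(CATEGORY[id] || 'Unknown')));
  return TIERS[worst] || 'Unknown';
}

// deps: relevant fields of node_modules/*/package.json; one finding per missing, unparsable or disallowed license.
function checkDependencies(deps, allowlist) {
  const allow = new Set(allowlist.map(normalize));
  const findings = [];
  const report = (dep, offending, reason) => findings.push({
    package: `${dep.name}@${dep.version}`, license: dep.license ?? null,
    offending, category: worstCategory(offending), reason,
  });
  for (const dep of deps) {
    if (typeof dep.license !== 'string' || dep.license.trim() === '') { report(dep, [], 'no license field'); continue; }
    try {
      const ids = offendingIds(parse(dep.license), allow);
      if (ids.length > 0) report(dep, ids, 'not in allowlist');
    } catch (err) { report(dep, [], err.message); }
  }
  return findings;
}

// Constructed dependency records and allowlist for the example.
const SAMPLE_DEPENDENCIES = [
  { name: 'left-pad', version: '1.3.0', license: 'WTFPL' },
  { name: 'dual-licensed', version: '2.0.0', license: '(MIT OR GPL-3.0-only)' },
  { name: 'copyleft-lib', version: '0.4.1', license: 'GPL-2.0+' },
  { name: 'mixed-bundle', version: '5.1.0', license: 'Apache-2.0 AND LGPL-2.1-only' },
  { name: 'network-svc', version: '1.0.0', license: 'AGPL-3.0-only' },
  { name: 'no-metadata', version: '0.0.1' },
  { name: 'broken-expr', version: '1.0.0', license: 'MIT AND' },
];
const DEFAULT_ALLOWLIST = ['MIT', 'ISC', 'BSD-3-Clause', 'Apache-2.0', 'LGPL-2.1-only'];
```

Running `checkDependencies(SAMPLE_DEPENDENCIES, DEFAULT_ALLOWLIST)` flags five of the seven records: the dual-licensed package passes through its MIT branch and the Apache-2.0 AND LGPL-2.1-only bundle passes because both parts are allowed.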
292 | 293 | ### Open Source License Checklists by OSADL 294 | #### Website 295 | [Open Source License Checklists](https://www.osadl.org/Open-Source-License-Checklists.oss-compliance-lists.0.html) 296 | #### Main License 297 | Unidentified 298 | #### Summary 299 | A project to create and disseminate generally accepted rules to fulfill the obligations when distributing software that is licensed under commonly used Open Source licenses. The goal of this project is to create checklists for the most frequently used and the most important Open Source licenses and to provide assistance tools for the determination of differences between them. 300 | 301 | ### Apache Rat 302 | #### Website 303 | http://creadur.apache.org/rat/ 304 | #### Main License 305 | [Apache-2.0](https://www.apache.org/licenses/LICENSE-2.0) 306 | #### Summary 307 | Apache Rat is a release audit tool, focused on licenses. Coded in Java, it runs from the command line with plugins for Maven and Ant. Rat is extensible. It is part of the Apache Creadur project. 308 | 309 | ### Apache Tentacles 310 | #### Website 311 | [Apache Tentacles](http://creadur.apache.org/tentacles/) 312 | #### Main License 313 | [Apache-2.0](https://www.apache.org/licenses/LICENSE-2.0) 314 | #### Summary 315 | Apache Tentacles helps the reviewer by automating interactions with the repository containing the artifacts comprising the release. Apache Tentacles simplifies the job of reviewing repository releases consisting of large numbers of artifacts. Coded in Java, it runs from the command line. 316 | 317 | ### Apache Whisker 318 | #### Website 319 | [Apache Whisker](http://creadur.apache.org/whisker/) 320 | #### Main License 321 | [Apache-2.0](https://www.apache.org/licenses/LICENSE-2.0) 322 | #### Summary 323 | Apache Whisker assists assembled applications maintain correct legal documentation. 
324 | 325 | Whisker can 326 | * verify - checking meta-data quality against a distribution 327 | * generate - legal documents from meta-data 328 | 329 | Particular useful for complex assembled applications. 330 | 331 | ### Cregit 332 | #### Website 333 | [Cregit](https://github.com/cregit/cregit) 334 | #### Main License 335 | [GPL-3.0](https://www.gnu.org/licenses/gpl-3.0.html) 336 | #### Summary 337 | Cregit identifies the contributors of source code. The cregit version of a source file has two interactive features: 338 | * Mouse-over: you will get a summary of the information of the commit that added this token. This information is: 339 | * Its commit id 340 | * Its git-author (the value of the Author field of the commit) 341 | * Its git-author-date (the value of the field Author Date of the commit) 342 | * Summary log of the commit 343 | * Left-click on a token will open a new window with the details of the commit (in github). You can keep this window open and it will keep reloading the files. 344 | 345 | ### OSS Attribution Builder 346 | #### Website 347 | [OSS Attribution Builder](https://github.com/amzn/oss-attribution-builder) 348 | #### Main License 349 | [Apache-2.0](https://www.apache.org/licenses/LICENSE-2.0) 350 | #### Summary 351 | OSS Attribution Builder is a website that helps teams create attribution documents for software products. 352 | 353 | ### OSSPolice 354 | #### Website 355 | [OSSPolice](https://github.com/osssanitizer/osspolice) 356 | #### Main License 357 | [GPL-3.0](https://www.gnu.org/licenses/gpl-3.0.html) 358 | #### Summary 359 | OSSPolice is a risk assessment service for developers that can quickly identify potential free software license violations and known n-day security vulnerabilities in their apps. 360 | 361 | ### CIPPIC Licensing Information Project for Open Licences CLIPol 362 | #### Website 363 | [CLIPol](http://www.clipol.org/) 364 | As of 03.06.2019 the website is down. 
An inquiry has been made as to whether the project is still maintained.
#### Main License
[BSD-2-Clause](https://opensource.org/licenses/BSD-2-Clause)
#### Summary
CLIPol is a web platform, maintained by the Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic, a public interest technology law clinic at the Faculty of Law, Common Law Section, University of Ottawa, designed to serve useful information about open data licences, open content licences, and open source software. It consists of:
* a database of machine-readable information on the rights, restrictions and obligations in different licences;
* an API for retrieving this information;
* a web-accessible site for viewing this information in a user-friendly way (avoiding legalese); and
* a set of web apps built on top of this information (currently consisting of a compatibility-checking tool and a text-comparison tool).

### Tern
#### Website
[Tern](https://github.com/vmware/tern)
#### Main License
[BSD-2-Clause](https://opensource.org/licenses/BSD-2-Clause)
#### Summary
Tern is a software package inspection tool for containers, written in Python, that finds the metadata of the packages installed in a container image. It works as follows:
1. It uses overlayfs to mount the first filesystem layer in a container image.
2. It then executes scripts from the "command library" in a chroot environment to collect information about packages installed in that layer.
3. With that information as a base, it repeats steps 1 and 2 for the rest of the layers in the container image.
4. Once done, it generates a report in different formats. The default report is a verbose explanation of which layers brought in which software components. If a Dockerfile is provided, it also reports which lines in the Dockerfile were used to create the layers.

### SPDX Tools
#### Website
[SPDX Tools](https://spdx.org/tools)
#### Main License
[Apache-2.0](https://www.apache.org/licenses/LICENSE-2.0.txt)
#### Summary
The consolidated SPDX workgroup tool provides translation, comparison, and verification functionality in a single download. The tool is a Java command line utility.

The following functions are available:

* TagToSpreadsheet - Convert a tag format input file to a spreadsheet output file
* TagToRDF - Convert a tag format input file to an RDF format output file
* RdfToTag - Convert an RDF format input file to a tag format output file
* RdfToHtml - Convert an RDF format input file to an HTML web page output file
* RdfToSpreadsheet - Convert an RDF format input file to a spreadsheet format output file
* SpreadsheetToRDF - Convert a spreadsheet input file to an RDF format output file
* SpreadsheetToTag - Convert a spreadsheet input file to a tag format output file
* SPDXViewer - Display an SPDX document input file (in either tag/value or RDF format)
* CompareMultipleSpdxDocs - Compare multiple SPDX documents (in either tag/value or RDF format) and output to a spreadsheet
* CompareSpdxDocs - Compare two SPDX documents (in either tag/value or RDF format)
* GenerateVerificationCode - Generate a Verification Code from a directory of files

### SPDX Maven Plugin
#### Website
[SPDX Maven Plugin](https://github.com/spdx/spdx-maven-plugin)
#### Main License
[Apache-2.0](https://www.apache.org/licenses/LICENSE-2.0.txt)
#### Summary
SPDX Maven Plugin is a plugin for Maven which produces Software Package Data Exchange (SPDX) documents for the artifacts described in the POM file.

### REUSE
#### Website
[REUSE](https://reuse.software/)
#### Main License
[CC-BY-SA-4.0](https://creativecommons.org/licenses/by-sa/4.0/legalcode)
#### Summary
REUSE is an initiative to provide a set of recommendations that make licensing your free software projects easier. REUSE provides [tools](https://reuse.software/dev/) that help the developer adopt the said recommendations. REUSE is an initiative of the [FSFE](https://fsfe.org) and uses SPDX as its standard practice. It asks adopters to

1. choose and provide licenses,
2. add copyright and licensing information to every file,
3. confirm REUSE compliance with a single tool command or the [REUSE API](https://api.reuse.software).

---

## Uncategorized FOSS resources
To be possibly categorized elsewhere.
### Software Heritage
#### Website
[Software Heritage](https://www.softwareheritage.org/)
#### Summary
Software Heritage collects and preserves software in source code form. "Software embodies our technical and scientific knowledge and humanity cannot afford the risk of losing it." As of 18 Feb 2019 they had some 88 million projects archived.

### Debian Sources
#### Website
[Debian Sources](https://sources.debian.org/)
#### Summary
A source code package repository for Debian sources. They also provide an API delivering JSON objects.

### mgmtconfig
#### Website
[mgmtconfig](https://github.com/purpleidea/mgmt/)
#### Summary
From GitHub pages: Next generation distributed, event-driven, parallel config management.

------------------------------------------------------

## Commercial Tools for Open Source Compliance
For the purposes of the project and this survey, the evaluation of commercial compliance tools is largely limited to listing known tools.
Some grouping has been done by the number of integrations each vendor advertises. All seem to offer a REST API to be used for further integrations. In addition to integrations, security vulnerability scanning seems to be part of these offerings, either as a product feature or as a sister product. The information has been gathered from the respective websites of every commercial tool provider.

**Extensive integrations (over 15 advertised integrations)**

[Flexera](https://www.flexera.com/)
[BlackDuck by Synopsys](https://www.blackducksoftware.com/black-duck-home)
[Fossa](https://fossa.com/)
[WhiteSource](https://www.whitesourcesoftware.com/)
[Nexus by Sonatype](https://www.sonatype.com/)
[OpenLogic by Rogue Wave Software](https://www.roguewave.com/)
[TrustSource](https://www.trustsource.io/)

**Some integrations (5-15 advertised integrations)**

[CAST Software Intelligence](https://www.castsoftware.com/)

**Few integrations (1-5 advertised integrations)**

[Anchore](https://anchore.com/)

**Integrations not specified**

[TripleCheck](http://triplecheck.tech/)
[DejaCode by NexB](https://www.nexb.com/index.html)
[FOSSID](https://fossid.com/)
[Insigniary](https://www.insignary.com/)

## Development Tooling and Technologies

### Request and Incident Management
* Polarion
* Team Foundation Server
* JIRA
* Github/Gitlab/other Git service

### Integrated Development Environments

* Eclipse
* Visual Studio
* Qt Creator
* Netbeans IDE
* JetBrains CLion
* JetBrains GoLand
* JetBrains IntelliJ IDEA
* JetBrains PhpStorm
* JetBrains PyCharm
* JetBrains Rider
* JetBrains RubyMine
* JetBrains WebStorm
* Android Studio

### Source Code Management and SCM services

* SVN
* Git
* GitLab
* Bitbucket
* GitHub

### Continuous Integration and Deployment

* Jenkins
* Team Foundation Server
* Bamboo
* TeamCity
* CircleCI
* Azure DevOps (formerly Team Services)
* Travis CI
* GitLab CI
* Concourse
* AWS CodeBuild
* Codeship
* Drone.io
* wercker
* Go.CD
* Semaphore
* Appveyor
* Buildkite
* Ansible
* Puppet

### Build Tools, Frameworks and Dependency Management

* Cmake
* Yocto / OpenEmbedded
* BitBake
* Visual Studio
* Apache Maven
* Gradle
* npm
* yarn
* pip / pipenv
* Conda
* Composer
* sbt
* Make
* Apache Ant
* Webpack

### Package Indexes and Repositories

* Go Search
* npm registry
* Packagist (the PHP Package Repository)
* Maven repositories
* PyPI (Python Package Index)
* RubyGems.org
* NuGet
* Bower
* CPAN
* Cargo (crates.io)
* PEAR (PHP Extension and Application Repository)
* PlatformIO registry
* Nexus Repository
* JFrog Artifactory

### Document Management

* Flowdock
* Confluence

### Testing Frameworks

* Robot Framework
* Cypress
* RedwoodHQ
* Selenium
* Serenity
* Citrus Framework
* TestRail
* qTest

### Container Technologies

* Docker
* Cloud Foundry
* Atomic
* OpenShift
* Kubernetes

---

## SPDX Implementation

**(SECTION UNDER WORK)**

One of the Double Open project's concerns for prospective concepts is the way data management is conducted. The question is, in what form should data be stored and distributed?
In this section we research the possibility of SPDX being the common data format. This format has not been challenged and has been widely accepted as the common format by the ecosystem.

Establishing a common data format for the whole ecosystem allows resources to be focused on license compliance itself. Therefore the data format should accurately communicate licensing information and make such information available in a consistent, understandable and re-usable way. When information is uniform with the information disseminated by other actors in the field, redundant work in determining software license information is reduced.

Standard formats allow tooling to be created for OSS compliance. The more precise and less open to interpretation the data format is, the more meticulous, efficient and capable the tools built around it can be. When researching possible automation of OSS compliance, the requirements on tools rise in every respect, especially when the precision of the results they present is under scrutiny. The only way to measure the number of false positives produced by scanning tools such as Fossology is a machine- and human-readable standard data format with substantial adoption and recognition across the ecosystem.

**What is SPDX?** SPDX, or the Software Package Data Exchange, is an open standard for communicating software bill of materials information (including components, licenses, copyrights and security references). It is an initiative hosted by the Linux Foundation whose goal is to develop an open standard format and supporting tools for communicating the licenses and copyrights associated with software packages.

SPDX has developed several pieces of collateral to help solve compliance issues.
They have issued the [SPDX License List](https://spdx.org/licenses/), the [SPDX Specification](https://spdx.org/spdx-specification-21-web-version) and [Source Identifiers](https://spdx.org/ids) for code.

**Implementation.** Based on the results of the Short Ecosystem Survey 2019, we have taken three tools/initiatives under scrutiny for this section. These three are:
1. Fossology;
2. ScanCode; and
3. ClearlyDefined.

### ScanCode-process

ScanCode is a standalone command line tool written in Python that scans components for licensing information. It compares the scanned component against a database of license texts. The results can be output as JSON, HTML, CSV or SPDX (tag/value and RDF). ScanCode runs on Linux, Mac and Windows. It has a plugin for defining license policies.

ScanCode is a widely integrated tool: it is found as the scanner in, for example, OSS Review Toolkit ORT and ClearlyDefined. The tool is in common use and the reports it produces are familiar to many. However, unlike the others, ScanCode does not extract files from archives. This means that a separate extraction step is needed, using the bundled extractcode utility or another tool (such as unzip).

The output file has a URL for the home page, the text and the SPDX page of each license. In addition, the output shows the SPDX short identifier (as spdx_license_key). ScanCode reads copyrights more accurately and produces a cleaner result than e.g. Fossology, which usually includes plenty of unnecessary information alongside the copyright texts.

Unlike Fossology, ScanCode does not have a UI. This makes data curation arduous and slow. However, AboutCode Manager, i.e. ScanCode Workbench, is a great utility for assessing the findings of a ScanCode scan in .json format.
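
As an added example (not code from this report or from ScanCode itself), the following Python reads a ScanCode JSON result of the kind described above, collects the spdx_license_key values and copyright statements, and lists the files a curator still has to decide on: matches whose ScanCode key has no SPDX identifier, matches below a score threshold, and copyright notices with no license text. The scan data and its field names are constructed and assumed, not a real spin.js result.

```python
"""Summarise a ScanCode JSON scan and list the findings a curator still has to resolve.

Added example; not code from the Double Open report or from ScanCode itself.
SAMPLE_SCAN is a constructed excerpt resembling ScanCode 2.x/3.x JSON output for a
small package such as spin.js; paths, scores, copyright holders and the version
string are made up, and the JSON field names used below are assumed.
"""
import json

# Constructed excerpt. Assumed fields: files[].path/type/licenses/copyrights and
# licenses[].key/score/spdx_license_key plus the three URLs the report mentions.
SAMPLE_SCAN = json.dumps({
    "scancode_version": "3.0.0-example",
    "files": [
        {"path": "spin.js-2.3.2", "type": "directory", "licenses": [], "copyrights": []},
        {"path": "spin.js-2.3.2/LICENSE", "type": "file",
         "licenses": [{"key": "mit", "score": 100.0, "spdx_license_key": "MIT",
                       "homepage_url": "http://opensource.org/licenses/mit-license.php",
                       "text_url": "http://opensource.org/licenses/mit-license.php",
                       "spdx_url": "https://spdx.org/licenses/MIT"}],
         "copyrights": [{"value": "Copyright (c) 2015 Example Author"}]},
        {"path": "spin.js-2.3.2/spin.js", "type": "file",
         "licenses": [{"key": "mit", "score": 100.0, "spdx_license_key": "MIT"}],
         "copyrights": [{"value": "Copyright (c) 2015 Example Author"}]},
        # A weak match whose ScanCode key has no SPDX counterpart: exactly the kind
        # of finding that cannot go into an SPDX document without human review.
        {"path": "spin.js-2.3.2/vendor/helper.js", "type": "file",
         "licenses": [{"key": "unknown-license-reference", "score": 55.0,
                       "spdx_license_key": None}],
         "copyrights": []},
        # A copyright notice with no license text at all also needs a decision.
        {"path": "spin.js-2.3.2/src/util.js", "type": "file", "licenses": [],
         "copyrights": [{"value": "Copyright (c) 2016 Another Author"}]},
        {"path": "spin.js-2.3.2/README.md", "type": "file", "licenses": [],
         "copyrights": []},
    ],
})


def load_scan(text):
    """Parse ScanCode JSON text; reject input that has no 'files' list."""
    scan = json.loads(text)
    if not isinstance(scan.get("files"), list):
        raise ValueError("not a ScanCode scan: missing 'files' list")
    return scan


def summarise(scan, min_score=80.0):
    """Return sorted 'spdx_ids', sorted 'copyrights' and (path, reason) tuples
    under 'needs_curation' for every finding a human still has to decide."""
    spdx_ids, copyrights, needs_curation = set(), set(), []
    for entry in scan["files"]:
        if entry.get("type") != "file":
            continue  # directory entries carry no findings of their own
        path = entry["path"]
        for c in entry.get("copyrights", []):
            if c.get("value"):
                copyrights.add(c["value"])
        matches = entry.get("licenses", [])
        for m in matches:
            spdx_key = m.get("spdx_license_key")
            if not spdx_key:  # ScanCode key outside the SPDX License List
                needs_curation.append(
                    (path, "license key '%s' has no SPDX identifier" % m.get("key")))
            elif m.get("score", 0.0) < min_score:  # partial text match only
                needs_curation.append(
                    (path, "%s matched with score %.1f, below %.1f" % (spdx_key, m["score"], min_score)))
            else:
                spdx_ids.add(spdx_key)
        if not matches and entry.get("copyrights"):
            needs_curation.append((path, "copyright statement but no license detected"))
    return {"spdx_ids": sorted(spdx_ids), "copyrights": sorted(copyrights),
            "needs_curation": needs_curation}


def concluded_expression(summary):
    """Join the confirmed SPDX identifiers into one SPDX license expression."""
    ids = summary["spdx_ids"]
    return " AND ".join(ids) if ids else "NOASSERTION"


if __name__ == "__main__":
    report = summarise(load_scan(SAMPLE_SCAN))
    print("Concluded license:", concluded_expression(report))
    for path, reason in report["needs_curation"]:
        print("CURATE %s: %s" % (path, reason))
```

Raising min_score makes the check stricter: at 100.5 even the exact MIT matches are sent to curation and the concluded expression falls back to NOASSERTION.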

### Fossology-process

Fossology is an open source license compliance software system and toolkit. In the making of this report, we ran Fossology as a system through its database and web UI (workflow). It can also be run as a toolkit from the command line to perform license, copyright and export control scans. This toolkit is also part of its workflow.

Fossology generates SPDX files or a ReadMe file. It has an integrated versioning feature named deduplication: you can scan an entire distro, later rescan a newer version, and only the changed files go through rescanning. If scanning is done continuously, e.g. when building software, this is a time-saving feature.

Fossology does have issues. For example, it gives out \*-style license flags when licenses are similar but not 100 % equivalent to the original license text. This is not aligned with the SPDX specifications. With the Monk (text scanner) and Nomos (regex scanner) scanning tools there are often two license hits within one file, of which one is a \*-style license and the other the originally intended license. Fossology also gives imprecise copyright information. The issue in Fossology is an abundance of information rather than a lack of it. This brings up false flags in copyrights and needs laborious cleaning if the curator wants to aggregate a clear end report. From the perspective of the legality of a notice file this is a non-issue: as long as the given information is valid and in the right places, the notice creation is successful even if the end result is sloppy.

Where Fossology stands out compared to the competition is the capability to curate data directly in the web UI with ease. With every scanner there are going to be red flags and otherwise false license findings. In Fossology the curator can conclude license findings directly in the UI, and the UI shows the curator which files are not yet curated.
It lets the curator apply a confirmed curation in bulk to other files, which expedites the curation process.

Fossology's value is in the ease of the curation process. There will always be cases where the scanner itself cannot be trusted 100 % and a human has to go through them. In those moments the Fossology web UI curation workflow is invaluable.

### Material on how the tools work

Package used: spin.js-2.3.2

**ScanCode full scan with an output file of .json.**

![Scancode-fullscan](/Images/ScanCode/spin.js-2.3.2-scancodefullscan.png)

**Picture showing the results that ScanCode Workbench, i.e. AboutCode Manager, can show.**

![Scancode-workbench-list](/Images/ScanCode/scancode-shownresults-workbench-spin.js-2.3.png)

**List of jobs Fossology goes through in the scanning process (Web UI).**

![Fossology-jobs](/Images/Fossology/spin.js-2.3.2-fossologyscan.png)

**The initial results of a Fossology scan.**

![Fossology-scan-results](Images/Fossology/spin.js-2.3.2-fossologyscanresults.png)

---

## Double Open Short Ecosystem Survey 2019

Double Open launched the Double Open Short Ecosystem Survey 2019 to accumulate real-life factual information from members of the open source ecosystem to investigate the existing landscape and popularity of open source compliance tools and development tools/technologies as well as open source initiatives.

The response quantity (28) to the survey was small to medium. However, the purpose of the survey was to explore the potential direction of the software industry and open source compliance. By reaching out to several compliance-related communities, we succeeded in getting answers from a group of persons within the industry who provide an interesting insight into the tooling used in and in relation to open source compliance.
61 per cent of the sample group were companies with over 1000 employees. Large companies are de facto influential in the OSS industry and also the ones with the most need for open source compliance. Therefore we deem the survey an overall success, and it gives valid information on e.g. integrations to all who wish to develop and contribute in open source.

Results show that the FOSS tools that received high numbers of mentions from the whole ecosystem are Fossology, ScanCode and the SPDX toolkit. These have existed for a long time and have established themselves as primary tools in OSS compliance. Besides, the tools have had the opportunity to improve over time to better serve the people and organizations who use them. Also, OSS Review Toolkit (ORT) got several replies even though it has not been officially published. ORT is one of the most automated compliance tools at the moment and will be of interest to the Double Open project.

The tools mentioned above will be our focus when we gather information for our concept.

For the full results and statistics of the survey please go to [Ecosystem Survey 2019](/Ecosystem-Survey-2019).

## Voice-of-Customer Workshops 2019

The Voice-of-Customer workshops were carried out to understand the open source compliance operations of Validos members within their software development and maintenance processes.

The workshops set out to define the current state and the dream state of the organizations. The results are to complement the development of the Double Open Concept.

The outcome was two-fold. On one side there was a requirement for enterprises to get an efficient toolchain which automates OSS compliance during the build pipeline of the software. On the other side, there was a requirement for enterprises to efficiently develop the OSS compliance competence of their personnel.
Both of these views should be addressed when researching issues and remedies regarding OSS compliance.

To sum up, we can see that the problems of OSS compliance within organizations fall into two categories. Firstly, compliance is considered difficult, laborious and time-consuming for the lack of a toolchain that could manage everything required for the software release to be compliant. Secondly, compliance is disregarded due to lack of motivation (i.e. not understanding the importance) or the lack of competence to assess compliance information.

The Double Open project will research ways to remedy the said issues. The research will feed into the concept design of Double Open. The project aims to complete a proof of concept for each of the two issues separately.

For the underlying report of the work package regarding Voice-of-Customer workshops, please see [Voice-of-Customer Workshops](/Voice-of-Customer-Workshops).