Issue created Feb 19, 2021 by Cedric Thomas (@cedric)

(Trust Goal) Manage software dependencies

Description

A dependency identification programme looks for the dependencies actually used within the code base. To that end, the organisation must establish and maintain a list of known dependencies for its code base and watch the evolution of the identified providers.

Establishing and maintaining a list of known dependencies is an enabler for, and a prerequisite to:

  • IP and licence checking: some licences cannot be mixed, even as a dependency. One has to know one's dependencies to assess the associated legal risks.
  • Vulnerability management: the entire piece of software is only as strong as its weakest part (see the example of the Heartbleed flaw). One has to know one's dependencies to assess the associated security risks.
  • Lifecycle and sustainability: an active community on the dependency project is a good sign for bug fixes, optimisations, and new features.
  • Thoughtful selection of dependencies according to "maturity" criteria, the goal being to use open source components that are safe, with a sane and well-maintained code base and a living, active and responsive community that accepts external contributions.

Opportunity Assessment

Identifying and tracking dependencies is a required step to mitigate the risks associated with any code reuse. In addition, implementing tools and processes to manage software dependencies is a prerequisite to properly manage quality, compliance, and security.

Consider the following questions:

  • What is the company's risk (cost, reputation, etc.) if the software is corrupted or attacked, or if the company is sued?
  • Is the code base considered critical for people, the organisation, or business?
  • What if a component upon which an application depends changes its repository?

The minimal first step is to implement a software composition analysis (SCA) tool. Support from specialised consulting firms may be required for a full-fledged SCA or dependency mapping.

Progress Assessment

The following verification points demonstrate progress in this activity:

  • Dependencies are identified in all in-house developed code.
  • Dependencies are identified in all external code executed within the company.
  • An easy-to-setup software composition analysis or dependency identification procedure is available for projects to add to their Continuous Integration process.
  • Dependency analysis tools are used.

Tools

  • OWASP Dependency-Check: a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project's dependencies.
  • OSS Review Toolkit: a suite of tools to assist with reviewing Open Source Software dependencies.
  • Fossa: fast, portable and reliable dependency analysis. Supports licence & vulnerability scanning. Language-agnostic; integrates with 20+ build systems.
  • Software 360.
  • Eclipse Dash license tool: takes a list of dependencies and requests ClearlyDefined to check their licences.

Recommendations

  • Conduct regular audits about the dependencies and IP requirements to mitigate legal risks.
  • Ideally, integrate dependency management into the Continuous Integration process so that issues (new dependency, licence incompatibility) are identified and fixed as soon as possible.
  • Keep track of dependency-related vulnerabilities, keep users and developers informed.
  • Inform people about the risks associated with wrong licencing.
  • Propose an easy solution for projects to set up licence checking on their codebase.
  • Communicate its importance and help projects add it to their CI systems.
  • Set up a visible KPI for dependency-related risks.
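As an added illustration of the inventory and CI recommendations above (this is example code, not part of the GGI activity text or any tool listed on this page), the following Python script compares a pinned lockfile against a maintained dependency inventory and a licence allow-list, and reports new dependencies, version changes and licence violations so that a CI job can fail until the inventory is reviewed. The lockfile contents, inventory entries, package names and the allowed-licence set are all constructed for the example.

```python
import re
import sys
from dataclasses import dataclass, field

# Constructed pinned lockfile (pip requirements style, name==version).
# Every package name and version here is made up for the example.
LOCKFILE = """\
requests==2.31.0
urllib3==2.0.7
leftpad-clone==0.1.0   # not yet reviewed: absent from the inventory
cryptography==41.0.5
example-gpl-lib==3.2.1
"""

# Constructed inventory: dependencies the organisation has already reviewed,
# with the version that was reviewed and the licence (SPDX expression) found.
INVENTORY = {
    "requests":        {"version": "2.31.0",  "license": "Apache-2.0"},
    "urllib3":         {"version": "1.26.18", "license": "MIT"},
    "cryptography":    {"version": "41.0.5",  "license": "Apache-2.0 OR BSD-3-Clause"},
    "example-gpl-lib": {"version": "3.2.1",   "license": "GPL-3.0-only"},
}

# Hypothetical licence policy: SPDX identifiers accepted in shipped code.
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause"}

# name==version, tolerating surrounding whitespace and a trailing comment.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s#]+)")


def parse_lockfile(text):
    """Return {name: version} for each pinned line; comments and blanks are skipped."""
    deps = {}
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if m:
            deps[m.group(1).lower()] = m.group(2)
    return deps


def license_allowed(expr, allowed):
    """A disjunctive SPDX expression ('A OR B') is acceptable if any alternative
    is allowed, because the consumer may choose either licence."""
    return any(alt.strip() in allowed for alt in expr.split(" OR "))


@dataclass
class Report:
    new: list = field(default_factory=list)                 # names not in the inventory
    changed: list = field(default_factory=list)             # (name, reviewed, actual)
    license_violations: list = field(default_factory=list)  # (name, licence)

    def ok(self):
        return not (self.new or self.changed or self.license_violations)


def check(lockfile_text, inventory, allowed):
    """Compare the lockfile with the inventory and the licence policy."""
    report = Report()
    for name, version in parse_lockfile(lockfile_text).items():
        known = inventory.get(name)
        if known is None:
            report.new.append(name)
            continue
        if known["version"] != version:
            report.changed.append((name, known["version"], version))
        if not license_allowed(known["license"], allowed):
            report.license_violations.append((name, known["license"]))
    return report


if __name__ == "__main__":
    result = check(LOCKFILE, INVENTORY, ALLOWED_LICENSES)
    for name in result.new:
        print(f"NEW      {name}: not in inventory, review before merging")
    for name, reviewed, actual in result.changed:
        print(f"CHANGED  {name}: reviewed {reviewed}, lockfile has {actual}")
    for name, lic in result.license_violations:
        print(f"LICENCE  {name}: {lic} is not in the allow-list")
    # A non-zero exit makes the CI job fail until the inventory is updated.
    sys.exit(0 if result.ok() else 1)
```

The inventory is the "list of known dependencies" the activity asks for: a new name or a changed version is a review trigger rather than an automatic failure of the package itself, and the licence check runs on the reviewed record, so the policy can be applied without re-scanning every build.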

Resources

  • The "Existing OSS-licenced OSS licence compliance tools" group page.
  • The FOSSology Project. An up-to-date introduction to FOSSology and FOSS compliance by the Linux Foundation.
  • Free and Open Source Software licence Compliance: Tools for Software Composition Analysis, by Philippe Ombredanne, nexB Inc.
  • Software Sustainability Maturity Model.
  • CHAOSS: Community Health Analytics in Open Source Software.
Edited Mar 26, 2022 by Pierre-Yves Gibello