(Trust Goal) Manage software dependencies
A dependency identification program looks for the dependencies actually used within the codebase. As a result, the organisation must establish and maintain a list of known dependencies for its code base and watch the evolution of the identified providers.
Establishing and maintaining a list of known dependencies is an enabler for, and a prerequisite to:
- IP and license checking: some licenses cannot be mixed, even as a dependency. One has to know its dependencies to assess its associated legal risks.
- Vulnerabilities management: the entire piece of software is as weak as its smallest part: see the example of the Heartbleed flaw. One has to know its dependencies to assess its associated security risks.
- Lifecycle and sustainability: an active community on the dependency project is a bright sign for bug corrections, optimisations, and new features.
- Thoughtful selection of used dependencies, according to "maturity" criteria - the goal being to use open source components that are safe, with a sane and well-maintained codebase, and a living, active and reactive community that will accept external contributions, etc.
Identifying and tracking dependencies is a required step to mitigate the risks associated with any code reuse. In addition, implementing tools and processes to manage software dependencies is a prerequisite to properly manage quality, compliance, and security.
Consider the following questions:
- What is the company's risk (cost, reputation, etc.) if the software is corrupted, attacked or sued?
- Is the code base considered critical for people, the organisation, or business?
- What if a component upon which an application depends changes its repository?
The minimal and first step is to implement a software composition analysis (SCA) tool. Support by specialised consulting firms may be required for a full-fledged SCA or dependency mapping.
The following verification points demonstrate progress in this activity:
Dependencies are identified in all in-house developed code.
Dependencies are identified in all external code executed within the company.
An easy-to-setup software composition analysis or dependency identification procedure is available for projects to add to their Continuous Integration process.
Dependency analysis tools are used.
- OWASP Dependency check: dependency-Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project’s dependencies.
- OSS Review Toolkit: a suite of tools to assist with reviewing Open Source Software dependencies.
- Fossa: fast, portable and reliable dependency analysis. Supports licence & vulnerability scanning. Language-agnostic; integrates with 20+ build systems.
- Software 360.
- Eclipse Dash license tool: takes a list of dependencies and requests ClearlyDefined to check their licences.
- Conduct regular audits about the dependencies and IP requirements to mitigate legal risks.
- Ideally, integrate dependencies management in the Continuous integration process so that issues (new dependency, licence incompatibility) are identified and fixed as soon as possible.
- Keep track of dependency-related vulnerabilities, keep users and developers informed.
- Inform people about the risks associated with wrong licencing.
- Propose an easy solution for projects to set up licence checking on their codebase.
- Communicate on its importance and help projects to add it to their CI systems.
- Set up a visible KPI for dependency-related risks.
- Existing OSS-licenced OSS licence compliance tools group page.
- The FOSSology Project. An up-to-date introduction to FOSSology and FOSS compliance by the Linux Foundation.
- Free and Open Source Software licence Compliance: Tools for Software Composition Analysis, by Philippe Ombredanne, nexB Inc.
- Software Sustainability Maturity Model.
- CHAOS: Community Health Analytics Open Source Software.