(Trust Goal) Manage software dependencies
Identifying and tracking dependencies is a required step in mitigating the risks associated with any code, whether it was written in-house (possibly some time ago) or by third parties:
- IP and licensing: some licences are incompatible with each other and cannot be combined, even when one of them only enters the product through a dependency.
- Vulnerabilities: the whole piece of software is only as strong as its weakest component; a flaw in a widely used dependency (Heartbleed, CVE-2014-0160 in OpenSSL) affects every project that embeds it.
- Lifecycle and sustainability: an active community around a dependency is a good sign that bugs will be fixed, performance improved and new features added; an abandoned dependency becomes a liability.
A dependency identification programme inventories the dependencies actually used within the codebase, including the transitive ones pulled in by build tools. This gives an accurate picture of the external code in use, its licences and IP requirements, and makes it possible to identify and manage dependency-related vulnerabilities.
- What is the risk (cost, reputation, etc.) for the company if the software is compromised or attacked, or if its licensing leads to legal action?
- Is the codebase considered critical for people, the organisation, or the business?
- Question: Are dependencies identified in all in-house developed code?
- Question: Are dependencies identified in all external code executed within the company?
- Question: Is there an easy-to-set-up software composition analysis or dependency identification procedure available for projects to add to their Continuous Integration process?
- OWASP Dependency-Check: a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project's dependencies.
- OSS Review Toolkit (ORT): a suite of tools to assist with reviewing open source software dependencies.
- FOSSA: fast, portable and reliable dependency analysis with licence and vulnerability scanning; language-agnostic and integrates with 20+ build systems.
- Eclipse SW360: a catalogue application for tracking software components and their licences.
- Eclipse Dash License Tool: takes a list of dependencies and queries ClearlyDefined to check their licences.
- Conduct regular audits of dependencies and their IP requirements to mitigate legal risk.
- Ideally, integrate dependency management into the Continuous Integration process so that issues (a newly added dependency, a licence incompatibility, a known vulnerable version) are identified and fixed as soon as possible.
- Keep track of dependency-related vulnerabilities and keep users and developers informed.
- Inform people about the risks associated with incompatible or undeclared licensing.
- Offer projects an easy way to set up licence checking on their codebase.
- Communicate its importance and help projects add it to their CI systems.
- Set up a visible KPI for dependency-related risk (for example, the number of dependencies with known vulnerabilities or unresolved licence issues).
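As an added example (not code from the original page nor from any of the tools listed above), the following Python script shows the shape of the easy-to-set-up CI check that the assessment questions ask for and the recommendations call for: it inventories components from a CycloneDX-style SBOM, applies a licence policy, matches versions against an advisory list, derives a KPI and fails the build when a blocking finding exists. The SBOM, the licence policy, the package names and the advisory identifiers are all constructed for illustration; the CycloneDX field names are the real ones, but nothing else here is a real project, legal decision or vulnerability.

```python
"""Added example: a minimal dependency-inventory gate for CI.
Reads a CycloneDX-style SBOM (the JSON shape most SCA tools can emit),
applies a licence policy, matches components against an advisory list
and prints a KPI summary.  All data below is constructed for illustration."""
import json
import re
import sys
from dataclasses import dataclass

# Constructed SBOM in CycloneDX 1.4 JSON shape; package names are hypothetical.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-http", "version": "3.1.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "example-ssh", "version": "2.7.0",
         "licenses": [{"license": {"id": "LGPL-2.1-or-later"}}]},
        {"type": "library", "name": "example-crypto", "version": "1.0.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "name": "example-json", "version": "1.2.0"},
    ],
})

# Hypothetical policy for a product shipped under a permissive or proprietary
# licence.  Which licences are acceptable depends on how the product is
# distributed and on legal advice; this table is a placeholder, not an opinion.
LICENSE_POLICY = {
    "allow": {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC"},
    "review": {"LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only", "MPL-2.0"},
    "deny_prefixes": ("GPL-", "AGPL-"),
}

# Constructed advisory feed (not real advisories): versions strictly below
# "fixed_in" are affected.  A real feed would come from the NVD, OSV, etc.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "name": "example-ssh", "fixed_in": "2.8.0"},
    {"id": "EXAMPLE-ADV-0002", "name": "example-json", "fixed_in": "1.2.0"},
]


@dataclass(frozen=True)
class Finding:
    component: str
    version: str
    kind: str      # "license" or "vulnerability"
    severity: str  # "block" fails the build, "review" is reported only
    detail: str


def version_key(version):
    """Dotted numeric comparison key; non-numeric suffixes are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def load_components(sbom_json):
    """Return (name, version, [SPDX ids]) for each component in the SBOM."""
    bom = json.loads(sbom_json)
    out = []
    for comp in bom.get("components", []):
        ids = [entry.get("license", {}).get("id") for entry in comp.get("licenses", [])]
        out.append((comp["name"], comp["version"], [i for i in ids if i]))
    return out


def check_license(name, version, licenses, policy=LICENSE_POLICY):
    """Treats every declared licence as applying (AND); a dual-licensed OR
    expression needs its own policy decision and is not modelled here."""
    if not licenses:
        return Finding(name, version, "license", "review", "no licence declared in SBOM")
    for lic in licenses:
        if lic.startswith(policy["deny_prefixes"]):
            return Finding(name, version, "license", "block", f"{lic} is on the deny list")
        if lic in policy["review"]:
            return Finding(name, version, "license", "review", f"{lic} needs legal review")
        if lic not in policy["allow"]:
            return Finding(name, version, "license", "review", f"{lic} is not covered by the policy")
    return None


def check_vulnerabilities(name, version, advisories=ADVISORIES):
    """One blocking finding per advisory whose fixed version is above ours."""
    return [Finding(name, version, "vulnerability", "block", f"{a['id']}: fixed in {a['fixed_in']}")
            for a in advisories
            if a["name"] == name and version_key(version) < version_key(a["fixed_in"])]


def scan(sbom_json, policy=LICENSE_POLICY, advisories=ADVISORIES):
    findings = []
    for name, version, licenses in load_components(sbom_json):
        lic = check_license(name, version, licenses, policy)
        if lic:
            findings.append(lic)
        findings.extend(check_vulnerabilities(name, version, advisories))
    return findings


def kpi(findings):
    """The visible KPI: number of blocking and review-level findings."""
    summary = {"block": 0, "review": 0}
    for f in findings:
        summary[f.severity] += 1
    return summary


def main():
    findings = scan(SAMPLE_SBOM)
    for f in findings:
        print(f"[{f.severity.upper()}] {f.component}@{f.version} ({f.kind}): {f.detail}")
    print("KPI:", kpi(findings))
    sys.exit(1 if kpi(findings)["block"] else 0)  # non-zero exit fails the CI job


if __name__ == "__main__":
    main()
```

On the constructed SBOM the script reports four findings (two blocking, two for review) and exits non-zero: `example-crypto` trips the deny list, `example-ssh` 2.7.0 is below the advisory's fixed version and its LGPL licence needs review, and `example-json` has no licence declared but, being exactly at the fixed version, is not flagged as vulnerable. In a real pipeline the SBOM would be generated by the project's build or by one of the tools listed above, and the advisory list would be fetched from a vulnerability database rather than embedded.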
- Existing OSS-licensed OSS license compliance tools (group page)
- The FOSSology Project: an introduction
- The FOSSology Project: an up-to-date introduction to FOSSology and FOSS compliance, by the Linux Foundation
- Free and Open Source Software License Compliance: Tools for Software Composition Analysis, by Philippe Ombredanne, nexB Inc.