(Trust Goal) Manage software dependencies

Description

A dependency identification program looks for the dependencies actually used within the codebase. As a result, the organisation must establish and maintain a list of known dependencies for its code base and watch the evolution of the identified providers.

Establishing and maintaining a list of known dependencies is an enabler for, and a prerequisite to:

• IP and license checking: some licenses cannot be mixed, even as a dependency. One has to know its dependencies to assess its associated legal risks.
• Vulnerabilities management: the entire piece of software is as weak as its smallest part: see the example of the Heartbleed flaw. One has to know its dependencies to assess its associated security risks.
• Lifecycle and sustainability: an active community on the dependency project is a bright sign for bug corrections, optimisations, and new features.
• Thoughtful selection of used dependencies, according to "maturity" criteria - the goal being to use open source components that are safe, with a sane and well-maintained codebase, and a living, active and reactive community that will accept external contributions, etc.

Opportunity Assessment

Identifying and tracking dependencies is a required step to mitigate the risks associated with any code reuse. In addition, implementing tools and processes to manage software dependencies is a prerequisite to properly manage quality, compliance, and security.

Consider the following questions:

• What is the company's risk (cost, reputation, etc.) if the software is corrupted, attacked or sued?
• Is the code base considered critical for people, the organisation, or business?
• What if a component upon which an application depends changes its repository?

The minimal and first step is to implement a software composition analysis (SCA) tool. Support by specialised consulting firms may be required for a full-fledged SCA or dependency mapping.

Progress Assessment

The following verification points demonstrate progress in this activity:

• Dependencies are identified in all in-house developed code.
• Dependencies are identified in all external code executed within the company.
• An easy-to-setup software composition analysis or dependency identification procedure is available for projects to add to their Continuous Integration process.
• Dependency analysis tools are used.

Tools

• OWASP Dependency check: dependency-Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project’s dependencies.
• OSS Review Toolkit: a suite of tools to assist with reviewing Open Source Software dependencies.
• Fossa: fast, portable and reliable dependency analysis. Supports licence & vulnerability scanning. Language-agnostic; integrates with 20+ build systems.
• Software 360.
• Eclipse Dash license tool: takes a list of dependencies and requests ClearlyDefined to check their licences.

Recommendations

• Conduct regular audits about the dependencies and IP requirements to mitigate legal risks.
• Ideally, integrate dependencies management in the Continuous integration process so that issues (new dependency, licence incompatibility) are identified and fixed as soon as possible.
• Keep track of dependency-related vulnerabilities, keep users and developers informed.
• Inform people about the risks associated with wrong licencing.
• Propose an easy solution for projects to set up licence checking on their codebase.
• Communicate on its importance and help projects to add it to their CI systems.
• Set up a visible KPI for dependency-related risks.

Resources

• Existing OSS-licenced OSS licence compliance tools group page.
• The FOSSology Project. An up-to-date introduction to FOSSology and FOSS compliance by the Linux Foundation.
• Free and Open Source Software licence Compliance: Tools for Software Composition Analysis, by Philippe Ombredanne, nexB Inc.
• Software Sustainability Maturity Model.
• CHAOS: Community Health Analytics Open Source Software.