(Trust Goal) Run open-source reviews
Description
A key element of an open-source compliance program is an open-source review process: open-source components and the internal code that uses them are regularly audited to assess their security and their intellectual-property and licence compliance. Open-source reviews can be conducted at specific quality gates (e.g. when a third-party piece of code enters the company), or be integrated into the software development process.
Reviews should cover (may involve multiple sub-reviews):
- Potential breaches of license compliance.
- Staffing: who maintains the code (in-house staff or contractors, the upstream community, an intermediary such as Tidelift, or nobody)?
- Open CVEs against this software and its direct and transitive dependencies, and other security weaknesses introduced by reusing existing open-source third-party components (for example, unmaintained or unpinned versions).
- Assess patent risks.
- Variance of the above according to localization/territory of use.
These open-source reviews explicitly refer to activities #23 and #24 and shall be a required step for all project compliance validations.
Opportunity Assessment
Reviews are valuable inbound (when a new open source project is added to the organizational inventory) and outbound (when code is contributed upstream, sent downstream to a distribution, or shipped to a customer/market). They can be associated with the code reviewing process or set up as standalone audits.
This activity becomes essential when:
- The organization acquires or takes ownership of software assets.
- The organization releases a product or service.
- There is a known security or compliance risk identified in a piece of software.
Progress Assessment
The following verification points demonstrate progress in this Activity:
- Open-source review is recognized as a necessary step.
- Open-source reviews are planned, either regularly or at key events (e.g. when introducing dependencies, acquiring new assets, or releasing a product).
- A process for conducting open-source reviews has been collectively defined and accepted.
Tools
- The majority of review tasks (dependency inventory, licence identification, vulnerability matching) should be carried out automatically in CI/CD. Dedicated tools and plugins exist for all major CI/CD engines.
- Check tools from activities #22 and #23.
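The following is an added example, not code from the page or from OpenChain, showing the kind of automated check the review checklist above and the CI/CD bullet describe. It reads a CycloneDX-shaped SBOM fragment, flags components whose licence needs a sub-review for the intended use case (copyleft licences are accepted for internal use but gated before distribution), flags components with no declared licence, and matches each component against a vulnerability feed. The SBOM, the licence policy and the advisory feed are all constructed for the example, and the advisory identifiers are placeholders, not real CVEs; the version comparison handles only numeric dotted versions.

```python
"""Minimal open-source review gate for a CI job (added example, constructed data)."""
from __future__ import annotations

from typing import Dict, List, Tuple

# Constructed licence policy (assumption: SPDX identifiers as used in CycloneDX).
# Copyleft licences are fine for internal use but need a dedicated sub-review
# before code is distributed, because their obligations trigger on distribution.
LICENSE_POLICY = {
    "allowed": {"MIT", "Apache-2.0", "BSD-3-Clause"},
    "review_on_distribution": {"GPL-2.0-only", "GPL-3.0-only", "LGPL-2.1-only"},
}

# Constructed advisory feed: placeholder IDs, not real CVEs.
# "introduced" is the first affected version, "fixed" the first fixed one.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "pkg:pypi/acme-parser",
     "introduced": "1.0.0", "fixed": "1.4.2"},
    {"id": "ADV-EXAMPLE-0002", "package": "pkg:npm/widget-lib",
     "introduced": "0.0.0", "fixed": "2.0.0"},
]

# Constructed SBOM fragment in CycloneDX JSON shape (hypothetical packages).
SBOM = {
    "components": [
        {"name": "acme-parser", "version": "1.3.0",
         "purl": "pkg:pypi/acme-parser@1.3.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"name": "widget-lib", "version": "2.1.0",
         "purl": "pkg:npm/widget-lib@2.1.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"name": "mystery-lib", "version": "0.9",
         "purl": "pkg:npm/mystery-lib@0.9",
         "licenses": []},
    ]
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted version into a comparable tuple; non-numeric parts count as 0."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True if introduced <= version < fixed (half-open range, as in OSV-style feeds)."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def review_sbom(sbom: Dict, policy: Dict, advisories: List[Dict], use_case: str) -> List[Dict]:
    """Return review findings for every component. use_case is 'internal' or 'distribution'."""
    findings: List[Dict] = []
    for comp in sbom["components"]:
        purl_base = comp["purl"].split("@")[0]          # strip the version suffix
        ids = [l["license"]["id"] for l in comp.get("licenses", []) if "license" in l]

        # Licence sub-review: unknown licences cannot be assessed, so they block.
        if not ids:
            findings.append({"component": comp["name"], "kind": "license",
                             "detail": "no declared licence", "blocking": True})
        for lic in ids:
            if lic in policy["allowed"]:
                continue
            if lic in policy["review_on_distribution"]:
                if use_case == "distribution":
                    findings.append({"component": comp["name"], "kind": "license",
                                     "detail": f"{lic} requires review before distribution",
                                     "blocking": True})
                continue
            findings.append({"component": comp["name"], "kind": "license",
                             "detail": f"{lic} not in policy", "blocking": True})

        # Vulnerability sub-review: match purl and version range against the feed.
        for adv in advisories:
            if adv["package"] == purl_base and is_affected(
                    comp["version"], adv["introduced"], adv["fixed"]):
                findings.append({"component": comp["name"], "kind": "vulnerability",
                                 "detail": f"{adv['id']} (fixed in {adv['fixed']})",
                                 "blocking": True})
    return findings


def gate(findings: List[Dict]) -> int:
    """CI exit status: non-zero if any finding blocks the quality gate."""
    return 1 if any(f["blocking"] for f in findings) else 0


if __name__ == "__main__":
    results = review_sbom(SBOM, LICENSE_POLICY, ADVISORIES, use_case="distribution")
    for f in results:
        print(f"{f['kind']:<14} {f['component']:<14} {f['detail']}")
    raise SystemExit(gate(results))
```

Run against the constructed data with use_case="distribution", the script reports a vulnerable acme-parser, a copyleft widget-lib that needs a distribution sub-review, and an unlicensed mystery-lib, and exits non-zero so the pipeline stops at the gate; with use_case="internal" the copyleft finding disappears, which is the variance by use case that the checklist above asks reviewers to account for.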
Recommendations
- Set up automatic checks that development teams can easily use. Try to lower the barrier to such reviews by providing easy access to a known service, either inside or outside of the organization.
- Open-source review is a collective task and works best when the teams involved collaborate closely.
- Open-source reviews imply assessing and understanding the various use cases of the product (public distribution, distribution to customers, internal use) and its architecture (front-end, back-end, SaaS, embedded, mobile), since licence obligations and exposure differ between them.
Resources
- This activity was inspired by the OpenChain curriculum reference training slides.