© 2019 Synopsys, Inc. 1
Why All Open Source Scans Aren’t Created Equal
Emmanuel Tournier, Senior Manager, Black Duck Audits
Phil Odence, General Manager, Black Duck Audits
Speakers
Phil Odence
General Manager
Black Duck Audits
Emmanuel Tournier
Senior Manager
Black Duck Audits
Agenda
Open Source Scanning and Risk Basics
Solutions and Tradeoffs
Real World Examples
Conclusions and Q&A
Open Source Scanning and Risk Basics
The Value of Open Source is Clear
Accelerates time to market
Frees developers to work on other tasks
Reduces development costs
So open source is often unchecked, resulting in risks
(diagram: the codebase combines commercial third-party code, which enters through purchasing, and open source)
Purchasing asks: Licensing? Security? Quality? Support?
Open source raises the same questions, usually unasked:
OPERATIONAL FACTORS: Which versions of code are being used, and how old are they (dead projects)?
LEGAL RISK: Which licenses are used, and do they match anticipated use of the code?
SECURITY RISK: Which components have vulnerabilities, and what are they?
Management visibility—not!
What we find in Black Duck Open Source Audits…
Source: 2019 Annual Open Source Security and Risk Assessment
• … of the 2018 audited code analyzed was open source
• … of the audited codebases contained license issues
• … of the audited codebases contained vulnerabilities
"...many open-source assets are either undermanaged or altogether unmanaged …." -Gartner, 2017
Requirements for World-Class OSS Management
• Strategy
– The business objectives for use of OSS
• Policy
– Usage rules
• Process
– How managed
• Technology
– Automated governance and compliance
– Including scanning
Solutions and Tradeoffs
Concept
• All open source scans shouldn’t be created equal
– Engineering tradeoffs are based on requirements
The Spectrum of Open Source Scans
(figure: a spectrum running from "Automated Tool" at one end, through "Other Tools", to "Auditor" / "Human w/tools" at the other)
The way of the world…
(chart: Human Effort on one axis, Depth and Accuracy of Analysis on the other)
So what’s the right tradeoff?
• It depends…
• On the scenario
– Risk Tolerance
– Use Case
– Issues/Requirements
– Resources
• More risk and specific needs require
deep/accurate analysis
M&A is Risky Business
• Reputations and fortunes on the line on both sides
• "...many open-source assets are either undermanaged or
altogether unmanaged once established within an IT
portfolio.” (Gartner)
• And even more so for smaller companies
• Deeper pockets may draw fire
• OSS questions have gone from unusual to being the norm
in tech due diligence
Typically M&A Due Diligence Demands Depth & Accuracy
(chart: Human Effort vs. Depth and Accuracy of Analysis, with "M&A Audit" and "Typical Automated Solution" plotted on it)
Accuracy
• Getting the BoM "right"
– Complete/Correct
• Range of Techniques (examples):
– Finding declarations in build files
– Recognizing Binary Signatures
– String Search
– Human Inspection
• Each finds some open source
– Some find other 3rd party
• The Best Technique
– …all of the above
Depth of Analysis and Use Case
• Levels of software composition
– Component
– File
– Source Code Snippets
• License Compliance vs. Security Use Case
– Open Source Licenses apply at source level
– Vulnerabilities apply at component level
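The techniques listed on the Accuracy slide and the two levels of analysis on this slide, worked through as an added example (this is not Black Duck code or the audit team's tooling): a small Python scanner runs three of the techniques over a constructed in-memory codebase, reads declarations out of a requirements.txt, hashes files against a constructed knowledge base, and searches for license and copyright strings. License findings attach to individual files and vulnerabilities are looked up per component, as the slide describes. The codebase, knowledge base, advisory identifier and regexes are all made up for the example.

```python
import hashlib
import re

# ---- Constructed sample codebase (path -> contents); every file here is made up ----
JQUERY_FILE = ("/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */\n"
               "!function(e,t){/* minified body elided */}();\n")
CODEBASE = {
    "requirements.txt": "requests==2.19.1\nflask==1.0.2\n",
    "vendor/jquery.min.js": JQUERY_FILE,
    "src/util.c": ("/* Copyright (c) 2009 Example Author\n"
                   " * Licensed under the GNU General Public License v2 */\n"
                   "int add(int a, int b) { return a + b; }\n"),
    "src/app.py": "import requests\n\ndef fetch():\n    return requests.get('https://example.invalid')\n",
}


def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()


# ---- Constructed knowledge base: hash of a known file -> (component, version, license) ----
KB_FILES = {sha256(JQUERY_FILE): ("jquery", "3.3.1", "MIT")}

# ---- Constructed advisory table, keyed at component level: (name, version) -> advisory ids ----
VULN_KB = {("requests", "2.19.1"): ["EXAMPLE-ADVISORY-0001 (placeholder id)"]}

# A tiny stand-in for a real license matcher: text fragment -> SPDX-style identifier
LICENSE_MARKERS = [
    (re.compile(r"GNU General Public License v2|GPL-2\.0|GPLv2"), "GPL-2.0"),
    (re.compile(r"MIT License|jquery\.org/license"), "MIT"),
]
COPYRIGHT_RE = re.compile(r"(?i)copyright\s*(?:\(c\)|©)?\s*\d{4}[^\n]*")


def declared_components(codebase):
    """Technique 1: read declarations out of build/manifest files (here only requirements.txt)."""
    found = set()
    for line in codebase.get("requirements.txt", "").splitlines():
        m = re.fullmatch(r"\s*([A-Za-z0-9_.-]+)==(\S+)\s*", line)
        if m:
            found.add((m.group(1).lower(), m.group(2)))
    return found


def exact_file_matches(codebase):
    """Technique 2: hash every file and look it up in the KB; catches vendored copies no manifest declares."""
    matches = {}
    for path, text in codebase.items():
        hit = KB_FILES.get(sha256(text))
        if hit:
            matches[path] = hit
    return matches


def string_search(codebase):
    """Technique 3: search for license and copyright text; these findings attach to individual files."""
    findings = {}
    for path, text in codebase.items():
        licenses = [spdx for rx, spdx in LICENSE_MARKERS if rx.search(text)]
        copyrights = COPYRIGHT_RE.findall(text)
        if licenses or copyrights:
            findings[path] = {"licenses": licenses, "copyrights": copyrights}
    return findings


def build_bom(codebase):
    """Union the techniques: components tagged with what found them, per-file license findings,
    and a component-level vulnerability lookup. Each technique alone misses something."""
    components = {}
    for name, ver in declared_components(codebase):
        components.setdefault((name, ver), set()).add("declaration")
    for name, ver, _lic in exact_file_matches(codebase).values():
        components.setdefault((name, ver), set()).add("exact-file")
    vulnerable = {comp: VULN_KB[comp] for comp in components if comp in VULN_KB}
    return {"components": components, "file_licenses": string_search(codebase), "vulnerable": vulnerable}


if __name__ == "__main__":
    bom = build_bom(CODEBASE)
    for (name, ver), techniques in sorted(bom["components"].items()):
        print(f"{name} {ver:<8} found by: {', '.join(sorted(techniques))}")
    for path, f in sorted(bom["file_licenses"].items()):
        print(f"{path}: licenses={f['licenses']} copyrights={f['copyrights']}")
    print("vulnerable components:", bom["vulnerable"])
```

Run as a script it prints the merged BoM: the manifest alone never sees the vendored jQuery copy, the hash lookup alone never sees the declared Python packages, and the string search is the only technique that attaches a license to `src/util.c`, which is why the slide's answer to "the best technique" is all of them.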
Example of a problematic license: GPL v.2
GPL v.2 (Section 2. b.):
You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this license.
GPL v.2 (Section 3):
You may copy and distribute the Program (or a work based on it) in object code or executable form … provided that you also do one of the following:
• accompany it with the complete corresponding machine-readable source code … on a medium customarily used for software interchange; or,
• accompany it with a written offer … to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code.
Other Considerations
                     M&A Due Diligence                          Internal Management
Nature of Analysis   One-time snapshot                          Dynamic
Code Access          Generally remote, via a trusted 3rd party  Integration with SDLC
Timing               Quick turnaround                           Deployed, on-going
Credibility          Important for multiple parties             Built and tuned over time
Reporting            Easily shareable format                    Application with user roles
Real World Examples
Code analysis engine—binary and source code
Dependency analysis
• Detects dependencies inside libraries, executables, jars, classes, DLLs, etc.
• Import/include statements
Archives*
• Descends into archives such as zip, jar, and tar files, and recursively performs source and binary analysis
Exact file matching
• KB contains libraries, class files, binaries, archives, and images
Snippet matching
• KB contains hundreds of millions of code prints to detect matches down to the snippet level
• Detects matches of components, files, and code fragments (finds reused code even when altered)
• Language independent
Integrated string search
• Enables targeted license and copyright searches
• Finds licenses, copyrights, URLs, company names, user comments ("taken from"), etc.
File pattern name matching
• Customize file types to include/exclude in scans
* Many archives are redundant or unnecessary to scan, and inclusion can affect the audit cost. Please verify that they are in scope for your engagement.
Manual analysis benefits vs. automated scan
• Manual review of source code matches: achieves better accuracy than an automated scan
• Snippet matches: discover modified 3rd party source files
• String searches: discover 3rd party components that are not in the KB:
– StackOverflow.com / StackExchange, gist.github.com, MSDN …
– New or little-known source code from blogs / personal websites
– 3rd party commercial code
• Manual inspection of libraries or executables with no match against the KB
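Snippet matching as the engine slide describes it, and the "modified 3rd party source files" point above, as an added example rather than Black Duck's own matcher: winnowing fingerprints (the Schleimer, Wilkerson and Aiken algorithm, assumed here as a stand-in for the proprietary "code prints") computed over identifier-normalised tokens. An exact SHA-256 comparison fails on a copy with renamed variables, a new comment and an added guard, but most of the original's fingerprints survive in it; an unrelated file shares none. The knowledge-base entry, both candidate files and the k/w parameters are constructed for the example.

```python
import hashlib
import re

# k-gram size and winnowing window: constructed choices for this example, not a vendor's settings
K, W = 5, 4
C_KEYWORDS = {"int", "char", "void", "const", "unsigned", "return", "if", "else", "for", "while"}
TOKEN_RE = re.compile(r"[A-Za-z_]\w*|\d+|[^\s\w]")

# Constructed "knowledge base": component -> original source of one of its files
KB_SOURCES = {
    "examplelib 1.0 (constructed)": """
int array_max(const int *values, int count) {
    int best = values[0];
    for (int i = 1; i < count; i++) {
        if (values[i] > best) {
            best = values[i];
        }
    }
    return best;
}
""",
}

# Constructed file under audit: the KB function with renamed identifiers, a new comment and an
# added guard, so an exact hash lookup fails although most of the code is still examplelib's.
MODIFIED_COPY = """
/* borrowed helper, tweaked for our codebase */
int largest(const int *arr, int n) {
    if (n <= 0) return -1;
    int m = arr[0];
    for (int j = 1; j < n; j++) {
        if (arr[j] > m) {
            m = arr[j];
        }
    }
    return m;
}
"""

# Constructed unrelated file: must not be attributed to examplelib
UNRELATED = """
void reverse(char *s) {
    char *e = s;
    while (*e) e++;
    e--;
    while (s < e) {
        char t = *s;
        *s++ = *e;
        *e-- = t;
    }
}
"""


def tokenize(source):
    """Drop comments and whitespace; map every identifier to ID so renaming does not break matches."""
    source = re.sub(r"/\*.*?\*/", " ", source, flags=re.S)
    source = re.sub(r"//[^\n]*", " ", source)
    return ["ID" if (t[0].isalpha() or t[0] == "_") and t not in C_KEYWORDS else t
            for t in TOKEN_RE.findall(source)]


def fingerprints(tokens, k=K, w=W):
    """Winnowing: hash each k-gram of tokens, keep the minimum hash of every window of w k-grams."""
    hashes = [int(hashlib.sha256(" ".join(tokens[i:i + k]).encode()).hexdigest()[:8], 16)
              for i in range(len(tokens) - k + 1)]
    if len(hashes) <= w:
        return set(hashes)
    return {min(hashes[i:i + w]) for i in range(len(hashes) - w + 1)}


def coverage(known_source, candidate_source):
    """Fraction of the known file's fingerprints that also appear in the candidate."""
    known = fingerprints(tokenize(known_source))
    found = fingerprints(tokenize(candidate_source))
    return len(known & found) / len(known) if known else 0.0


def exact_match(a, b):
    return hashlib.sha256(a.encode()).hexdigest() == hashlib.sha256(b.encode()).hexdigest()


def scan(candidate_source, threshold=0.5):
    """Per KB component: is the candidate an exact copy, and how much of the component is reused in it."""
    report = {}
    for component, known_source in KB_SOURCES.items():
        cov = coverage(known_source, candidate_source)
        report[component] = {"exact": exact_match(known_source, candidate_source),
                             "coverage": round(cov, 2), "snippet_match": cov >= threshold}
    return report


if __name__ == "__main__":
    print("modified copy:", scan(MODIFIED_COPY))
    print("unrelated file:", scan(UNRELATED))
```

The coverage number is what a reviewer then inspects by hand: a high fraction with no exact match is the "modified 3rd party source file" case, and the surviving fingerprints point at which lines to compare against the original before attributing the file and its license.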
Example #1: manual review allows better accuracy
Example #2: snippets
Example #3: string searches
Example #4: precompiled libs or executables
• Using a custom tool to extract binary file data, we are able to find 3rd party commercial or recompiled open source content
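Example #4's binary extraction, as an added illustration that is not the custom tool the slide refers to: a `strings`-style scan of a constructed byte blob that pulls out printable ASCII and UTF-16LE runs (Windows version resources are UTF-16, so an ASCII-only pass misses them) and matches them against a constructed marker table. That is how a recompiled library, whose file hash is not in the KB and which no manifest declares, still gets identified. The blob, the component names and the marker patterns are all made up.

```python
import re

MIN_LEN = 6  # shortest printable run to keep, like `strings -n 6` (constructed choice)

# Constructed binary blob standing in for a recompiled library whose hash is not in the KB:
# header-like bytes, junk, an ASCII version marker, more junk, and a UTF-16LE copyright marker
BLOB = (b"\x7fELF\x02\x01\x01\x00" + bytes(range(32))
        + b"examplelib version 2.4.1 (constructed)\x00"
        + bytes([0xDE, 0xAD, 0xBE, 0xEF] * 5)
        + "Copyright (c) Example Vendor".encode("utf-16-le") + b"\x00\x00"
        + b"\x90" * 10 + b"ab\x00")  # "ab" is too short to count as a string

# Constructed marker table: a pattern seen in extracted strings -> the component it points to
MARKERS = [
    (re.compile(r"examplelib version \d+\.\d+\.\d+"), "examplelib"),
    (re.compile(r"Copyright \(c\) Example Vendor"), "Example Vendor (commercial)"),
]


def extract_strings(data, min_len=MIN_LEN):
    """Printable ASCII and UTF-16LE runs of at least min_len characters, in file order."""
    ascii_rx = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_rx = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    runs = [(m.start(), m.group().decode("ascii")) for m in ascii_rx.finditer(data)]
    runs += [(m.start(), m.group().decode("utf-16-le")) for m in utf16_rx.finditer(data)]
    return [text for _, text in sorted(runs)]


def identify(data):
    """Map extracted strings to components via the marker table; the matched text is kept as evidence."""
    hits = {}
    for text in extract_strings(data):
        for rx, component in MARKERS:
            m = rx.search(text)
            if m:
                hits[component] = m.group(0)
    return hits


if __name__ == "__main__":
    for s in extract_strings(BLOB):
        print("string:", s)
    print("identified:", identify(BLOB))
```

The evidence string is deliberately kept with each hit: in an audit report the reviewer needs to show why a binary was attributed to a component, and a version string or copyright line lifted from the file is what a buyer's counsel will ask to see.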
Conclusions and Q&A
So what kind of scan do you need?
• Internal Management
– Simple
– Integrated
– Dynamic
• M&A Due Diligence
– Typically 3rd party
– Accurate
– All OSS
– Other 3rd Party
– Deep
– Other 3rd Party
– Snapshot
Thank You

Webinar–Why All Open Source Scans Aren't Created Equal
