Social Code Scanning
1. Social Code Scanning
   2017-05-24 Barcelona
   Maurizio Pillitu
   DevOps Director, Symphony Software Foundation
   @maoo maoo@symphony.foundation
   Analysing code, together
2. Social Code Scanning - our first event!
   ✓ What is it
      Hands-on code workshop to analyse the quality, security and legal aspects of your code
      Quick intro on how to analyse and measure
      Networking, pizza and beers are on us
   ✓ Who’s behind it
      Organised by the Symphony Software Foundation
      Hosted by CodeWorks Barcelona
   ✓ Requirements - none
1/23
3. The Symphony Software Foundation
   ✓ Non-profit organisation to foster an open source community and developer ecosystem for financial services
   ✓ Leverages Symphony* and other open source platforms to drive inter-firm collaboration
   ✓ Open
      Governance - Board of Directors, Engineering Steering Committee
      Standards - Working Groups
      Source - github.com/symphonyoss
2/23
4. Today’s takeaways
   1. Understand
      If/when to analyse your code
      Common scenarios
   2. Try
      Analysing your code
      Commonly adopted tools
   3. Ask
      Share doubts, questions
3/23
5. Why analyse code?
   1. To know your codebase
      Your code is a puzzle, and only a few of the tiles are actually made by you
      Code modularity keeps increasing (more, smaller tiles)
      Platforms and technologies (e.g. runtimes) evolve fast, opening the door to new potential exploits
      Open source is a massive, publicly available tile repository
   2. Your customers (or consumers) deserve to know
      Nobody wants to consume insecure/buggy code
      Highly regulated (e.g. financial services) and mission-critical (e.g. aerospace) industries cannot afford quality/security/legal exposure #dealbreaker
4/23
11. Why measure quality?
   1. Know when quality drops (and where)
   2. Say goodbye to regressions
   3. Focus on (new) code #boostproductivity
   4. ....
8/23
12. What to measure
   1. Project
      Activity
         Commits (codebase activity)
         Bugs: opened vs. fixed
         Inter-firm collaboration #bus-factor
      Documentation
         User manual
         Installation manual
         Roadmap
9/23
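The project-activity metrics listed above (commit activity, bugs opened vs. fixed, bus factor as a proxy for inter-firm collaboration) can be computed from a commit log and an issue-tracker export. The script below is an added example written for this page; it is not code from the presentation, from the Symphony Software Foundation or from any of the scanners named on the later slides. The commit and issue records it processes are constructed sample data, and the bus-factor definition used (the smallest group of authors accounting for more than half of all commits) is an assumption, one common reading of the term.

```python
"""Project-activity metrics from a constructed commit log and issue list.

Added example for the "What to measure: Project / Activity" slide. The
records below are constructed sample data, not a real project's history.
"""
from collections import Counter
from datetime import date

# Constructed commit log: (date, author, organisation) per commit.
COMMITS = [
    (date(2017, 3, 2), "alice", "bank-a"),
    (date(2017, 3, 3), "alice", "bank-a"),
    (date(2017, 3, 9), "bob", "bank-a"),
    (date(2017, 3, 15), "alice", "bank-a"),
    (date(2017, 4, 1), "carol", "fintech-b"),
    (date(2017, 4, 4), "alice", "bank-a"),
    (date(2017, 4, 20), "alice", "bank-a"),
    (date(2017, 5, 2), "dave", "bank-a"),
    (date(2017, 5, 10), "alice", "bank-a"),
    (date(2017, 5, 11), "carol", "fintech-b"),
]

# Constructed issue-tracker export: (opened, fixed) dates; None = still open.
BUGS = [
    (date(2017, 3, 5), date(2017, 3, 8)),
    (date(2017, 3, 20), None),
    (date(2017, 4, 2), date(2017, 4, 30)),
    (date(2017, 4, 15), None),
    (date(2017, 5, 1), None),
]

# Reporting date used in the usage run (the workshop date).
AS_OF = date(2017, 5, 24)


def commits_per_month(commits):
    """Codebase activity: number of commits per YYYY-MM bucket."""
    return dict(Counter(d.strftime("%Y-%m") for d, _, _ in commits))


def bugs_opened_vs_fixed(bugs, as_of):
    """Bugs opened and fixed up to `as_of`, plus the backlog still open."""
    opened = sum(1 for o, _ in bugs if o <= as_of)
    fixed = sum(1 for _, f in bugs if f is not None and f <= as_of)
    return {"opened": opened, "fixed": fixed, "open_backlog": opened - fixed}


def bus_factor(commits, threshold=0.5):
    """Assumed definition: the smallest number of authors who together account
    for more than `threshold` of all commits. A bus factor of 1 means a single
    person carries the codebase."""
    counts = Counter(author for _, author, _ in commits)
    total = sum(counts.values())
    covered, n = 0, 0
    for _, c in counts.most_common():
        covered += c
        n += 1
        if covered / total > threshold:
            return n
    return n


def organisation_share(commits):
    """Inter-firm collaboration: fraction of commits per organisation."""
    counts = Counter(org for _, _, org in commits)
    total = sum(counts.values())
    return {org: c / total for org, c in counts.items()}


if __name__ == "__main__":
    print("commits per month:", commits_per_month(COMMITS))
    print("bugs:", bugs_opened_vs_fixed(BUGS, AS_OF))
    print("bus factor:", bus_factor(COMMITS))
    print("organisation share:", organisation_share(COMMITS))
```

On the constructed data the bus factor is 1 and one organisation holds 80% of the commits, which is exactly the kind of concentration the "inter-firm collaboration" metric is meant to surface; swapping in a real `git log --format='%ad %an'` export and an issue-tracker CSV is the only change needed to run it on an actual project.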
13. How to measure
   1. One-off (manual) scanning
      Read your code
      Know your libraries
      Follow guidelines
   2. Automated/continuous scanning
      BlackDuck
      WhiteSource
      SonarQube
10/23
15. Why care about legal compliance?
   1. Respect the rights of open source contributors
      a. Appropriate attribution
      b. Reciprocal (copyleft) licensing requirements
   2. Avoid intellectual property infringement
      a. Copyrights
      b. Patents
   3. Demonstrate due diligence (aka build trust)
      a. Especially relevant for highly regulated industries #consumption #contribution
11/23
16. What to measure
   1. Outbound - choose the right license
      a. Proprietary
      b. Open source
         i. Permissive
         ii. Copyleft
         iii. Weak copyleft
         iv. Public domain
   2. Inbound - the licenses of your dependencies (for bundled software)
12/23
17. How to measure
   1. One-off (manual) scanning
      Read your code
      Know your libraries
   2. Automated/continuous scanning
      BlackDuck / OpenHub
      Fossa
      WhiteSource
      VersionEye
13/23
18. Open source common misunderstandings
   1. It’s public on GitHub, no license is defined, ergo it’s open source
      ■ Quite the opposite: no license defaults to "all rights reserved", which covers use and redistribution for both personal and commercial purposes
   2. No license is defined… contributions are welcome!
      ■ Without a contribution policy, the license sets the terms for collaboration
   3. I defined a LICENSE file, I’m fine
      ■ If you use dependencies, you must check their licenses and make sure they don’t conflict with your outbound license
   4. I have 2 direct dependencies and their licenses are OK, I’m fine
14/23
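The inbound check from slides 16 and 17, and misunderstandings 3 and 4 above, come down to one procedure: walk the whole dependency tree (not just the direct dependencies), classify each package's license, and flag anything that cannot be bundled under the chosen outbound license. The script below is an added example written for this page; it is not code from the presentation, from the Symphony Software Foundation or from any of the scanners named on the slides. The license categories, the compatibility matrix and the dependency manifest are simplified, constructed assumptions for illustration, not a real project's license data or a complete compatibility table.

```python
"""Inbound license check over a constructed dependency tree.

Added example for the legal "What to measure" / "How to measure" slides and
the "common misunderstandings" slide. Categories, rules and the manifest
below are simplified assumptions for illustration only.
"""

# Assumed category for each license id, following the slide's taxonomy.
# A missing LICENSE file (None) is the "all rights reserved" case.
CATEGORY = {
    "MIT": "permissive",
    "Apache-2.0": "permissive",
    "BSD-3-Clause": "permissive",
    "LGPL-2.1": "weak-copyleft",
    "MPL-2.0": "weak-copyleft",
    "GPL-3.0": "copyleft",
    "AGPL-3.0": "copyleft",
    "Unlicense": "public-domain",
    None: "unlicensed",
}

# Assumed, simplified rule: inbound categories that may be bundled into
# software shipped under an outbound license of the given category.
ALLOWED_INBOUND = {
    "proprietary": {"permissive", "public-domain", "weak-copyleft"},
    "permissive": {"permissive", "public-domain"},
    "weak-copyleft": {"permissive", "public-domain", "weak-copyleft"},
    "copyleft": {"permissive", "public-domain", "weak-copyleft", "copyleft"},
}

# Constructed manifest: package -> (license id, direct dependencies).
# "app" has only two direct dependencies, both permissive, but one pulls
# in a GPL library and the other a package with no license at all.
MANIFEST = {
    "app": ("Apache-2.0", ["web-lib", "json-lib"]),
    "web-lib": ("MIT", ["crypto-lib"]),
    "json-lib": ("BSD-3-Clause", ["fast-parser"]),
    "crypto-lib": ("GPL-3.0", []),
    "fast-parser": (None, []),
}


def transitive_dependencies(manifest, root):
    """Every package reachable from `root`, excluding `root` itself."""
    seen, stack = [], list(manifest[root][1])
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.append(name)
        stack.extend(manifest[name][1])
    return seen


def find_conflicts(manifest, root, outbound_category, transitive=True):
    """Return (package, license, category) for each dependency whose license
    cannot be bundled under `outbound_category`. With transitive=False only
    direct dependencies are checked, which is the mistake in misunderstanding 4."""
    allowed = ALLOWED_INBOUND[outbound_category]
    names = transitive_dependencies(manifest, root) if transitive else list(manifest[root][1])
    conflicts = []
    for name in names:
        license_id, _ = manifest[name]
        category = CATEGORY.get(license_id, "unknown")
        if category not in allowed:
            conflicts.append((name, license_id, category))
    return conflicts


if __name__ == "__main__":
    print("direct only:", find_conflicts(MANIFEST, "app", "permissive", transitive=False))
    for pkg, lic, why in find_conflicts(MANIFEST, "app", "permissive"):
        print(f"{pkg}: {lic} ({why}) conflicts with a permissive outbound license")
```

Checked against direct dependencies only, the constructed project looks clean; the full walk flags both the copyleft library and the unlicensed package, and changing the outbound category shows which of the two remains a problem under a copyleft outbound license.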
20. General remarks
   1. Keep it simple
   2. Understand requirements
   3. Manage expectations
   4. Use the right tool….
   Useful resources
      symphonyoss.atlassian.net/wiki
      choosealicense.com
15/23