The FASTEN project wants to support DevOps teams and help developers tracking, managing and mastering dependencies. FASTEN’s goal is to develop a toolchain that is provisioning and collecting project information, security alerts, and repositories from well-known and widely used services. It merges this information into a data stream, performs analysis, stores it, and, consequently, builds a call-graph for each analyzed project. The gathered information is made available through a REST API and Web UI and performs continuous integration to provide developers with updated and sanitized versions of their dependencies. One part of this toolchain will be an Open Source license analysis. This analysis should perform a verification and compatibility check on licenses used in Open Source projects and facilitate development from a user perspective as well as create industry-relevant information on license infringements. This functionality shall be presented in this talk. FASTEN has received funding from the European Union's Horizon 2020 research and innovation programme. It is carried out by a Consortium composed of AUEB, TUDelft, University of Milan-Bicocca, Endocode, OW2, SIG, and XWIKI.

1. OSS License compliance within
the FASTEN Project
Michele Scarlato
michele.scarlato@endocode.com
OSS 2021, May 2021

2. Content
● Open Source Software (OSS)
○ Package Management.
○ Package Dependency Networks (PDNs)
○ OSS License compliance
○ Issues related to OSS distribution
● The FASTEN Project
○ Main goals
○ Overall Architecture
○ OSS License Detection and Compliance with Fasten

3. Open Source Software
● Allows code reutilization.
● Simultaneously reducing development and maintenance
costs.
● Being hosted on centralized:
● repositories:
○ e.g., GitHub, BitBucket, …
● and forges:
○ e.g., Maven, PyPi, …
OSS development and utilization, driven by its collaborative nature,
gives life to a software ecosystem worldwide populated.

4. Package Management Systems
● Package Management Systems are widely used for version
consistency provisioning during package installation or
removal.
○ Deciding which version is chosen for each library.

5. Package Management Systems

6. Package Dependency Networks (PDNs)
● PDNs are composed by packages
and their dependencies.
● Package versions and
dependencies increase network
size and complexity.
○ Generating complex
graphs

7. OSS License Compliance
● How do I know that I am not violating anyone’s copyrights or that I am not
linking against code featuring incompatible licenses?
● Accurately selecting open source components imply considering licensing
issues, narrowing down your search by examining whether the project’s
license is compatible with your business model, mission, or other software
that you are using (Spinellis Diomidis, 2019 )
● A recent study[1] on license documentation found that fewer than 5% of
approximately 5,000 popular free and open source packages contained
complete and unambiguous license documentation (Ombredanne
Philippe, 2020)

8. Issues related to OSS distribution
Package maintainers are often providing their source code for free.
● Impact on code modification, e.g., deprecating and adding features, cannot be
easily assessed.
● Small and large corporations use many OSS packages, and they do not pay
maintainers. What would motivate them to maintain their code updated?
● How can they spot instances of code distributed without permission?
● A few incidents (e.g., Left-pad, Equifax) have shown how removing one library
from an ecosystem or not caring about vulnerabilities on a specific package
version could bring down a considerable network size or generate a huge
money loss.

9. The FASTEN Project
● Fine-Grained Analysis of SofTware Ecosystems as Networks
○ Goal: support DevOps teams and help developers tracking, managing and
mastering dependencies.
● Part of the EU H2020-ICT-2018-2020 Program
● A Consortium composed of:

10. Main goals
● Create an ecosystem-wide Fine-Grained Call Graph (FGCG), at the function
level
○ Increasing software ecosystems robustness by making package
management more intelligent
● Provide fully precise
○ usage analysis:
■ Does this vulnerability affect my code?
■ Am I linking to GPL code?
○ impact analysis:
■ How many clients will I break if I change this?
■ Can I safely update?

11. The FASTEN Knowledge Base
architecture

12. The FASTEN Knowledge Base Dataflow

13. OSS License Detection and Compliance
within Fasten
1. “Repository cloned”
License
detector
2. Start license
detection
Knowledge
Base
3. Detected
licenses
LCV
5. Verify
compliance
4. “Licenses
detected”
6. Retrieve inbound licenses
8. Compliance
information
7. Compliance
verifier

14. OSS License Detection
● This phase builds the project to figure out those licenses
that effectively end up in the package, collecting them.
● As output, this phase will augment Fasten Knowledge
Base with the detected licenses.
● One of the aims is the detection of dependencies licenses,
which are called Inbound licenses.
● Another is identifying the license under which the scanned
project is released, which is called Outbound license.

15. ● After retrieving inbound licenses and the outbound, the
validation phase consists of running an algorithm that
performs a compatibility check, comparing each inbound
license against the outbound license.
● These compatibility rules are stored in a Compatibility
Matrix.
● The output of this phase is a compatibility assessment that
will augment the Fasten Knowledge Base.
OSS License Validation

16. OSS License Compatibility Graph

17. OSS License Compliance Verifier (LCV) input/output examples
● Docker execution of Flask implementation
● API Endpoints
collection page

18. OSS License Compliance Verifier (LCV) input/output examples
● CompatibilitySPDXFlag API endpoint
● CompatibilitySPDXFlag
output

19. OSS License Compliance Verifier (LCV) input/output examples
● CompatibilitySPDX API endpoint
● CompatibilitySPDX
output

20. OSS License Compliance Verifier integration with Maven
architecture

21. LCV in CI/CD with GitHub actions

22. LCV in CI/CD with Jenkins

23. LCV in CI/CD with Jenkins/GitHub and Postman API tests -
using Newman

24. [1] P. Ombredanne and D. Clark, “What is the state of open source license clarity?” ClearlyDefined,
Apr. 26, 2019. [Online]. Available:
https://github.com/clearlydefined/license-score/blob/master/ClearlyDefined%20-%20ClearlyLicensed%
20clarity%20report-2019.pdf
[2] Ombredanne, Philippe. "Free and open source software license compliance: tools for software
composition analysis." IEEE Annals of the History of Computing 53.10 (2020): 105-109.
[3] Spinellis, Diomidis. "How to select open source components." Computer 52.12 (2019): 103-106.
Link to a video of the GitHub actions execution.
Link at the video presentation
References