First this talk explores the various options regarding FOSS detection, how this process can be integrated in the "software factory", and how the results can be displayed in a usable and efficient way, using different tools freely available to the open source communities like FOSSology and Antepedia Tools Suite. Secondly, we will give some example of license data that can be collected from many open source projects and show how it can be useful for communities to adopt standard like SPDX (Software Package Data Exchange), which will be presented briefly.

1. Tools for developers to ensure legal
integrity of their code
Freddy Munoz, PhD freddy.munoz@antelink.com
Product Manager, Antelink. @drfmunoz
Bruno Cornec
Open Source & Linux Profession Bruno.Cornec@hp.com
Lead EMEA, HPIntelCo.

2. The context

3. The problem
are you sure that you In your product
know everything…?
???
compile
test
analysis
integration test
package Product
Build Engineer Final product
???
In your BoM
license?
version?
project? are you sure that you
are license compliant?
3

4. Available compliance tools
(non-exhaustive list)
Antepedia Antepedia
Antepedia
Notifier Notifier
Reporter
Source code Binary package
Source http://www.linuxfoundation.org/programs/legal/compliance/tools
4

5. Antepedia Tool Suite
5

6. Antepedia Tool Suit
Antepedia 940 000 projects
Knowledge
210 000 000 files
Base
Public API
Antepedia* Antepedia*
Notifier Reporter
Antepedia**
Search
** free public access 6
* free for non-profit projects and organizations

7. Antepedia Search
Single
file Cloud service
Web-browser report
Original project
License information
Release date and location
7

8. Antepedia Reporter
my.antepedia.com Antepedia — the world’s
Largest Knowledge Base of
open source projects
1. HTML file
Export
Antepedia Reporter 2. CSV File
Analysis
Automated On-demand Detection of Open
Source Components
8

9. 9

10. Antepedia Notifier
Antepedia, the world’s
my.antepedia.com largest database of
open source projects
Continuous detection
1. By MAIL
Notification
2. Through
Antepedia Notifier
Atlassian JIRA
Automated Continuos Detection of
Open Source Components
10

11. FOSSology - Goal
FOSS-ology : The study of FOSS
The goal of the FOSSology project is create
tools and a framework to reduce fear,
uncertainty, and doubt in the use,
development, and distribution of open source
software.
FOSSology is a static analysis framework to
learn what we can by scanning FOSS itself.
Analyze the code, save the results in a
database, report results through a Web (or
scripted) interface.

12. A Simple FOSSology Process Flow
o Scan every single file in a package (or distro, or …)
o Fuzzy match against a library of > 400 known
licenses.
o Examine the non-matching portions looking for text
that could be an unknown license.
o Nomos, the now GPLed license analysis tool, is
the result of 10+ years of scanning @HP

13. File upload screenshot

14. Queue management screenshot

15. License analysis screenshot

16. Meta data analysis screenshot

17. Bucket browser screenshot

18. Architecture

19. Web Resources
FOSSOlogy main site
http://www.fossology.org
Mailing Lists, contacts
http://fossology.org/contact_us
Plume details
http://www.projet-plume.org/fiche/fossology
Project-Builder
http://trac.project-builder.org
Open Source at HP
http://opensource.hp.com
ProLiant & Linux
http://www.hp.com/go/proliantlinux “The evolution of FLOSS
FOSSology users: HP, ALU, Siemens, and the Internet are
INRIA, OW2
tightly coupled”

20. SPDX: Handling Heterogeneous
Licenses
20

21. 21

22. Inconsistent
License
Information (1/2)
http://sourceforge.net/projects/jwebmail/
http://jwebmail.sourceforge.net/about.html
http://jwebmail.sourceforge.net/news.html
22

23. Inconsistent
Source http://sourceforge.net/projects/winpenpack/
License
Information (2/2)
Source http://www.winpenpack.com/en/page.php?5
23

24. 24

25. SPDX: Standardization
SPDX™ - A standard format for
communicating the components,
licenses and copyrights
associated with a software
package.
25

26. 26

27. ???
27