Being proactive is critical as it can significantly reduce the length of the due diligence process. Studies show that the longer the due diligence process lasts, the higher the chances that the deal doesn’t get signed or the deal value is significantly reduced.
Open source due diligence is a crucial part of your software due diligence. In many organizations it is a time-consuming process, because most companies lack visibility into which open source components they actually depend on, directly and transitively.
Open source audits provide a risk assessment of the open source components in your software with the following reports:
Open source inventory (bill of materials, BoM) – This report provides a comprehensive list of the open source components in your software and their open source licenses. It must include both direct and transitive dependencies, since a transitive dependency may carry a different, more restrictive license, or one that is incompatible with the rest of your stack. An incomplete or inaccurate list signals that you are not on top of your game and will likely trigger further investigation.
License compliance risk assessment – This report helps the investor/acquiring team verify that the licenses of the components you use don't threaten your company's intellectual property (for example, copyleft terms that could obligate you to disclose proprietary source). It also shows whether the way you use and distribute your components complies with the investor team's license requirements.
Security vulnerability risk assessment – This report shows the current status of every outdated or vulnerable open source library you ship. It demonstrates that you track new patches, fixes, and versions for your open source components, and that you know which problematic components have not yet been updated, since no software development team can fix everything at once.
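To make the three reports concrete, here is an added example of the logic behind them: it walks a constructed CycloneDX-style SBOM from the product's root component, labels each reachable dependency as direct or transitive, flags copyleft licenses, and checks shipped versions against a constructed advisory list. This is illustrative code written for this page, not Mend's tooling; the component names, the dependency graph, the license classification and the advisory identifiers (EXAMPLE-0001, EXAMPLE-0002) are all made up for the demonstration.

```python
"""Toy open source audit over a CycloneDX-shaped SBOM (added example, not Mend code).

All data below is constructed for illustration: the components, the
dependency graph and the advisories. The advisory IDs are placeholders,
not real vulnerability identifiers.
"""
from collections import deque

# Assumed classification: strong copyleft obliges source disclosure of the
# combined work, weak copyleft only of the modified library. An acquirer's
# policy may differ; treat these sets as an example policy.
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-3.0-only", "MPL-2.0"}

# Constructed SBOM. "app" is the product; pkg:f is declared but never
# reached from the product (e.g. a test-only tool), so it is not shipped.
SBOM = {
    "metadata": {"component": {"bom-ref": "app", "name": "acme-app"}},
    "components": [
        {"bom-ref": "pkg:a", "name": "webframework", "version": "2.3.1", "licenses": ["MIT"]},
        {"bom-ref": "pkg:b", "name": "templating", "version": "1.0.4", "licenses": ["Apache-2.0"]},
        {"bom-ref": "pkg:c", "name": "pdfgen", "version": "0.9.0", "licenses": ["AGPL-3.0-only"]},
        {"bom-ref": "pkg:d", "name": "ziplib", "version": "3.1.2", "licenses": ["LGPL-2.1-only"]},
        {"bom-ref": "pkg:e", "name": "jsonparse", "version": "1.1.0", "licenses": ["BSD-3-Clause"]},
        {"bom-ref": "pkg:f", "name": "testrunner", "version": "5.0.0", "licenses": ["GPL-3.0-only"]},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:a", "pkg:c"]},
        {"ref": "pkg:a", "dependsOn": ["pkg:b", "pkg:e"]},
        {"ref": "pkg:b", "dependsOn": ["pkg:d"]},
    ],
}

# Constructed advisories: (affected bom-ref, placeholder id, first fixed version).
ADVISORIES = [
    ("pkg:e", "EXAMPLE-0001", "1.2.0"),  # shipped 1.1.0 < 1.2.0: still open
    ("pkg:d", "EXAMPLE-0002", "3.1.2"),  # shipped 3.1.2 == fix: already resolved
]


def inventory(sbom):
    """Return {bom-ref: depth} for every component reachable from the product.

    Depth 1 is a direct dependency, anything deeper is transitive. Components
    not reachable from the root are omitted: they are declared but not shipped.
    """
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom["dependencies"]}
    depth = {root: 0}
    queue = deque([root])
    while queue:  # breadth-first walk so depth is the shortest path from the root
        node = queue.popleft()
        for child in edges.get(node, []):
            if child not in depth:
                depth[child] = depth[node] + 1
                queue.append(child)
    return {ref: d for ref, d in depth.items() if ref != root}


def license_findings(sbom):
    """Flag shipped copyleft components, noting whether they are direct or transitive."""
    depth = inventory(sbom)
    findings = []
    for comp in sbom["components"]:
        ref = comp["bom-ref"]
        if ref not in depth:
            continue  # not shipped, so its license does not bind the product
        for lic in comp["licenses"]:
            if lic in STRONG_COPYLEFT:
                severity = "high"
            elif lic in WEAK_COPYLEFT:
                severity = "medium"
            else:
                continue
            findings.append({"ref": ref, "license": lic, "severity": severity,
                             "scope": "direct" if depth[ref] == 1 else "transitive"})
    return findings


def version_tuple(version):
    """Numeric comparison of dotted versions (sufficient for the constructed data)."""
    return tuple(int(part) for part in version.split("."))


def vulnerability_findings(sbom, advisories):
    """Report shipped components whose version is below the advisory's fixed version."""
    versions = {c["bom-ref"]: c["version"] for c in sbom["components"]}
    depth = inventory(sbom)
    open_findings = []
    for ref, adv_id, fixed in advisories:
        if ref in depth and version_tuple(versions[ref]) < version_tuple(fixed):
            open_findings.append({"ref": ref, "advisory": adv_id,
                                  "shipped": versions[ref], "fixed_in": fixed})
    return open_findings


def audit(sbom, advisories):
    """Bundle the three reports an open source audit is built from."""
    return {"inventory": inventory(sbom),
            "licenses": license_findings(sbom),
            "vulnerabilities": vulnerability_findings(sbom, advisories)}


if __name__ == "__main__":
    import json
    print(json.dumps(audit(SBOM, ADVISORIES), indent=2))
```

On the constructed data the inventory lists five shipped components (pkg:f is excluded because nothing reaches it), the license report flags the direct AGPL component and the LGPL library three levels down that the team never chose explicitly, and the vulnerability report shows one open advisory and omits the one whose fix version is already shipped. A real audit replaces the toy data with an SBOM exported by your SCA tool and advisories from a vulnerability database; the reachability and version logic is the same.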
The Mend SCA tool integrates into any software development environment and produces detailed inventory, license compliance, and security analysis reports within minutes. These reports help you understand where you stand, mitigate the issues, and support you during the due diligence process.
Some companies prefer to purchase an open source audit, in which one of our experts prepares a due diligence report from all the reports mentioned above. The auditor walks through the report with your team, highlights problematic areas with suggested fixes, and answers questions, helping the company turn the results into an actionable plan to reduce risk.