You need to be able to provide a detailed list of your open source components in your code. Are you set up to create an open source bill of materials?
Maybe the request will come from your CEO, following a request from the board of directors; or maybe it will come from a large account needing to validate the originality of its software supply chain; or perhaps the request will come from your legal team trying to produce a certificate for the company’s intellectual property.
But, one day, you will be asked to provide an open source inventory report: a detailed bill of materials (BoM) of the open source components in your code, including all dependencies and their associated licenses.
If you’re currently tracking your open source usage manually, via spreadsheets and emails, or semi-manually, with ticketing software, this is probably causing a lot of headaches. Even if your team is succeeding in keeping accurate track of your open source components and licenses this way, tracking each component’s dependencies (direct and transitive), and each one’s respective license, is almost impossible.
You could leave it to code scanning, and give your manual tracking a “final check” before the finish line, but this approach has proved to be very expensive and time-consuming. It produces many false positives and a lot of overhead for developers sifting through reports after the scan. It requires developers to halt development at a critical time. It exposes your proprietary code to the scanning tool. It’s not a preventative solution, so you can introduce problematic components in post-scan corrections without being aware of it. It’s also a one-off check, so it doesn’t help with bugs or other problems that are reported by the open source community after release.
Mend continuously and automatically detects all open source components in your code and cross-references them against a continuously updated database of over 3,000,000 open source libraries, so that you are notified immediately if an issue arises in one of the open source libraries you use. It also checks all your open source components against your automated policies to make sure they comply with your company’s rules.
Generate a full, 100% accurate inventory report in one click. Mend’s BOM report details all of your open source components in real time, including:
With Mend, you can easily generate and export a software bill of materials (SBOM) in SPDX format. An SBOM is a machine-readable inventory of your software’s components, including all direct and transitive dependencies. SBOMs are designed to track the supply chain relationships of software components.
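To make the SPDX point concrete, here is an added example (not code from the original post or from Mend) that reads a minimal SPDX 2.3 JSON document, walks its DEPENDS_ON relationships from the package the document DESCRIBES to separate direct from transitive dependencies, and flags any component whose license is unasserted or outside an allowlist. The SBOM content, the package names and versions, the namespace URL and the allowlist are all constructed for the example and do not describe any real product.

```python
import json
from collections import deque

# Constructed sample: a minimal SPDX 2.3 JSON document for a hypothetical
# application. All names, versions and URLs below are made up for this example.
SAMPLE_SPDX_JSON = r'''
{
  "spdxVersion": "SPDX-2.3",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example-app-sbom",
  "documentNamespace": "https://example.com/spdxdocs/example-app-1.0.0",
  "creationInfo": {"created": "2024-01-01T00:00:00Z", "creators": ["Tool: example-generator"]},
  "packages": [
    {"name": "example-app", "SPDXID": "SPDXRef-Package-app", "versionInfo": "1.0.0",
     "downloadLocation": "NOASSERTION", "licenseConcluded": "LicenseRef-Proprietary"},
    {"name": "web-framework", "SPDXID": "SPDXRef-Package-web", "versionInfo": "4.2.0",
     "downloadLocation": "https://example.com/web-framework-4.2.0.tgz", "licenseConcluded": "MIT"},
    {"name": "template-engine", "SPDXID": "SPDXRef-Package-tmpl", "versionInfo": "2.1.3",
     "downloadLocation": "https://example.com/template-engine-2.1.3.tgz", "licenseConcluded": "BSD-3-Clause"},
    {"name": "left-padder", "SPDXID": "SPDXRef-Package-pad", "versionInfo": "0.0.9",
     "downloadLocation": "https://example.com/left-padder-0.0.9.tgz", "licenseConcluded": "NOASSERTION"},
    {"name": "crypto-utils", "SPDXID": "SPDXRef-Package-crypto", "versionInfo": "1.8.0",
     "downloadLocation": "https://example.com/crypto-utils-1.8.0.tgz", "licenseConcluded": "GPL-3.0-only"}
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-Package-app"},
    {"spdxElementId": "SPDXRef-Package-app", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-Package-web"},
    {"spdxElementId": "SPDXRef-Package-web", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-Package-tmpl"},
    {"spdxElementId": "SPDXRef-Package-tmpl", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-Package-pad"},
    {"spdxElementId": "SPDXRef-Package-web", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-Package-crypto"}
  ]
}
'''

# Assumed example policy: licenses a hypothetical company permits in shipped code.
ALLOWED_LICENSES = {"MIT", "BSD-3-Clause", "Apache-2.0"}


def load_sbom(text):
    """Parse an SPDX 2.x JSON document and reject anything else early."""
    doc = json.loads(text)
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-2."):
        raise ValueError("not an SPDX 2.x JSON document")
    return doc


def dependency_graph(doc):
    """Map each element to the elements it depends on.
    SPDX can state the edge as A DEPENDS_ON B or as B DEPENDENCY_OF A;
    both forms are normalized to A -> B here."""
    graph = {pkg["SPDXID"]: set() for pkg in doc.get("packages", [])}
    for rel in doc.get("relationships", []):
        rtype = rel.get("relationshipType")
        if rtype == "DEPENDS_ON":
            src, dst = rel["spdxElementId"], rel["relatedSpdxElement"]
        elif rtype == "DEPENDENCY_OF":
            src, dst = rel["relatedSpdxElement"], rel["spdxElementId"]
        else:
            continue
        graph.setdefault(src, set()).add(dst)
    return graph


def root_packages(doc):
    """The package(s) the document DESCRIBES, i.e. the shipped product."""
    return [rel["relatedSpdxElement"] for rel in doc.get("relationships", [])
            if rel.get("relationshipType") == "DESCRIBES"
            and rel.get("spdxElementId") == doc.get("SPDXID")]


def inventory(doc):
    """Breadth-first walk from the root package(s). depth 1 = direct dependency,
    depth >= 2 = transitive. Rows are sorted by depth, then name."""
    pkgs = {pkg["SPDXID"]: pkg for pkg in doc.get("packages", [])}
    graph = dependency_graph(doc)
    depth = {root: 0 for root in root_packages(doc)}
    queue = deque(depth)
    while queue:
        cur = queue.popleft()
        for dep in graph.get(cur, ()):
            if dep not in depth:  # first visit is the shortest path, so minimal depth
                depth[dep] = depth[cur] + 1
                queue.append(dep)
    rows = []
    for spdxid, d in depth.items():
        if d == 0:
            continue  # the product itself is not an open source component
        pkg = pkgs.get(spdxid, {})
        rows.append({
            "name": pkg.get("name", spdxid),
            "version": pkg.get("versionInfo", ""),
            "license": pkg.get("licenseConcluded") or pkg.get("licenseDeclared") or "NOASSERTION",
            "depth": d,
            "direct": d == 1,
        })
    rows.sort(key=lambda r: (r["depth"], r["name"]))
    return rows


def policy_violations(rows, allowed=ALLOWED_LICENSES):
    """Flag components whose license is unasserted or not on the allowlist."""
    problems = []
    for r in rows:
        lic = r["license"]
        if lic in ("NOASSERTION", "NONE"):
            problems.append((r["name"], lic, "license not asserted in SBOM"))
        elif lic not in allowed:
            problems.append((r["name"], lic, "license not on allowlist"))
    return problems


if __name__ == "__main__":
    sbom = load_sbom(SAMPLE_SPDX_JSON)
    for row in inventory(sbom):
        kind = "direct" if row["direct"] else "transitive"
        print(f'{row["name"]}@{row["version"]:<8} {kind:<10} {row["license"]}')
    for name, lic, reason in policy_violations(inventory(sbom)):
        print(f"POLICY: {name}: {lic} ({reason})")
```

Two design points matter for a real SBOM: the walk starts from the DESCRIBES relationship rather than from the package list, so components listed in the file but not reachable from the product are not reported as shipped; and "NOASSERTION" is treated as a policy failure rather than silently passed, because a missing license is exactly the gap a manual spreadsheet tends to hide.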