Definition

An open source audit is an analysis of a codebase that identifies all open source components, associated license conflicts and obligations, known security vulnerabilities, and potential risk introduced via third-party web service API integrations. This data is then used to create a complete open source Software Bill of Materials (SBOM). The analysis can be done in-house, but it is usually done by a trusted third party that is experienced in identifying open source dependencies and mapping those dependencies to areas of risk.

Why are open source audits important?

Seventy-six percent of the average application is comprised of open source code, according to data from the annual BlackDuck “Open Source Security and Risk Analysis” (OSSRA) report. This means that most of modern applications were built by someone else, completely outside the control of the company deploying the resulting application. Without visibility into those open source dependencies, it’s impossible to understand and mitigate the risk that comes along with it. For example, without an open source SBOM, organizations had no idea whether their applications were impacted by the Log4Shell critical vulnerability.


Who performs open source audits?

Open source audits are most often performed by a trusted third party. The benefit of this is that an independent team of auditors can use purpose-built tools to identify all open source dependencies, regardless of how they’ve been included. They can go beyond package manager inspection to also identify snippets of dependencies, and open source libraries coded in languages that do not use package managers, such as C and C++. Expert auditors also use their experience to eliminate false positives, and prioritize risk insights based on severity for the customer.

 


When are open source audits performed?

Audits are most commonly done as part of technical due diligence for mergers and acquisitions. When software is a significant part of a deal, the acquiring company usually requires the target company to have these audits performed in order to better understand the limits of, and risk associated with, the software that they are investing in or purchasing. A trusted third-party auditor performs an analysis and communicates results to the acquirer, while protecting the intellectual property of the target company.  

Open source audits are not done just during M&A processes, though. They can be done at any time for any other reason, such as customer requirements, internal risk assessments, seller preparation, etc.


Black Duck open source audits

Our open source and third-party software audits draw upon world-class tools and a range of software composition analysis techniques, the Black Duck® KnowledgeBase™, and open source expert auditors. We provide a complete and accurate SBOM for the target codebase, including all open source and third-party components, associated license obligations, and license conflict analysis.

Additionally, utilizing a range of sources including Black Duck proprietary Black Duck Security Advisories, open source risk analyses identify known security vulnerabilities and operational risks and provide guidance on remediation. 

Open source audit resources