New pack helps developers manage open source licenses and compliance
Although many organizations rely on open source software, managing its licenses and compliance obligations can be a difficult and time-consuming task.
Supply chain management tools specialist Sonatype is launching an Advanced Legal Pack using machine learning and artificial intelligence to automate open source license compliance.
Most teams rely on manual processes to collect, compile, and review the legal data needed both to comply with open source license obligations and to generate accurate attribution reports. Given that each manual review of a component and its corresponding license can take up to two hours, and that a typical application contains 100 components, legal and compliance teams can spend hundreds of hours completing reviews for a single application.
"Building and protecting software isn't done in a vacuum by just development and security teams. Using open source software can very quickly become a legal and compliance risk for enterprises if proper procedures aren't in place," says Brian Fox, Sonatype's CTO. "But the manual review process isn't scalable. Automation in development has been around for years, but the industry hasn't provided other stakeholders involved in the development process the same courtesy. Today, we're changing that and making the lives of developers, security, and legal teams exponentially easier."
The pack uses a Software Bill of Materials (SBOM) to automatically identify the license of every open source component in an application build, and provides a dashboard for reviewing those licenses together with an actionable workflow that automates the review process.
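As an added example (not Sonatype's code, and not a description of how the Advanced Legal Pack works internally), the following shows the basic shape of an SBOM-driven license check: parse a CycloneDX-style SBOM, classify each component's declared license against an organization's allow/deny policy, route everything else to a human review queue, and emit attribution lines for the settled components. The SBOM fragment, the policy lists, and all function names are constructed for illustration; SPDX expressions are handled only at the top level (OR/AND without parentheses), which is a simplification.

```python
import json
import re
from collections import Counter

# Constructed CycloneDX-style SBOM fragment for this example (not a real project's SBOM).
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "dual-lib", "version": "1.0.0",
         "licenses": [{"expression": "MIT OR GPL-3.0-only"}]},
        {"type": "library", "name": "copyleft-lib", "version": "4.2.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "name": "mystery-lib", "version": "0.1.0"},  # no license declared
        {"type": "library", "name": "custom-lib", "version": "2.0.0",
         "licenses": [{"license": {"name": "Vendor EULA"}}]},  # free-text name, no SPDX id
    ],
})

# Hypothetical policy; in practice the allow and deny lists are set by the legal team.
POLICY = {
    "allowed": {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"},
    "denied": {"GPL-3.0-only", "GPL-3.0-or-later", "AGPL-3.0-only"},
}


def load_sample_sbom():
    """Parse the constructed SBOM above into a dict."""
    return json.loads(SAMPLE_SBOM_JSON)


def component_license_expressions(component):
    """Return the license expressions declared for one CycloneDX component.

    CycloneDX allows either {"license": {"id"|"name": ...}} or {"expression": ...}
    entries. A license with only a free-text name is returned verbatim so that it
    lands in the review queue instead of being silently accepted.
    """
    exprs = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            exprs.append(entry["expression"])
        elif "license" in entry:
            lic = entry["license"]
            exprs.append(lic.get("id") or lic.get("name") or "")
    return [e for e in exprs if e]


def classify_expression(expr, policy):
    """Classify one SPDX expression as allowed, denied, or needs-review.

    Only top-level OR/AND without parentheses is handled (assumption for this example).
    OR gives the consumer a choice, so the expression is allowed when any alternative
    is entirely allowed; AND requires every operand to be allowed. An identifier on
    neither list cannot be decided automatically and is sent for human review.
    """
    verdicts = []
    for alt in re.split(r"\s+OR\s+", expr.strip()):
        ids = [i.strip() for i in re.split(r"\s+AND\s+", alt)]
        if all(i in policy["allowed"] for i in ids):
            verdicts.append("allowed")
        elif any(i in policy["denied"] for i in ids):
            verdicts.append("denied")
        else:
            verdicts.append("needs-review")
    if "allowed" in verdicts:
        return "allowed"
    if all(v == "denied" for v in verdicts):
        return "denied"
    return "needs-review"


def classify_component(component, policy):
    """Verdict for a whole component; an undeclared license always needs review."""
    exprs = component_license_expressions(component)
    if not exprs:
        return "needs-review"
    # Several license entries on one component are treated conservatively as
    # conjunctive (assumption): every entry must be acceptable.
    verdicts = {classify_expression(e, policy) for e in exprs}
    if "denied" in verdicts:
        return "denied"
    if "needs-review" in verdicts:
        return "needs-review"
    return "allowed"


def review_queue(sbom, policy):
    """Map "name@version" to its verdict for every component in the SBOM."""
    return {f"{c['name']}@{c.get('version', '')}": classify_component(c, policy)
            for c in sbom.get("components", [])}


def attribution_lines(sbom, policy):
    """One attribution line per component whose license is settled as allowed."""
    return [f"{c['name']} {c.get('version', '')} - {'; '.join(component_license_expressions(c))}"
            for c in sbom.get("components", [])
            if classify_component(c, policy) == "allowed"]


def summarize(sbom, policy):
    """Count of components per verdict, the kind of figure a review dashboard shows."""
    return dict(Counter(review_queue(sbom, policy).values()))


if __name__ == "__main__":
    sbom = load_sample_sbom()
    for key, verdict in review_queue(sbom, POLICY).items():
        print(f"{verdict:12} {key}")
    print(summarize(sbom, POLICY))
    print("\n".join(attribution_lines(sbom, POLICY)))
```

Two design points matter more than the parsing: a component with no declared license, or with a license given only as free text, is never treated as acceptable by default, and the deny list is applied before any unknown identifier is considered, so a dual-licensed component whose only acceptable alternative is on the allow list passes while one whose alternatives are all denied fails outright.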
It includes an extensive database of open source license obligations (over 1,650) across multiple categories, types, and threat groups, continuously updated by Sonatype. Its machine learning algorithm and natural language processing detect legal data and feed it into legal compliance workflows.
You can find out more on the Sonatype blog.