GGI Activity: Manage software dependencies



Manage software dependencies

Activity ID: GGI-A-23 (EN).

Description

The great benefits of open source (code sharing, re-use) come with an equally great responsibility for your codebase. Solid dependency management is key to a successful, reliable and secure software project.

A dependency identification programme looks for the dependencies actually used within the codebase, including the indirect ones pulled in by direct dependencies. As a result, the organisation must establish and maintain a list of known dependencies (a Software Bill of Materials, or SBOM) for its codebase and monitor the evolution of the identified providers, whether OSS projects or companies.

Establishing and maintaining a list of known dependencies is an enabler for, and a prerequisite to:

  • IP and licence checking: some licences cannot be mixed, even through a dependency. One has to know one's dependencies to assess the associated legal risks.
  • Vulnerability management: a piece of software is only as strong as its weakest part; the Heartbleed flaw in OpenSSL affected every product that embedded the vulnerable versions. One has to know one's dependencies to assess the associated security risks.
  • Lifecycle and sustainability: an active community around a dependency is a good sign for bug fixes, optimisations and new features; a dormant one means that reported vulnerabilities may never be fixed.
  • Thoughtful selection of dependencies according to “maturity” criteria, the goal being to use open source components that are safe, with a sound and well-maintained codebase and a living, active and responsive community that accepts external contributions.

Some people may fear that moving away from big closed-source vendors leads to a lack of support. To address this, a good practice is to keep a database of dependencies, with details including the version, licence and end-of-support information, and to run support (or obsolescence) surveys asking the organisations developing the OSS software about the future roadmap of the product. Most OSS companies offer multi-year support contracts and will happily provide them, and many OSS communities will answer such a survey.

Opportunity Assessment

Identifying and tracking dependencies is a required step to mitigate the risks associated with any code reuse. Implementing tools and processes to manage software dependencies is also a prerequisite for properly managing quality, compliance and security.

Consider the following questions:

  • What is the company’s risk (cost, reputation, regulatory infringement, etc.) if the software is corrupted, attacked or becomes the subject of a lawsuit?
  • Is the codebase considered critical for people, the organisation or the business?
  • What if a component upon which an application depends changes its repository, or is no longer maintained?

The different steps to consider:

  • Implement a software composition analysis (SCA) process and use dedicated tools to automate it. Several resources (white papers, tools, experience reports) are available to help.
  • Build and maintain a solid SBOM discipline, with proper tools and processes. Indirect dependencies (the dependencies of your dependencies) matter just as much as direct ones, since they run with the same privileges as your own code. Some tools use a recursive strategy to identify the full chain of dependencies (e.g. ORT, Eclipse Dash); generate the SBOM from the lockfile or resolved build rather than from the declared manifest alone, so that the versions actually shipped are the ones listed. Identify outdated libraries, and watch for projects with low activity or no security reporting mechanism.
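The following script is an added example (not code from the GGI page, nor from ORT, Eclipse Dash or any other tool it names) of what the two steps above and the licence check under the description look like in practice: it walks a package index recursively to list indirect dependencies without looping on cycles, emits a minimal CycloneDX-style SBOM, and runs a policy gate (licence allow-list, end of support, release age) whose exit code a CI job can act on. Every package name, version, licence, release and end-of-support date is constructed for illustration, and the CycloneDX layout is a minimal subset that is not validated against the official schema.

```python
"""Constructed example of an SBOM build and policy gate for a CI pipeline.
The package index and dates are made up for illustration; the CycloneDX layout
is a minimal subset and is not validated against the official schema."""
from collections import deque
from datetime import date
from typing import Dict, List, Tuple

# Constructed package index: the metadata a lockfile plus registry lookups would provide.
# "eol" is the end-of-support date published upstream (None = none announced).
PACKAGE_INDEX: Dict[str, dict] = {
    "webframework": {"version": "4.2.0", "license": "MIT", "depends_on": ["templating", "httpclient"],
                     "last_release": date(2024, 3, 1), "eol": None},
    "templating":   {"version": "2.9.1", "license": "BSD-3-Clause", "depends_on": ["markupsafe"],
                     "last_release": date(2023, 11, 20), "eol": None},
    "markupsafe":   {"version": "1.1.1", "license": "BSD-3-Clause", "depends_on": [],
                     "last_release": date(2019, 2, 23), "eol": None},
    "httpclient":   {"version": "0.9.0", "license": "Apache-2.0", "depends_on": ["tlslib", "logging-shim"],
                     "last_release": date(2024, 1, 10), "eol": None},
    "tlslib":       {"version": "1.0.2", "license": "Apache-2.0", "depends_on": [],
                     "last_release": date(2019, 12, 20), "eol": date(2019, 12, 31)},
    # Depends back on httpclient: a cycle the resolver must not loop on.
    "logging-shim": {"version": "0.1.0", "license": "GPL-3.0-only", "depends_on": ["httpclient"],
                     "last_release": date(2022, 6, 1), "eol": None},
}
DIRECT_DEPENDENCIES = ["webframework"]                    # what the project's manifest declares
ALLOWED_LICENSES = {"MIT", "BSD-3-Clause", "Apache-2.0"}  # the project's licence allow-list
REPORT_DATE = date(2024, 6, 1)                            # fixed "today" so the run is reproducible
MAX_RELEASE_AGE_DAYS = 365                                # older than this counts as low activity


def resolve_transitive(index: Dict[str, dict], direct: List[str]) -> Dict[str, int]:
    """Breadth-first walk from the direct dependencies; returns {name: depth}
    (1 = direct) for the full transitive chain. A name missing from the index
    is an unresolvable dependency and is reported rather than silently dropped."""
    depth: Dict[str, int] = {}
    queue = deque((name, 1) for name in direct)
    while queue:
        name, d = queue.popleft()
        if name in depth:              # already recorded at its shortest depth (also breaks cycles)
            continue
        if name not in index:
            raise KeyError(f"unresolvable dependency: {name}")
        depth[name] = d
        for child in index[name]["depends_on"]:
            queue.append((child, d + 1))
    return depth


def purl(index: Dict[str, dict], name: str) -> str:
    # Package URL; "generic" because the constructed index belongs to no real ecosystem.
    return f"pkg:generic/{name}@{index[name]['version']}"


def build_sbom(index: Dict[str, dict], direct: List[str], project: str) -> dict:
    """Emit a minimal CycloneDX-style document: one component per resolved package
    plus the dependency graph, so consumers see indirect dependencies too."""
    resolved = resolve_transitive(index, direct)
    components = [{"type": "library", "name": n, "version": index[n]["version"],
                   "purl": purl(index, n),
                   "licenses": [{"license": {"id": index[n]["license"]}}]}
                  for n in sorted(resolved)]
    dependencies = [{"ref": purl(index, n),
                     "dependsOn": [purl(index, c) for c in index[n]["depends_on"]]}
                    for n in sorted(resolved)]
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "metadata": {"component": {"type": "application", "name": project}},
            "components": components, "dependencies": dependencies}


def check_policy(sbom: dict, index: Dict[str, dict], allowed: set, today: date,
                 max_age_days: int = MAX_RELEASE_AGE_DAYS) -> List[Tuple[str, str, str]]:
    """Return (package, category, detail) findings: licence not on the allow-list,
    end of support passed, or no release within max_age_days. Release and EOL
    dates are not SBOM fields, so they are looked up in the index."""
    findings = []
    for comp in sbom["components"]:
        name, meta = comp["name"], index[comp["name"]]
        lic = comp["licenses"][0]["license"]["id"]
        if lic not in allowed:
            findings.append((name, "licence", f"{lic} is not on the allow-list"))
        if meta["eol"] is not None and meta["eol"] < today:
            findings.append((name, "end-of-support", f"support ended {meta['eol']}"))
        if (today - meta["last_release"]).days > max_age_days:
            findings.append((name, "stale", f"last release {meta['last_release']}"))
    return findings


def ci_exit_code(findings: List[Tuple[str, str, str]]) -> int:
    """Non-zero when anything was flagged, so the CI job fails and the issue is visible."""
    return 1 if findings else 0


if __name__ == "__main__":
    import json
    import sys
    bom = build_sbom(PACKAGE_INDEX, DIRECT_DEPENDENCIES, "example-app")
    print(json.dumps(bom, indent=2))
    found = check_policy(bom, PACKAGE_INDEX, ALLOWED_LICENSES, REPORT_DATE)
    for pkg, category, detail in found:
        print(f"{category:15} {pkg:15} {detail}", file=sys.stderr)
    sys.exit(ci_exit_code(found))
```

Run as-is, the script prints the SBOM on stdout, reports five findings on stderr (a GPL-3.0-only indirect dependency, one library past its published end of support, and three libraries without a release in the last year) and exits 1. The gate is deliberately strict: an unknown package name aborts the run instead of being dropped, because a dependency that cannot be resolved is exactly the "component changed its repository" case the opportunity assessment asks about.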

Progress Assessment

The following verification points demonstrate progress in this activity:

  • Dependencies are identified in all in-house developed code.
  • Dependencies are identified in all external code executed within the company.
  • An easy-to-setup software composition analysis or dependency identification procedure is available for projects to add to their Continuous Integration process.
  • Dependency analysis tools are used.

Tools

Recommendations

  • Conduct regular audits of dependencies and IP requirements to mitigate legal risks.
  • Ideally, integrate dependency management into the Continuous Integration process so that issues (a new dependency, a licence incompatibility, a known vulnerability) are identified and fixed as soon as possible.
  • Keep track of dependency-related vulnerabilities and keep users and developers informed.
  • Inform people about the risks associated with incorrect licensing.
  • Propose an easy solution for projects to set up licence checking on their codebase.
  • Communicate its importance and help projects add it to their CI systems.
  • Set up a visible KPI for dependency-related risks (for example, the number of components with known vulnerabilities or past end of support).

Resources

Proposed next activities