Personal tools
You are here: Home Open Source Compliance Discovery
nrcfoss logo aukbc cdac iit mumbai iit madras ow2 iosn flosscc
Digital India


Discovery concerns itself with identifying the third party licensed software, including open source software, in a product readied for release. Key practices and capabilities in this area include the


1. OSS discovery occurs at an early point in the product development cycle.
2. The product team systematically identifies all the software and additional
   materials that must be subjected to compliance analysis.
3. Third party suppliers disclose all OSS in their deliverables.
   a) A defined format for the disclosure is used.
   b) The OSS compliance team reviews the disclosure for accuracy and
   completeness using whatever tools are available to it.
4. The organization investigates the third party supplier’s use of OSS and its
   OSS compliance practices as part of its supplier selection process.
   a) The organization investigates the third party supplier’s compliance and supply
   chain management practices to evaluate their adequacy.
   b) The organization uses defined guidelines to determine if automated scanning
   or other confirmation of the supplier’s disclosure is needed.
   c) Software license agreements include appropriate terms and conditions
   concerning OSS.
   d) Supply Chain staff and others who interface with suppliers have been trained
   in OSS matters and include OSS concerns in their discussions with third party
5. The organization periodically conducts audits of OSS use.
   a) At an agreed-upon frequency, the organization conducts an audit/inventory
   of OSS used internally and records its findings.
   b) The organization audits and inventories the OSS included in its products for
   c) The organization identifies the conditions or events that trigger a fresh audit of
   the product’s source code or of the incremental changes to a code base whose
   OSS compliance had previously been verified.
6. A bill of materials is prepared to reflect the open source content of a
   specific product release.
   a) Code scans are used to prepare the bill of materials wherever source code is
   b) Supplier disclosures are used in cases where source code is not available.
7. The organization devises a systematic approach to identifying changes in
   the code baseline and performing incremental compliance on changes
   in an efficient manner.
8. The organization systematically achieves closure on issues arising from
   discovery activity.
   a) The organization systematically tracks open issues.
   b) The organization assigns adequate resources to achieve closure in a
   reasonable timeframe.
9. The organization periodically reviews commercial and open source tools
   to assess the costs and benefits of their use in discovering OSS in code

Document Actions