Tools for Detecting Open source code snippets

[wisecodecraft]

Hi TODO group members,

Does anyone have tools they recommend that can detect open source code that has been copied/comingled with other software? Mostly interested in this from a licensing perspective - a tool that would detect if an engineer copied 10-20 lines of GPL software into a proprietary software project.

Thanks!

[winterrocks]

For M&A Open Source DD I always had a commercial 3rd party auditor to do the scan & audit and normally it was always a full forensic level scan & audit, which found the code snippets too, some reports had one line (a long line) snippets identified.

[wisecodecraft]

Thank you!

[jm-ds]

Check out Threatrix. They're able to perform accurate snippet matching in seconds.

[wisecodecraft]

Thank you! Will take a look

[mlelchuk]

Hi. Code Insight by Flexrea/Revenera (previously Palamida) is one of the best solutions out there for snippet analysis - i.e., the copy/paste code. I manage the Services team for Revenera and we help customers discover and track the usage of open source software in their code, especially if it's a copy/paste code. https://www.revenera.com/software-composition-analysis I've been doing this for over 15 years now. Feel free to email me at [email protected] if you need help with this or have any questions. You can also call me at 925-557-5688.

[wisecodecraft]

Thank you! Will take a look

[sschuberth]

We've recently integrated SCANOSS / OSSKB into ORT and I can highly recommend this Open Source solution! @juliancoccia can tell you more 😉

[wisecodecraft]

Thank you!

[juliancoccia]

Hello @wisecodecraft . You can simply do this:

$ pip3 install scanoss
$ scanoss-py scan yourcode/

This hits the OSSKB.org which is a free and public API for software identification with snippet level detection.

You can also use ORT which has been integrated with SCANOSS as @sschuberth points out.

If you want a UI to make the side by side code comparison, try the Audit Workbench https://scanoss.com/solutions

Questions? Please let me know.

[jm-ds]

@wisecodecraft, be aware, that in our extensive experience, ScanOSS misses quite a few snippets. If you need enterprise class accuracy, you might want to look to Threatrix or Flexrea.

[juliancoccia]

Thanks @jm-ds but 141 million URLs make our KB a lot bigger than most of our competitors. I encourage you to ask @alpianon how SCANOSS was the only tool that could gather the evidence they required to win the first GPL court case in Italy last month

https://www.dynamic.ooo/press/groundbreaking-acknowledgment-of-free-software-in-italy/

[jm-ds]

@juliancoccia Every tool has its advantages and disadvantages. Snippet matching is extremely difficult to get right. I encourage everyone to evaluate several solutions and choose the one that best meets their needs.

Cheers,

[sschuberth]

And I encourage all tool vendors to integrate with ORT for easy comparison of results 😉

[jm-ds]

@sschuberth ORT looks badass! Thank you for sharing. I'll have our team take a closer look.

[kappapiana]

I am one of the lawyers acting in the first Italian case on GPL enforcement.

I must say that in that case we have used ScanOSS as a forensic tool to find occurrences of copied software in a quite large codebase and it was the only way this could work out since the two bases were too large to do otherwise. Now, with a bit more knowledge and some assistance we have received from ScanOSS, I am trustful that our results will be even more accurate, as we still suspect that even after the order of the judge large chunks remained utilized in the new version.

Using an open source tool was an added bonus.

[stephenkilbaneadi]

I'm a little late to the party, but I've been rolling out Black Duck from Synopsys, and snippet matching is one of the options. I won't make any comparisons against the other tools mentioned in this thread - just tossing it out there as another option for you to investigate.

[annania]

Also late here, FOSSID is another commercial offering with snippet scanning.