Open-source software (OSS) remains a foundational aspect of cloud-native development. OSS components make up most of today’s applications, saving developers from the need to create software from scratch while providing the necessary building blocks to enhance innovation, reduce costs, and accelerate time to market.
Yet OSS components come with licensing requirements that, if not properly met, can lead to loss of intellectual property, legal violations, financial penalties, and reputational damage. Meanwhile, security teams often struggle to gain the visibility into and control over licenses needed to ensure effective compliance.
That’s why Orca is pleased to announce OSS License Detection, a feature that automatically identifies all licenses in packages across the application lifecycle—from code to cloud. Orca’s license scanning covers the entire application pipeline, enabling teams to gain complete visibility into their compliance risks and licensing obligations. The feature further enhances Orca’s Application Security solution, complements its latest enhancements, and promotes the benefits of leveraging open-source innovations.

Why is Orca delivering OSS License Detection?
Ensuring compliance with OSS licenses can present enormous challenges for security and development teams, which is why OWASP currently ranks license risk among its Top 10 risks for open-source software. Software projects often contain numerous dependencies, including nested (transitive) ones, making it difficult to identify all licenses and their terms. Additionally, many different variations of licenses exist, each with nuances that can change over time and may conflict with others in use.
Orca’s OSS License Detection feature helps eliminate the complexity of OSS licenses, giving teams full visibility into each license, its classification, and all relevant metadata. This enables them to identify potential violations, avoid substantial legal risks, and support compliance efforts.
What are the features of OSS License Detection?
Orca’s OSS License Detection feature offers several powerful capabilities, which include the following.
#1: Automatic license scanning and detection
Challenge: Teams need to identify all OSS components incorporated into their product. For many teams, that remains challenging given the rapid and dynamic nature of cloud-native development, the abundance of various licenses and terms, and the absence of advanced tools.
Solution: The Orca Platform automatically scans, detects, and tracks the licenses of your dependencies across your cloud estate and application pipeline. This includes virtual machines, containers, code repositories, and more, with license detection beginning early in the software development lifecycle (SDLC) and continuing through runtime.

#2: Full visibility into licenses with fast and flexible search capabilities
Challenge: Teams often struggle to gain and maintain visibility into their licensing obligations across their cloud estate, especially with new assets rapidly and continually spinning up and turning down. The dynamic and hyper-elastic nature of the cloud means security teams need the ability to inventory licenses fast, flexibly, and reliably.
Solution: Orca’s OSS License Detection feature gives security teams complete visibility into the licenses associated with third-party packages so they can easily understand their compliance risks and obligations. The Orca Platform offers users the ability to query licensing information fast, easily, and flexibly, with multiple search options to support a wide range of use cases.
With Orca, users can view all licenses associated with a cloud asset from its detail page. They can also easily discover licenses for installed packages by cloud asset type, such as a virtual machine, container, source code repository, and more. This enables teams to investigate software usage and ensure compliance.
Additionally, teams can quickly review all the packages associated with a specific license by running a query via Orca Discovery, so users can easily inventory packages under a restrictive or copyleft license, such as the GNU General Public License (GPL).
#3: Enriched license metadata and standardization
Challenge: With numerous licenses in existence, teams often encounter invalid, poorly formatted, and obscure licenses, which can present challenges for effective analysis. Additionally, teams can run into issues of compatibility, including conflicting terms for multiple licenses used within the same project. Each of these factors can inhibit effective compliance.
Solution: Orca’s OSS License Detection feature normalizes licenses and their associated metadata to facilitate effective compliance. The feature automatically validates and maps poorly classified licenses to their correct Software Package Data Exchange (SPDX) identifiers to help teams better understand them and their exceptions.
Orca also enriches metadata for licenses listed in SPDX, providing necessary information such as whether it received OSI approval, its deprecation status, its full name, and a link to its full details on the OSI website. This enriched metadata displays on a dedicated page for each license, which users can easily access using any of the search methods described in the previous section.
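To make the normalization and query steps from sections #2 and #3 concrete, here is an added example in Python. It is not Orca's code; it is a small, self-contained illustration of the same idea: raw license strings as found in package metadata ("GPLv3+", "Apache 2.0", "LGPL-2.1-only OR MIT") are mapped to SPDX identifiers, enriched with SPDX list fields (full name, OSI approval, deprecation status), and then queried for copyleft packages or entries that need review. The SPDX subset, the alias table, and the package inventory are constructed for the example; the SPDX field values are taken from the public list at https://spdx.org/licenses/, and the alias table is an assumption about spellings, not a published standard.

```python
"""Map raw package license strings to SPDX ids, enrich them, and query them.
Added example (not Orca's implementation). SPDX subset, aliases and the
package inventory are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed subset of the SPDX license list: id -> (name, isOsiApproved,
# isDeprecatedLicenseId). "GPL-3.0" is a real but deprecated id.
SPDX_LIST = {
    "MIT":              ("MIT License", True, False),
    "Apache-2.0":       ("Apache License 2.0", True, False),
    "BSD-3-Clause":     ('BSD 3-Clause "New" or "Revised" License', True, False),
    "GPL-2.0-only":     ("GNU General Public License v2.0 only", True, False),
    "GPL-3.0-only":     ("GNU General Public License v3.0 only", True, False),
    "GPL-3.0-or-later": ("GNU General Public License v3.0 or later", True, False),
    "GPL-3.0":          ("GNU General Public License v3.0 only", True, True),
    "LGPL-2.1-only":    ("GNU Lesser General Public License v2.1 only", True, False),
    "MPL-2.0":          ("Mozilla Public License 2.0", True, False),
}
_ID_BY_LOWER = {k.lower(): k for k in SPDX_LIST}

# Assumed alias table: canonical key (see _key) -> SPDX id. Ambiguous strings
# such as a bare "BSD" (which clause count?) map to None on purpose.
ALIASES = {
    "mit": "MIT",
    "apache 2": "Apache-2.0", "apache 2 0": "Apache-2.0", "asl 2 0": "Apache-2.0",
    "bsd 3 clause": "BSD-3-Clause", "new bsd": "BSD-3-Clause", "bsd": None,
    "gpl 2": "GPL-2.0-only", "gpl 2 0": "GPL-2.0-only",
    "gpl 3": "GPL-3.0-only", "gpl 3 0": "GPL-3.0-only",
    "gpl 3+": "GPL-3.0-or-later", "gpl 3 0+": "GPL-3.0-or-later",
    "gpl 3 0 or later": "GPL-3.0-or-later",
    "gnu general public 3 0 or later": "GPL-3.0-or-later",
    "lgpl 2 1": "LGPL-2.1-only", "mpl 2 0": "MPL-2.0",
}
_DROP = {"the", "license", "licence", "version"}


def _key(raw: str) -> str:
    """Fold case, punctuation, 'v' prefixes and filler words into one key."""
    s = raw.lower()
    s = re.sub(r"(?<![a-z0-9])v(?=\d)", "", s)   # " v3.0" -> " 3.0"
    s = re.sub(r"(?<=[a-z])v(?=\d)", " ", s)     # "gplv3" -> "gpl 3"
    s = re.sub(r"[^a-z0-9+]+", " ", s)           # dots, dashes, slashes -> space
    s = re.sub(r"(?<=[a-z])(?=\d)", " ", s)      # "gpl3" -> "gpl 3"
    return " ".join(w for w in s.split() if w not in _DROP)


@dataclass(frozen=True)
class License:
    raw: str
    spdx_id: Optional[str]            # None when the string could not be resolved
    name: Optional[str] = None
    osi_approved: Optional[bool] = None
    deprecated: bool = False
    exception: Optional[str] = None   # the "WITH <exception>" part, if any

    @property
    def copyleft(self) -> Optional[str]:
        """'strong' / 'weak' / None by SPDX id family (assumed classification)."""
        if not self.spdx_id:
            return None
        if self.spdx_id.startswith(("GPL-", "AGPL-")):
            return "strong"
        if self.spdx_id.startswith(("LGPL-", "MPL-", "EPL-")):
            return "weak"
        return None


def _resolve(term: str) -> Optional[str]:
    t = term.strip().strip("()")
    if t.lower() in _ID_BY_LOWER:          # already a valid (maybe deprecated) id
        return _ID_BY_LOWER[t.lower()]
    return ALIASES.get(_key(t))


def normalize(raw: str) -> list[License]:
    """Split an SPDX-style expression on the uppercase operators OR / AND / WITH
    and map each term. Precedence and parentheses are not modelled; every term
    is reported so a later query still sees e.g. a GPL alternative."""
    out = []
    for term in re.split(r"\s+(?:OR|AND)\s+", raw):
        parts = re.split(r"\s+WITH\s+", term, maxsplit=1)
        lic, exc = parts[0], (parts[1].strip("()") if len(parts) == 2 else None)
        sid = _resolve(lic)
        meta = SPDX_LIST.get(sid) if sid else None
        out.append(License(raw=term.strip(), spdx_id=sid,
                           name=meta[0] if meta else None,
                           osi_approved=meta[1] if meta else None,
                           deprecated=bool(meta and meta[2]), exception=exc))
    return out


# Constructed inventory: package -> license string as it appears in metadata.
INVENTORY = {
    "httpclient":    "Apache 2.0",
    "webframework":  "BSD-3-Clause",
    "curlbinding":   "LGPL-2.1-only OR MIT",
    "readline-shim": "GPLv3+",
    "legacytool":    "GPL-3.0",
    "mysterylib":    "BSD",
    "kernel-hdrs":   "GPL-2.0-only WITH Linux-syscall-note",
}


def scan(inventory: dict) -> dict:
    return {pkg: normalize(raw) for pkg, raw in inventory.items()}


def packages_with_license(results: dict, spdx_prefix: str) -> list:
    """Query: packages carrying any license whose id starts with the prefix."""
    return sorted(p for p, ls in results.items()
                  if any(l.spdx_id and l.spdx_id.startswith(spdx_prefix) for l in ls))


def needs_review(results: dict) -> dict:
    """Packages whose license string is unresolved or uses a deprecated id."""
    issues = {}
    for pkg, ls in results.items():
        for l in ls:
            if l.spdx_id is None:
                issues[pkg] = f"unresolved: {l.raw!r}"
            elif l.deprecated:
                issues[pkg] = f"deprecated id {l.spdx_id}; use -only / -or-later form"
    return issues


if __name__ == "__main__":
    res = scan(INVENTORY)
    print("GPL family:", packages_with_license(res, "GPL-"))
    print("review:", needs_review(res))
```

Two design points matter in practice. Ambiguous strings are left unresolved rather than guessed (a bare "BSD" could be 2-, 3- or 4-clause, and the 4-clause advertising term changes the obligations), and deprecated SPDX ids such as GPL-3.0 are surfaced because they hide whether the "or later" option applies. Both cases land in the review list instead of silently passing.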

About the Orca Cloud Security Platform
The Orca Cloud Security Platform offers a unified and comprehensive cloud security platform that identifies, prioritizes, and remediates security risks and compliance issues across AWS, Azure, Google Cloud, Oracle Cloud, Alibaba Cloud, and Kubernetes. The Orca Cloud Security Platform leverages Orca’s patented SideScanning™ Technology to provide complete coverage and comprehensive risk detection.
Learn More
Interested in discovering the benefits of the Orca Platform and its Application Security solution? Schedule a personalized 1:1 demo, and we’ll demonstrate how Orca can help you secure your applications across their entire lifecycle.