Black Duck's exportIP

Black Duck does opensource software provenance analysis. They have a huge database, embracing the contents of multiple opensource, public and private repositories, including full licensing information. And their software (which, in its application form, is called protexIP) and service (which in its online form is called protexIP OnDemand) analyzes your source code, determines where every line of it came from, identifies and summarizes licensing issues affecting every scrap, and identifies areas of potential exposure. It can be used to scan masses of source (as when doing due diligence, prior to an acquisition), or be deployed downstream from checkin, identifying "cut and paste" issues as they appear, without permitting unchecked code to become part of a current build or (Heaven forfend) release. Last week, Black Duck introduced exportIP -- a further spin on the same great idea -- which analyzes source for compliance with export restrictions on strong encryption.

exportIP scans your code and comes back instantly with a list of areas affected by crypto compliance regs (and which regulations are applicable). It then streamlines the process of filling out government notification documents, and provides the necessary audit trail to substantiate claims of due diligence. The system understands a wide range of programming and scripting languages. The underlying database incorporates hundreds of opensource and private crypto libraries; and can also identify crypto-aware components exploiting resources external to applications. It can also, says Black Duck, heuristically analyze code to find "hidden" cryptographic functionality. You basically dial in your export intentions, and it gives back all the reports relevant to that set of conditions.

Posted by John Jainschigg at 08:14 AM  Permalink