Code quality and maintenance: Emerging risks of open source use

Oleh : Freed Bals | Selasa, 07 April 2020 - 11:00 WIB

Synopsys
Synopsys

INDUSTRY.co.id - In the invaluable Gartner research paper Technology Insight for Software Composition Analysis, the analyst cites an interesting finding during his examination of the current state of SCA (software composition analysis):

“Mature organisations are expanding open-source management to include assessments of the overall ‘health’ of the software, based on a given package’s provenance and support.”

As open source use has gained traction over the years, the focus on managing that open source has also evolved. Organisations that knew they used open source initially concentrated their efforts on open source licenseidentification — a key part of any open source management strategy.

As open source use grew in popularity, a risk beyond license risk emerged — identifying and mitigating known vulnerabilities, another critical factor of open source management.

What the Gartner paper refers to as “health” can also be thought of as the state of any given open source component’s code quality and whether that code is being maintained, an emerging risk for organisations using open source destined for embedded or web applications.

Code quality in open source
Developers creating embedded software to control machines or devices that we don’t typically think of as “computers” (such as cars or medical equipment) are usually tightly focused on code quality defects that could cause reliability or functionality issues.

Traditionally, that focus has been on the code the developers write, not with quality issues of the open source components they use in their applications. Many development teams use static application security testing (SAST) tools, such as Coverity® SAST, to uncover quality issues in their code. However, SAST isn’t effective in finding third-party open source software vulnerabilities or identifying open source license types or versions — information needed to gauge the overall “health” of any open source component.

One of the reasons behind the popularity of open source components is that viable open source projects usually have (or had) strong communities improving, updating, and patching vulnerability issues as they become known. However, even if a developer takes care to download a component from a robust open source community, there’s no guarantee the community will remain active in maintaining that component. Black Duck Audits conducted in 2018 found that 85% of the 1,200+ codebases scanned contained open source components that were more than four years out of date or had no development activity in the last two years.

Out-of-date open source components are an end user issue as often as they are an open source community issue. Development teams might be reluctant to update because they’re concerned that using a newer version of an open source component will require modifying other code, causing a ripple effect that could bring development to a standstill.

Or they worry that on updating, they’ll find the component’s development community has gone cold, meaning they’ll be responsible for fixing any flaws or vulnerabilities that arise in the future.

Both scenarios are antithetical to the reason for using open source in the first place — building better, faster, stronger code.

Getting a complete view of the open source in your codebase with a BOM
How do you know whether you’re using high-quality open source components? Or if you’re using a current version of the software? Is it the most stable? Is there a robust community actively maintaining the component?

Among its conclusions, the Gartner report recommends you “Continuously build a detailed software bill of materials (BOM) for each application providing full visibility into components.”

A complete and useful software bill of materials must include all open source components, the versions used, and the download locations for each project. It also needs to include all dependencies, or the libraries your code calls to, as well the libraries those dependencies link to.

While it’s possible to create a BOM manually, doing so requires a significant investment of time that may affect developer productivity and lead to higher development costs. “A BOM generated by an SCA tool provides more comprehensive information (specific versions, license, etc.),” the Gartner paper notes, “and potentially a more advanced understanding of dependency mapping among various components and frameworks.”

You can find the Gartner research paper Technology Insight for Software Composition Analysis here. It’s an intriguing read that I strongly recommend to anyone interested in better management of the risks of open source use.

Komentar Berita

Industri Hari Ini

Pasar Murah 1000 Sembako Hingga Bazar Umum, HK Meriahkan Safari Ramadan BUMN

Jumat, 29 Maret 2024 - 04:34 WIB

Pasar Murah 1000 Sembako Hingga Bazar Umum, HK Meriahkan Safari Ramadan BUMN

Menyemarakkan bulan suci Ramadhan 1445 H, Kementerian BUMN bersama PT Hutama Karya (Persero) (Hutama Karya) dan anak perusahaannya, PT Hakaaston (HKA) menggelar kegiatan Safari Ramadhan BUMN…

Menteri Basuki Dampingi Presiden Jokowi Resmikan Bendung dan Jaringan Irigasi Gumbasa, Pulihkan Pasokan Air untuk Sentra Pangan di Sigi

Jumat, 29 Maret 2024 - 04:19 WIB

Menteri Basuki Dampingi Presiden Jokowi Resmikan Bendung dan Jaringan Irigasi Gumbasa, Pulihkan Pasokan Air untuk Sentra Pangan di Sigi

Presiden Joko Widodo (Jokowi) didampingi Menteri Pekerjaan Umum dan Perumahan Rakyat (PUPR) Basuki Hadimuljono, Menteri Pertanian Andi Amran Sulaiman, Menteri Kesehatan Budi Gunadi Sadikin,…

Direktur Utama Bank Mandiri Taspen memberikan Sambutan jelang Pengundian Pemenang Mandiri Taspen Bertabur Hadiah 900 juta dalam rangka ulang tahun ke-9

Jumat, 29 Maret 2024 - 04:06 WIB

Ini Para Pemenang Undian Bertabur Hadiah Bank Mandiri Taspen 900 Juta

Bank Mandiri Taspen mengumumkan para pemenang program undian "Bertabur Hadiah Bank Mandiri Taspen 900 Juta" kemarin

Peluncuran Game dan Lagu Tema, “Bae” - Rap Version

Jumat, 29 Maret 2024 - 03:52 WIB

bubbME.AI Meluncurkan Game dan Lagu Tema, “Bae” - Rap Version di Indonesia Pavilion di SXSW 2024

Salah satu dari sepuluh startup di ‘Indonesia Pavilion’ SXSW 2024, bubbME.AI: Gim ponsel ‘peliharaan’ pertama di dunia yang memberikan edukasi dan mengatasi Kekerasan Berbasis Gender…

PointStar gelar acara “Iftar Insights: Understand Retail Business Continuity & Operational Challenges during Ramadan”.

Jumat, 29 Maret 2024 - 00:47 WIB

PointStar Dukung Pemerintah Capai Target Pertumbuhan Lewat Transformasi Digital

PointStar berkomitmen untuk menyediakan solusi teknologi yang inovatif dan terdepan untuk membantu perusahaan ritel menghadapi tantangan perekonomian global dan lokal.