Resources on compliance, FOSS, AboutCode projects, SBOMs, SCA, and more.

Read our blog for insights on topics like Free and Open Source Software and Software Composition Analysis. Watch recorded webinars to learn more about nexB software like ScanCode and DejaCode. Or explore our public DejaCode license library to see over 1,400 definitions of a wide variety of licenses with extensive metadata about each license.
FOSS Daily for licensing “hygiene” and vulnerability compliance
Pay attention to your software – especially your open source components – as a daily habit. (6 minute read)

PURLs of Wisdom: Universal software package identification
Accurately identify third-party software packages with PURL. (3 minute read)

Blog

Read posts on open source, compliance, and more from the nexB team.

Public Report: SCA for Containers

A recent nexB project compared SBOMs produced from open source and proprietary SCA tools to evaluate the accuracy and completeness of the tools. The evaluation covered SBOM format, component identification, and license detection. There were significant issues for all of the SCA tools.

The Container SBOM Clarity Project Public Report explains the evaluation process in detail and provides the results in two dimensions: by container image and by SCA tool. It also provides detailed and actionable recommendations for improving the SCA tools.

Videos

Watch recorded webinars and conference talks to learn more about FOSS, SCA, and software like ScanCode, VulnerableCode and DejaCode.

ScanCode LicenseDB

Explore more than 1,400 license definitions, plus extensive metadata about each license and, where available, a link to the corresponding entry in the SPDX license list.

Docs

Documentation for each AboutCode project (including ScanCode Toolkit) is available at aboutcode.readthedocs.io.

GitHub

Check out the code, view installation requirements, and create support issues for each AboutCode project on GitHub.

Gitter

Join the nexB team and AboutCode community on Gitter to ask questions or discuss AboutCode projects.

We believe good open source tools are important when using open source software.

At nexB, we have been creating, contributing to and using free and open source software from the start. We contribute back to projects that we use, and we sponsor our own open source projects for software provenance analysis (ScanCode) and open source attribution compliance (AboutCode). We believe that good open source tools help you use open source, including compliance with license obligations.

AboutCode.org is a community of open source developers who are trying to make open source easier to use by providing open source tools to discover, identify and track open source components for Software Composition Analysis (SCA).

The Software Package Data Exchange (SPDX) specification is a standard format for communicating the components, licenses and copyrights associated with a software package. We are co-founders of this Linux Foundation working group.

The aim of SPDX is to reduce redundant work by providing a common format for companies and communities to share information across the supply chain, thereby streamlining and improving compliance.

Google Summer of Code (GSoC) is a program that encourages student developers to work on and learn about open source development. Google sponsors select students to work on open source projects for three months. nexB is excited to work with students who are passionate about open source development and want to help AboutCode build better open source tooling for Software Composition Analysis.

The Linux Foundation is a non-profit consortium dedicated to fostering the growth of Linux. Founded in 2000, The Linux Foundation sponsors the work of Linux creator Linus Torvalds and is supported by leading Linux and open source companies and developers from around the world.

nexB has been a Silver member since 2013. We are a vendor of commercial compliance tools approved by the Linux Foundation.

ClearlyDefined
ClearlyDefined and its parent organization, the Open Source Initiative, are on a mission to help FOSS projects thrive by being, well, clearly defined. Lack of clarity around licenses and security vulnerabilities reduces engagement — that means fewer users, fewer contributors and a smaller community. This is a community-wide challenge that needs a community-wide approach.