More Than a Scanner: Our Holistic Approach to License Security
In today's software development, proper license management is crucial to reducing legal risks. However, traditional FOSS scanners often reach their limits: they are complicated to set up and frequently produce numerous false positives. As a result, they provide no legal assurance. This is where we come in.
Our holistic approach ensures that you can focus on what really matters—without compromising on license security. We not only provide technical support but also combine precise scanner analyses with legal expertise and proven best practices.
Setup and Validation of the Scanner
We handle the complete setup of the scan and ensure that all open-source components in your software are identified—without adding any extra workload for your team. With precise configuration, we guarantee comprehensive coverage, all without requiring direct access to your code.
Legal Review by IP Attorneys
Our experienced IP attorneys can review license agreements, such as dual licensing, upon request, ensuring that all commercial licenses are properly finalized. This minimizes legal risks and provides long-term security for your company.
Continuously Updated Report and SBOM
We create a detailed report and a Software Bill of Materials (SBOM) in the format you need. Our setup ensures that these documents are continuously updated so that you are always up to date.
Experience in Due Diligence Processes
With extensive experience from numerous due diligence projects, we help shape your licensing situation sustainably. Our team takes responsibility and provides you with comprehensive support throughout the process.
What Our Customers Say
Rupert Sierp
Datenverarbeitung GmbH & Co. KG
"Thanks to the support from BitFlow, we were able to optimally prepare for the due diligence process. A key component was the analysis of our open-source dependencies and license risks to identify potential legal hurdles early on. The review conducted by BitFlow's IP attorneys confirmed that our software is legally compliant, which was a decisive factor for the buyer side. What we especially valued was that BitFlow carried out this process without direct access to our source code."
Michael Czermak
"BitFlow offers far more than just a tool—they provide a complete solution for our licensing and security requirements. The combination of technical precision and legal expertise was exactly what we were looking for. We particularly appreciated the overview of dependencies and the risk assessment they conducted. As a result, we were able to replace two dependencies with ones that are significantly more actively maintained on GitHub!"
Thomas Kühn
"BitFlow continuously generates and updates our SBOM, ensuring that we always have a complete and up-to-date overview of our software components. This foundation was crucial for us to meet a central regulatory requirement of the Cyber Resilience Act. Additionally, their tool LicenceFlow ensures that we are immediately informed if a security vulnerability arises in a dependency we use."
The Challenges of Open Source License Compliance
Traditional scanners quickly reach their limits when it comes to open source license compliance. Problematic licenses, such as (A)GPL, present significant challenges for companies, as it is often unclear how such dependencies can be replaced or removed. Additionally, these tools often deliver imprecise results, lack legal support, and require complex setups. These weaknesses lead to inefficient processes and increase the risk of legal and financial consequences.
Problematic Dependencies
Traditional scanners do not cover the removal of dependencies with critical licenses such as (A)GPL. Identifying such a component is only half the problem: replacing or removing it is often unclear, and leaving it in place creates significant legal and financial risk. We not only help you identify such components but also actively support you in removing them when necessary.
Lack of Responsibility and Legal Support
Many tools only provide technical analyses without offering legal advice or support in assessing license risks. Companies are often left alone with the results, which can lead to costly consequences in critical situations. We combine technical expertise with legal support to provide you with clear and actionable recommendations.
Too Many False Positives
Standard scanners frequently produce a large number of false positives, wasting valuable time and resources. These inaccurate results make it difficult to make informed decisions and can lead to inefficient processes. With our approach, you receive precise results without unnecessary distractions caused by irrelevant warnings.
Complex Scanner Setup
Setting up traditional scanners is often error-prone, time-consuming, and requires technical expertise that may not always be available within your company. Incomplete scans can result in important open source components being overlooked, creating legal risks. We ensure a smooth and complete detection of all relevant components without adding extra workload for your team.
Our License Review Process
To ensure that your software contains no components under critical open-source licenses, a precise process is required that combines automated tools with manual reviews by experienced experts. This approach guarantees the highest quality and legal compliance.
Local Dependency Scan: Our scanner runs exclusively locally, so your code stays with you. We only transmit the names of the used dependencies, which are analyzed together with your developers. If needed, specific dependencies can be transmitted on-demand and further analyzed – fully flexible, even via video call, without the need to transfer source code.
Advanced Code Analysis: Our advanced FOSS code scanners identify all open-source components in your codebase, even those that are manually copied and not managed through package managers. This helps uncover hidden risks.
Minimization of False Positives: Scanners inevitably produce some false positives that require manual checks. Our experienced team of licensing experts intercepts these, so you can be confident that only relevant and precise results are considered.
Manual Review: Automated tools are powerful, but not infallible. To ensure thoroughness, our experts manually review the identified dependencies. This step is crucial for scenarios where files are checked in directly and are not always managed through a dependency management system.
License Identification and Compliance Check: We check the license of each open-source component to ensure proper use and regulatory compliance. This includes verifying that all license terms are adhered to, including attribution and specific usage restrictions.
Regulatory Compliance: We ensure that all open-source components meet the relevant compliance requirements, such as the Cyber Resilience Act (CRA). We deliver our results in the standardized SBOM format (e.g., SPDX or CycloneDX) and ensure compliance with OpenChain ISO/IEC 5230.
Risk Assessment: We assess the legal and operational risks associated with each open-source component. This helps understand potential issues that might arise from using a specific open-source library.
Comprehensive Report: Finally, we create a detailed report outlining our findings, including any issues with regulatory compliance and recommended actions for resolution.
Integration into CI/CD Processes, including Update Service: Semi-automatic review of new dependencies in connection with package manager files (e.g., package.json, requirements.txt) to ensure that all added open-source components are continuously checked for compliance and security risks.
Security Alerts: Notifications for security vulnerabilities (similar to GitHub Dependabot), and quick fixes provided to your developers within 24 hours.
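The CI/CD step above is the part of the process a developer can reproduce locally. The following is an added example, not BitFlow's own tooling or the LicenceFlow product: it parses the two package manager files named above (requirements.txt and package.json), normalizes the inconsistent license spellings a registry returns to SPDX identifiers, applies a policy that denies (A)GPL components and routes unknown or weak-copyleft licenses to manual review, and emits a minimal CycloneDX SBOM. All inputs (the dependency files, the license metadata and the package name pygpl-tools) are constructed for the example; in a real pipeline the license metadata would come from the package registries or the scanner.

```python
"""CI gate for newly added dependencies: parse package manager files, normalize
license strings to SPDX identifiers, classify them against a license policy,
and emit a minimal CycloneDX SBOM. Added example, not BitFlow's tooling."""
import json
import re

# Constructed sample inputs standing in for files checked into a repository.
SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt
requests==2.31.0
flask>=3.0
pygpl-tools==1.2.0   # constructed package name, not a real project
"""

SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "demo-app",
    "dependencies": {"express": "4.18.2", "left-pad": "^1.3.0"},
    "devDependencies": {"jest": "29.7.0"},
})

# Constructed license metadata in the inconsistent spellings seen in registry
# data; normalizing these is what the "normalization of license information" step does.
SAMPLE_LICENSE_METADATA = {
    "pypi/requests": "Apache 2.0",
    "pypi/flask": "BSD-3-Clause",
    "pypi/pygpl-tools": "GPLv3",
    "npm/express": "MIT",
    "npm/left-pad": "WTFPL",
    "npm/jest": "mit",
}

# Common spelling variants mapped to SPDX identifiers.
LICENSE_ALIASES = {
    "apache 2.0": "Apache-2.0", "apache-2.0": "Apache-2.0", "apache license 2.0": "Apache-2.0",
    "mit": "MIT", "bsd": "BSD-3-Clause", "bsd-3-clause": "BSD-3-Clause",
    "gplv2": "GPL-2.0-only", "gplv3": "GPL-3.0-only", "gpl-3.0": "GPL-3.0-only",
    "agplv3": "AGPL-3.0-only", "agpl-3.0": "AGPL-3.0-only", "lgplv3": "LGPL-3.0-only",
}

# Policy: strong copyleft is denied, weak copyleft and unknown licenses go to manual review.
DENY_PATTERNS = (re.compile(r"^A?GPL-"),)
REVIEW_PATTERNS = (re.compile(r"^LGPL-"), re.compile(r"^MPL-"))
ALLOWED = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}


def normalize_license(raw):
    """Map a raw license string to an SPDX id, or None if it cannot be classified."""
    key = raw.strip().lower()
    if key in LICENSE_ALIASES:
        return LICENSE_ALIASES[key]
    return raw.strip() if raw.strip() in ALLOWED else None


def parse_requirements(text):
    """Return (ecosystem, name, version) tuples; version is None for ranges."""
    deps = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("-"):          # skip blanks and pip options
            continue
        m = re.match(r"^([A-Za-z0-9_.\-]+)(?:\[[^\]]*\])?\s*(?:==\s*([^\s;]+))?", line)
        if m:
            deps.append(("pypi", m.group(1).lower(), m.group(2)))
    return deps


def parse_package_json(text):
    """Return (ecosystem, name, version) tuples from dependencies and devDependencies."""
    data = json.loads(text)
    deps = []
    for section in ("dependencies", "devDependencies"):
        for name, spec in data.get(section, {}).items():
            version = spec if re.fullmatch(r"\d+(\.\d+)*", spec) else None  # exact pins only
            deps.append(("npm", name, version))
    return deps


def classify(spdx_id):
    """Apply the policy: 'deny', 'review' or 'allow'."""
    if spdx_id is None or any(p.match(spdx_id) for p in REVIEW_PATTERNS):
        return "review"
    if any(p.match(spdx_id) for p in DENY_PATTERNS):
        return "deny"
    return "allow" if spdx_id in ALLOWED else "review"


def audit(deps, license_metadata):
    """Return (findings, sbom): findings maps purl -> verdict, sbom is a CycloneDX 1.5 dict."""
    findings, components = {}, []
    for ecosystem, name, version in deps:
        purl = f"pkg:{ecosystem}/{name}" + (f"@{version}" if version else "")
        raw = license_metadata.get(f"{ecosystem}/{name}")
        spdx = normalize_license(raw) if raw else None
        findings[purl] = classify(spdx)
        comp = {"type": "library", "name": name, "purl": purl}
        if version:
            comp["version"] = version
        if spdx:
            comp["licenses"] = [{"license": {"id": spdx}}]     # SPDX id known
        elif raw:
            comp["licenses"] = [{"license": {"name": raw}}]    # keep raw text for review
        components.append(comp)
    sbom = {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": components}
    return findings, sbom


def run_sample():
    deps = parse_requirements(SAMPLE_REQUIREMENTS) + parse_package_json(SAMPLE_PACKAGE_JSON)
    return audit(deps, SAMPLE_LICENSE_METADATA)


if __name__ == "__main__":
    findings, sbom = run_sample()
    for purl, verdict in findings.items():
        print(f"{verdict:6} {purl}")
    print(json.dumps(sbom, indent=2))
```

In a pipeline the gate would fail the build on any "deny" verdict and open a ticket for each "review" verdict; the "review" bucket is deliberately wide, because an unrecognized license string (here WTFPL) is exactly the case where the manual review step above earns its keep rather than a scanner guessing.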
Case Study: OSS License Review at Thalia
Efficient license review and sustainable software development – with our solution, Thalia was able to optimize its software development processes, minimize license risks, and improve the long-term maintainability of its software.
Customized Integration: Our flexible solution seamlessly integrates into existing workflows and supports various technology stacks.
Added Value: In addition to license reviews, we provide best practices for managing dependencies and assist in optimizing development processes.
Introduction of structured dependency management with modern tools such as Poetry or uv
Automated and manual normalization of license information
Identification and resolution of critical licensing risks
Download the Thalia Case Study for Free
Read the full case study and discover how Thalia optimized its software development through improved license management.
Our Completed Projects
Explore our portfolio of projects, which will give you an insight into our work and our expertise.
FAQs
Here you will find an overview of the most frequently asked questions about our Open Source License Check. If your question is not answered here, please contact us. We are happy to discuss your requirements and questions in a 30-minute conversation.
A license audit is a thorough review of all of a company's software licenses to ensure that they are acquired, used, and managed correctly. Whether you are a start-up, a medium-sized company, or a large corporation, this is important to ensure legal security, avoid unnecessary costs, and minimize the risk of legal problems.
A license audit offers a number of benefits, including legal security and compliance, optimized resource utilization, improved IT security and risk mitigation, and increased attractiveness to investors.
It is recommended to conduct regular license audits, at least once a year or whenever major company changes occur, such as mergers, acquisitions, or IT infrastructure changes.
If irregularities are detected during the license check, we offer our support in removing the dependencies with critical licenses. These should be rectified immediately to avoid legal consequences. This may include re-licensing of software, negotiations with vendors, or other measures.
To ensure that your software licenses are legally protected in the future, it is important to set up an effective license management system and carry out regular license audits. In addition, it is advisable to check the license status in the event of changes in the company or software usage and to make adjustments if necessary.
Get Your Free Code Analysis Now!
Our free code analysis helps you identify potential risks in your software at an early stage. We review your open-source components and identify possible legal issues. You will receive an initial assessment along with personalized recommendations – fast, non-binding, and free of charge.