Enterprise Edition

Enterprise Edition is a software product designed for organizations that want an end-to-end solution to approve, scan and track Open Source and other third party code in their development projects, and to stay current on license, vulnerability and other information about the software they use. With a library of over two million open source components and over 1.4 million automated detection rules, source and binary code scanning with Enterprise Edition is comprehensive and increasingly automated. Integrating the request and authorization workflow with scanning lets organizations implement a full-cycle process: a request to use a component, followed by scanning and reconciliation of the actual contents against what was requested. Enterprise Edition is a secure, scalable solution designed for on-site deployment.


Scan and Analyze

Palamida is the leader in advanced techniques to identify Open Source and other third party software in use within your development projects.

The Palamida scan engine

The Palamida scan engine is optimized for analysis of source and binary files using a number of detection techniques. Detection of Open Source material is based on comparing the target codebase with the contents of the Palamida Compliance Library, a database containing over two million Open Source projects in over 20 languages. Palamida continuously updates the Compliance Library with new Open Source releases using both automated and manual techniques. The combination of detection techniques and the breadth of the Compliance Library gives accurate and timely results, down to the version level.

Palamida contains a portfolio of analysis tools from fully automated to special purpose to enable detailed analysis of both source and binary code.

Source Code

Unlike a web search, which runs a single query at a time, the Palamida scan engine breaks a source code file into many individual searches (“snippets”) so that the system can identify partial matches to Open Source, not just whole-file copies. Matches from the most likely origin file are highlighted in yellow, and matches from other files are highlighted in a different color, so the analyst has a complete picture when code from multiple files has been combined in a single file.

Licenses

Files are scanned for license text. Detected licenses are displayed as a group, and the file tree can be filtered to show only the files containing a selected license. When a specific file is selected, the matching text is highlighted.

URLs and email addresses

Files are scanned for text matching the patterns typically used for URLs and email addresses. After scanning, URLs or email addresses can be selected and the corresponding scan results are displayed as a list. An individual URL or email address can be selected and the file containing it viewed, with the match highlighted in the file contents.

Palamida AutoExpert™ Rules

A continuously updated and growing set of detection rules makes analysis of scan results increasingly automated. Palamida creates rules from human analysis of the most commonly used Open Source projects and from automated analysis of repositories. Over 1.2M rules are available today. Users can also create their own rules to automate reporting of items unique to their projects.

Binary

A file's hash is compared against the known OSS file hashes in the Palamida Compliance Library, and matches are reported in the file tree as exact matches. Because a hash match requires a byte-for-byte identical file, a binary that has been recompiled or modified will not match this way. Once a file is selected for further analysis, the components and versions of Open Source projects that match the selected file are displayed. In addition, string, copyright, license text and email/URL detectors are available for text that survives compilation. Increasingly, scan results with exact matches are analyzed automatically.

Copyrights

Files are scanned for text that matches patterns typically used to express copyrights. After the scan, copyrights are displayed in list form. Individual copyrights can then be selected and the file containing them can be viewed. The detected copyrights are highlighted.

Text Strings

Specific text is often a good indicator of third party code; for example, “taken from” is an obvious signal for further investigation. Detected strings are displayed as a list so that the analyst can open the files, and string results are highlighted when viewing the file contents.
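The detectors described under Licenses, URLs and email addresses, Binary, Copyrights and Text Strings above, as one added example that is not Palamida's code: a whole-file hash lookup for exact matches, followed by regular-expression detectors run over the printable strings of the file, which is what survives compilation in a binary. The hash table, the license phrases, the "libexample" component, the fake ELF-like binary and the source header are all constructed for this example; the phrases chosen as license markers are an assumption about what is distinctive enough.

```python
import hashlib
import re

# Constructed hash table standing in for a library of known open source file hashes.
# The component name and file bytes below are invented for this example.
KNOWN_HASHES = {}


def register_known(component, version, content):
    """Index a known file by SHA-256 so an identical copy is reported as an exact match."""
    KNOWN_HASHES[hashlib.sha256(content).hexdigest()] = (component, version)


# Distinctive phrases from common license texts (assumed sufficient as markers for this example).
LICENSE_PHRASES = {
    "MIT": "Permission is hereby granted, free of charge, to any person obtaining a copy",
    "Apache-2.0": "Licensed under the Apache License, Version 2.0",
    "GPL-2.0": "GNU General Public License as published by the Free Software Foundation",
}

# Pattern detectors for text that can survive compilation (copyrights, URLs, e-mails) and
# for strings such as "taken from" that flag code of third party origin.
PATTERNS = {
    "copyrights": re.compile(r"(?:copyright\s*(?:\(c\)\s*)?|\(c\)\s*)\d{4}(?:\s*-\s*\d{4})?[^\n]{0,80}", re.I),
    "urls": re.compile(r"https?://[^\s\"'<>]+"),
    "emails": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "strings": re.compile(r"\b(?:taken from|borrowed from|adapted from|copied from)\b[^\n]{0,60}", re.I),
}


def printable_runs(data, min_len=6):
    """Extract runs of printable ASCII, like the strings(1) tool; for a binary this is all the text detectors can see."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def scan_file(data):
    """Hash the whole file for an exact match, then run the text detectors over its printable content."""
    text = "\n".join(printable_runs(data))
    result = {"exact_match": KNOWN_HASHES.get(hashlib.sha256(data).hexdigest())}
    for kind, pattern in PATTERNS.items():
        result[kind] = sorted({m.group(0).strip() for m in pattern.finditer(text)})
    flat = re.sub(r"\s+", " ", text)  # license texts are often re-wrapped, so compare on collapsed whitespace
    result["licenses"] = sorted(name for name, phrase in LICENSE_PHRASES.items() if phrase in flat)
    return result


# Constructed sample inputs (not real files): a fake ELF-like binary with embedded strings,
# and a source file header carrying a copyright line and MIT license text.
FAKE_BINARY = (
    b"\x7fELF\x02\x01\x01" + bytes(range(32))
    + b"libexample 2.3.1\x00"
    + b"Copyright (c) 2014 Example Org <maint@example.org>\x00"
    + b"https://example.org/libexample\x00"
    + b"hexdump routine taken from libbar\x00"
    + bytes(range(200, 256))
)
SOURCE_FILE = b"""\
/* Copyright 2012-2013 Example Org
 *
 * Permission is hereby granted, free of charge, to any person obtaining a copy
 * of this software and associated documentation files, to deal in the Software
 * without restriction.
 */
#include <stdio.h>
"""

# Register the fake binary as a known component so the exact-match path is exercised.
register_known("libexample", "2.3.1", FAKE_BINARY)

if __name__ == "__main__":
    for name, data in (("fake binary", FAKE_BINARY), ("source header", SOURCE_FILE)):
        print(name, scan_file(data))
```

The binary is reported as an exact match for libexample 2.3.1 and still yields the copyright, URL, e-mail and "taken from" hits from its string table; the source header has no hash match but is identified as MIT with its copyright line, which is the situation the text detectors exist for.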

Java Namespace

Specialized features make analysis of Java code efficient. Clicking the namespace tab shows compiled namespaces in the file tree, which helps find license issues within JARs by making the origin of JAR contents easier to see. After analysis, results are published for review, and a variety of reports are available.


Request and Authorize

Palamida's system for request and approval is the result of close collaboration with some of the largest software companies in the world.

Start Early in the Development Cycle

The goal is to enable developers to request to use Open Source components during development, and receive authorization, either automatically, or after review by the appropriate stakeholders. In the process, organizations have the opportunity to enforce their policy for use as well as record and maintain information about the component such as where used, license, modifications, and other relevant data. The request form is flexible and can be tailored to the requirements of the organization.

Latest Product Features

  • Model a broader set of workflow processes using new field types, conditional defaults, and conditional possible values.
  • Alter workflow routing as you go: use people-picker fields to select reviewers, reassign a request to a new owner, or use the new custom user data source connector.
  • Deliver legal guidance to requesters using legal templates.
  • Maintain attorney-client privilege using private fields and comments.
  • Consolidate the use of OSS components across development teams by prioritizing component search results so that the important components appear on top.
  • Provide visibility into the entire request review process via the request history.

Policy Framework

Palamida provides a policy framework that is applied consistently in both the upfront request workflow and the evaluation of scan results. Policies are based on component, version and license, and can also include fields on the request form. For example, by including field of use in a policy rule, certain licenses can be approved for internal use but not for products that are distributed externally. Policies can be created in advance of scanning or request workflow, and can be updated during review of scan results. Policy status is reported throughout the product.

The "QuickReview" feature allows stakeholders from development, legal and security to efficiently review the status of a completed scan project. During quick review, policy status is clearly visible, and the review team can approve or reject, comment, assign action items, or request a full request workflow.


Manage IP Compliance

Accurate scan results plus tools for policy creation, legal guidance and more make compliance accurate and consistent.

The New Software Supply Chain

A modern software development project relies increasingly on Open Source software. On a typical project, Palamida’s professional services team currently sees over 50 percent of the content coming from Open Source, measured in lines of code, spread across more than 100 different Open Source components. More and more organizations are recognizing the supply chain analogy and its implications for Intellectual Property compliance.

IP compliance has five components:

Policy Creation

Policies are based on component, version and license, plus request form fields such as field of use where needed, as described under Policy Framework above. Policies can be created in advance and updated during review of scan results, and policy status is visible throughout the system.
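The field-of-use example given under Policy Framework and repeated here, as an added example that is not Palamida's policy engine: rules constrain any of component, version, license and a request-form field, the most specific matching rule wins, a reject beats an approve of equal specificity, and a request no rule covers is sent to the full review workflow. The rule set, the "examplelib" component and the field_of_use values "internal" and "distributed" are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Request attributes a rule can constrain: component, version and license come from the
# scan or the component search; field_of_use is a request-form field (values assumed here).
FIELDS = ("component", "version", "license", "field_of_use")


@dataclass(frozen=True)
class Rule:
    decision: str                    # "approve" or "reject"
    component: Optional[str] = None  # None means "any"
    version: Optional[str] = None
    license: Optional[str] = None
    field_of_use: Optional[str] = None
    reason: str = ""

    def matches(self, request):
        return all(getattr(self, f) is None or request.get(f) == getattr(self, f) for f in FIELDS)

    def specificity(self):
        """Number of constrained fields; a more specific rule overrides a more general one."""
        return sum(getattr(self, f) is not None for f in FIELDS)


def evaluate(request, rules):
    """Return (status, reason) for a request.

    The most specific matching rule decides; on a tie a reject beats an approve; with no
    matching rule the request cannot be auto-decided and goes to the full review workflow.
    """
    matched = [r for r in rules if r.matches(request)]
    if not matched:
        return "review", "no policy covers this request"
    best = max(matched, key=lambda r: (r.specificity(), r.decision == "reject"))
    return best.decision, best.reason


# Constructed policy set (not a real organization's policy).
POLICY = [
    Rule("approve", license="MIT", reason="permissive license"),
    Rule("approve", license="Apache-2.0", reason="permissive license"),
    Rule("approve", license="GPL-2.0", field_of_use="internal",
         reason="copyleft acceptable for internal tools"),
    Rule("reject", license="GPL-2.0", field_of_use="distributed",
         reason="copyleft not acceptable in shipped products"),
    Rule("reject", component="examplelib", version="2.3.1",
         reason="version has an open security finding"),
]

if __name__ == "__main__":
    for req in (
        {"component": "examplelib", "version": "2.4.0", "license": "MIT", "field_of_use": "distributed"},
        {"component": "examplelib", "version": "2.3.1", "license": "MIT", "field_of_use": "distributed"},
        {"component": "otherlib", "version": "1.0", "license": "GPL-2.0", "field_of_use": "internal"},
        {"component": "otherlib", "version": "1.0", "license": "GPL-2.0", "field_of_use": "distributed"},
        {"component": "otherlib", "version": "1.0", "license": "GPL-2.0", "field_of_use": "evaluation"},
    ):
        print(req["component"], req["version"], req["license"], req["field_of_use"], "->", evaluate(req, POLICY))
```

The second request shows why specificity matters: the MIT rule alone would approve it, but the component-and-version rule is more specific and rejects it. The last request shows the fallback: neither GPL rule names "evaluation" as a field of use, so the request is routed to review rather than silently approved.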

Legal Guidance to Developers

A Legal Guidance function establishes a single point for creating and distributing specific information on a license-by-license basis at the time when a developer requests to use an Open Source Component. For example, the guidance could contain instructions such as "do not remove copyright statements", or "include the copyright notice in license.txt".

Creating the Bill of Materials

The BOM is built from the request workflow together with the scan and analysis results described above, so that the components actually present can be reconciled against those that were requested and approved.

Remediation of IP issues

Issues found during review are handled through the "QuickReview" feature described under Policy Framework above: stakeholders from development, legal and security review the status of a completed scan project with policy status clearly visible, and can approve or reject, comment, assign action items, or request a full request workflow.

Production of compliance reports

A number of reports are available. Of these the most important is an accurate third party notices report. Enterprise Edition includes an automated report that is suitable for export as a shippable element of a delivered software product.


Monitor Vulnerability Status

Continuous updates on new Open Source vulnerabilities enable rapid response to reported security issues in the components you use.

A Growing Concern

Vulnerabilities in Open Source projects have recently received much more visibility. The Heartbleed and ShellShock vulnerabilities reported in 2014 caused many organizations to re-examine their policy for use of Open Source. Palamida has included vulnerability reporting in its products since 2009 based on continuous monitoring of the National Vulnerability Database.

Vulnerabilities are reported at the version level and are reported for any component in use regardless of its origin (repository) or language.

Palamida includes a dedicated user role for security. This user, the security analyst, sees new security issues upon login, receives email notifications, and can approve use of Open Source components after reviewing their security status.

Comprehensive Info, Timely Notification

Vulnerability information is visible throughout the product, including during review of scan results, during component search, as part of request to use, and in multiple reports.

Palamida also tracks projects throughout their lifecycle. For shipping or deployed projects whose scan and analysis work is complete, it sends email alerts when new vulnerabilities are reported for the Open Source components those projects use.
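Version-level vulnerability matching and lifecycle alerting as described above, as an added example that is not Palamida's code: a bill of materials from a completed scan is compared against advisories whose affected ranges use the versionStartIncluding / versionEndExcluding style of fields found in NVD's CPE match data, and alerts are raised only for shipping or deployed projects and only for advisories not already sent. The advisories (with EXAMPLE- ids, not real CVE records), the components and the BOM are constructed for this example; version parsing is simplified to numeric dotted versions and does not handle pre-release tags.

```python
import re

# Constructed advisories modeled on the version-range fields NVD uses in its CPE match data.
# The ids, components and ranges are invented and are not real CVE records.
ADVISORIES = [
    {"id": "EXAMPLE-2014-0001", "component": "examplelib",
     "versionStartIncluding": "2.0.0", "versionEndExcluding": "2.3.2", "severity": "HIGH"},
    {"id": "EXAMPLE-2014-0002", "component": "otherlib",
     "versionEndIncluding": "1.0.9", "severity": "MEDIUM"},
]

# Constructed bill of materials as a completed scan would produce it, with each project's
# lifecycle status; alerts are only sent for shipping or deployed projects.
BOM = [
    {"project": "payments-service", "status": "deployed", "component": "examplelib", "version": "2.3.1"},
    {"project": "payments-service", "status": "deployed", "component": "otherlib", "version": "1.0.10"},
    {"project": "reporting-ui", "status": "shipping", "component": "examplelib", "version": "2.3.10"},
    {"project": "reporting-ui", "status": "shipping", "component": "otherlib", "version": "1.0.9"},
    {"project": "sandbox", "status": "in_development", "component": "examplelib", "version": "2.1.0"},
]


def parse_version(v):
    """'1.0.10' -> (1, 0, 10): numeric-aware so 1.0.10 sorts after 1.0.9.

    A plain string compare puts "1.0.10" before "1.0.9" and would miss or invent matches.
    Simplification (assumed): pre-release tags such as "-rc1" are ignored.
    """
    return tuple(int(x) for x in re.findall(r"\d+", v))


def in_range(version, adv):
    """True if version falls inside the advisory's affected range; absent bounds are open."""
    v = parse_version(version)
    if "versionStartIncluding" in adv and v < parse_version(adv["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in adv and v <= parse_version(adv["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in adv and v > parse_version(adv["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in adv and v >= parse_version(adv["versionEndExcluding"]):
        return False
    return True


def affected_entries(bom, advisories):
    """Every BOM entry whose component and version fall inside an advisory's range, regardless of project status."""
    return [
        {**entry, "advisory": adv["id"], "severity": adv["severity"]}
        for entry in bom
        for adv in advisories
        if adv["component"] == entry["component"] and in_range(entry["version"], adv)
    ]


def new_alerts(bom, advisories, already_notified, statuses=("shipping", "deployed")):
    """Alerts for completed (shipping/deployed) projects only, skipping advisories already sent."""
    return [
        hit for hit in affected_entries(bom, advisories)
        if hit["status"] in statuses and hit["advisory"] not in already_notified
    ]


if __name__ == "__main__":
    for hit in affected_entries(BOM, ADVISORIES):
        print("affected:", hit["project"], hit["component"], hit["version"], hit["advisory"], hit["severity"])
    for alert in new_alerts(BOM, ADVISORIES, already_notified={"EXAMPLE-2014-0002"}):
        print("alert:", alert["project"], alert["component"], alert["version"], alert["advisory"])
```

Two of the BOM entries exist to show the version edge case: otherlib 1.0.10 is not affected by a range ending at 1.0.9 inclusive, and examplelib 2.3.10 is not affected by a range ending before 2.3.2, although both would match under a lexical string compare. The sandbox project is affected but gets no alert because it is still in development.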


Contact Us to Schedule A Demo

Let us put our years of experience to work for you. Our sales and support team has worked with companies from start-ups to some of the world’s largest firms and has a broad portfolio of best practices. Please contact us to start the discussion.
