Sonatype Helps Organizations Manage Open Source License Obligations | Sonatype

Today, most teams rely on extremely time-consuming, manual processes to collect, compile, and review all of the necessary legal data to both comply with open source license obligations and generate accurate attribution reports. Given that each manual review of a component and its corresponding license can take up to 1 - 2 hours and a typical application contains 100 components, legal and compliance teams are spending  hundreds of hours completing compliance reviews for just one application. 

“Building and protecting software isn’t done in a vacuum by just development and security teams. Using open source software can very quickly become a legal and compliance risk for enterprises if proper procedures aren’t in place,” said Brian Fox, Sonatype CTO. “But the manual review process isn’t scalable. Automation in development has been around for years, but the industry hasn’t provided other stakeholders involved in the development process the same courtesy. Today, we’re changing that and making the lives of developers, security, and legal teams exponentially easier.”

Sonatype developed the Advanced Legal Pack to make the entire compliance and legal review process easier and to improve productivity for both developers and legal in a way that is fast, easy, cost-effective, and efficient. Capabilities include: 

• Legal Compliance Workflow - Using a Software Bill of Materials (SBOM) Sonatype automatically identifies every open source component license used in an application build and provides a dashboard to review the licenses and an actionable workflow to automate the review process and resolve license-related tasks obligations.  Users of the [ALP] can save license obligation resolutions (per component, per license) to reuse in the future.
• License Obligation Review Tool - The pack includes an extensive database of open source license obligations across multiple categories, types, and threat groups that is continuously updated by Sonatype. This database of more than 1650 open source licenses has been annotated to highlight each obligation contained within the license text allowing legal and compliance users and fast way to read through obligations and easily look up licenses, view annotated license texts, and export lists.
• Extended Legal Data - Our machine learning algorithm and natural language processing detect legal data and integrate it into our legal compliance workflows. This includes more than just license detections to cover copyright statements, all notice statements, and all license texts found in a component. All legal data collection is automated.
• Automated Attribution Reports/Third-Party Notices - The pack automatically collects legal data and generates attribution reports designed to help users that comply with 90+% of open source obligations, which users can save, customize, and edit to fit their needs. 

Additional Resources: 

• Read more about the Advanced Legal Pack on our Blog 
• Discover more about how the Advanced Legal Pack works 
• Learn more about the Nexus Lifecycle

About Sonatype: 

Sonatype is the leader in developer-friendly, full-spectrum software supply chain management providing organizations total control of their cloud-native development lifecycles, including third-party open source code, first-party source code, infrastructure as code, and containerized code. The company supports 70% of the Fortune 100 and its commercial and open source tools are trusted by 15 million developers around the world. With a vision to transform the way the world innovates, Sonatype helps organizations of all sizes build higher quality software that's more aligned with business needs, more maintainable, and more secure. 

Sonatype has been recognized by Fast Company as one of the Best Workplaces for Innovators in the world, two years in a row and has been named to the Deloitte Technology Fast 500 and Inc. 5000 list for the past five years. For more information, please visit Sonatype.com, or connect with us on Facebook, X, or LinkedIn.