Open Source Library Compliance for Azure DevOps Build Pipeline

Ensuring Compliance with Company Licensing Standards

Question

You have an Azure DevOps project that contains a build pipeline. The build pipeline uses approximately 50 open source libraries.

You need to ensure that all the open source libraries comply with your company's licensing standards.

Which service should you use?

Answers

Explanations

Click on the arrows to vote for the correct answer

A. B. C. D.

C

Secure and Manage Open Source Software

Black Duck helps organizations identify and mitigate open source security, license compliance and code-quality risks across application and container portfolios.

Black Duck Hub and its plugin for Team Foundation Server (TFS) allows you to automatically find and fix open source security vulnerabilities during the build process, so you can proactively manage risk. The integration allows you to receive alerts and fail builds when any Black Duck Hub policy violations are met.

Note: WhiteSource would also be a good answer, but it is not an option here.

https://marketplace.visualstudio.com/items?itemName=black-duck-software.hub-tfs

The correct answer is C. Black Duck.

Explanation: Open source libraries are distributed with various licenses. Some of these licenses may not be compatible with your company's licensing standards. Therefore, it is necessary to analyze and ensure that the libraries used in your build pipeline comply with your company's licensing standards.

Black Duck is a service that provides license compliance and security management for open source software. It can scan and analyze open source libraries for their licenses, vulnerabilities, and quality. Black Duck integrates with Azure DevOps to provide a seamless experience in scanning and analyzing the open source libraries used in your build pipeline.

NuGet is a package manager for .NET projects that allows you to easily install, manage, and use packages. Although NuGet can be used to manage open source libraries, it does not provide license compliance and security management.

Maven is a build automation tool used primarily for Java projects. It provides a way to manage project dependencies and automate the build process. However, like NuGet, it does not provide license compliance and security management.

Helm is a package manager for Kubernetes that allows you to easily install, manage, and use Kubernetes applications. Although it can be used to manage open source libraries, it does not provide license compliance and security management.

Therefore, the best choice for ensuring compliance with your company's licensing standards is Black Duck.