April 5, 2005

Black Duck launches online IP service

As open source software is being increasingly commercialized by IT vendors, consumed by companies for in-house application development, and mixed with other open source and closed source code with different licensing policies, it is clear that someone or something (meaning a program) has to police the licenses and code that is being used to create applications.

By CBR Staff Writer

Not everyone wants to buy a full-blown product, however, which is why Black Duck Software is making a version of its protexIP software available as an online service.

The software world might have been a better place if Black Duck had been founded in the mid-1990s instead of December 2002, just before The SCO Group launched its $3 billion lawsuit against IBM, alleging that Big Blue put Unix code under its control into the open source Linux operating system and used code for the Project Monterey Unix in its AIX variant, apparently breaking its Unix licensing agreements. (The situation is anything but clear.)

Because of that case, everyone has a heightened sense of wanting to identify the code that is being used in applications, what right they have to use it, and what licensing terms that software has, including the governance of how various open source products can be mixed with each other and with closed source programs. No one wants to be sued over violations in the use of intellectual property (the other kind of IP in the computer business, along with Internet Protocol).

Equally importantly, as more and more companies are outsourcing and offshoring application development, they need to be able to check what the third party developers are doing as they create applications for them and ensure that they do not violate licensing terms for software.

To address these needs, Black Duck, which is based in Waltham, Massachusetts, launched its protexIP software scanning tool. It was in its alpha version in September 2003, and went into beta at 21 sites in December 2004. In May 2004, protexIP 1.0 was realized as a commercial product, and an updated 1.1 release came out in October 2004.

According to Doug Levin, Black Duck’s CEO, the company has more than a dozen paying customers for the product, and has grown by a factor of six in the past year. Black Duck has signed partnerships with Open Source Development Labs, Red Hat, and CollabNet, and these open source development organizations will be using protexIP to make sure the programs that are developed under their wings are compliant with all of the various licensing terms out there in open source land.

Mr Levin said protexIP has over 40GB of open source fingerprints – key code snippets – that allow programs from thousands of open source projects (with more than 450 different licenses) to be identified – even if you take out licenses, comments, attributions, and other elements. This represents the knowledge base that drives protexIP, which runs in the background of an organization’s integrated development environment.

The protexIP tool uses fuzzy logic, pattern recognition, and statistical ranking to match code in applications with code in the knowledge base. Expanding that knowledge base is a tall order, with over 91,000 projects on SourceForge. However, about two-thirds of those projects are inactive, so the number is quite a bit smaller, and of those active projects, only a few thousand are interesting as far as commercial application development is concerned, said Mr Levin.

While the protexIP product is great for big organizations that do lots and lots of coding, it is overkill and expensive for short-term projects, small software developers, or companies that must do due diligence on their software portfolios as part of a merger or acquisition. And that is why Black Duck has launched protexIP OnDemand.

To make protexIP OnDemand, Black Duck has created a hosted version of protexIP that you subscribe to. With the regular protexIP offering, you pay Black Duck a licensing fee and then additional charges based on the amount of code you have under the management of the protexIP product. With the OnDemand version, which costs less, you pay Black Duck based on the amount of code you scan through the online system.
