We want to thank everyone that attended the webinar on Thursday, October 6 titled Open Source Goodness - Potential Risks = Insight. Unfortunately we didn’t have time to answer all the great questions during the event, so we’ve answered them here for everyone’s benefit. If you missed the webinar, you can register to view a replay here.
Q: What types of files/artifacts will Application Insight analyze?
A: Application Insight currently examines components based on the Zip algorithm, including JAR, WAR, EAR and ZIP formats. Other formats such as bin,iso,rpm are planned in the future.
Q: What development tools does Insight work with?
A: Sonatype is committed to making Development Insight available for all of the popular development tools, including: Eclipse IDE, Hudson CI, Jenkins CI, Bamboo CI, Nexus OSS repository, Sonatype Pro for Nexus, Maven 2.x, Maven 3.x, and Ant. Note: The tools presently supported are shown in bold.
Q: Can Insight identify open source code that has been copied and/or modified?
A: At this time Insight analyzes and identifies complete binary artifacts. We are working on ways to identify artifacts that have been slightly modified during development.
Q: What makes Insight different than source code ‘scanners’?
A: Insight is complementary to source code scanners – they solve different problems. Insight is designed to integrate easily into the software development process at every stage to ensure you only use the highest quality, most secure OSS components that meet your licensing standards. Source code scanners are typically used at the end of the development process to find snippets of open source code that may have been included in your applications.
Q: Can open source components be detected which are not installed but bundled with other software?
A: Yes, Application Insight analyzes all Java binaries in the target location, whether or not they are installed and being used.
Q: How would closed source Java components fit into this model? Is there a means to manage licensing and distribution, and push updates in this scenario?
A: Sonatype Insight supports both open and closed source components. We will work with our customers to add closed source components to the Insight Information Service as required so that they are recognized during analysis.
Q: Do you have customers that need this because of software certification for ISO9000 processes or FDA instrument certification?
A: We have spoken with a number of prospective customers of Sonatype Insight who are interested in using it to help with ISO9000 or other certifications. There is a consistent belief that Insight is a valuable addition to their existing processes.
Q: Can we choose which components are analyzed?
A: Yes, you can configure Insight to analyze a particular project, repository or production application.
Q: How can I receive a complimentary assessment of our open source consumption?
A: You can sign up for a complimentary assessment at http://www.sonatype.com/Request/Information/Open-Source-Usage-Report
Q: Can Insight be used to track Central downloads in general, not just associated with security or license risk?
A: Yes, Management Insight reports all downloads from the Central Repository, showing you how, when, and where those components were consumed.
Q: How is Insight offered? Can I run an instance in my company?
A: Insight is currently offered as a Software as a Service (SAAS) in combination with plugins for your development tools. We do not presently offer a stand-alone version, but are considering adding this capability in the future.
Q: What about a plugin for AnthillPro or their new DevOps platform?
A: We have received a number of requests for this, but it is not on our short-term roadmap.
Q: Does Insight work with other languages besides Java?
A: Today, Insight is focused on open source Java components. Future releases will extend to other programming languages.
Q: Is it possible to integrate Insight into the development cycle in order to push information to developers?
A: Yes, Development Insight enhances your existing tools so you’ll have the information and controls you need, when and where you need them to ensure the use of high quality components free of licensing or security risk. You can flexibly combine Insight plugins for popular IDEs, repositories, continuous integration servers, and build systems.
Q: Does Insight integrate with any continuous integration (CI) servers?
A: The Development Insight plugin for Hudson and Jenkins is available now to ensure problematic components don’t make it into your applications. The plugin inspects projects and alerts you to component licensing or security issues so you’ll find problems as soon as they are introduced.
Q: Is it possible to use Insight to evaluate open source components for issues before the component is added to a project?
A: Yes, the Development Insight plugin for the Eclipse IDE provides quality, license and security information for all components loaded in the IDE, whether or not they are part of a project.
Q: Do you need to use Apache Maven to use Insight?
A: No, Insight will analyze components independently of the build tool or dependency management methodology.
Written by Larry Roshfeld