tools to check/track (code) compliance
Peter Roozemaal
mathfox at xs4all.nl
Tue Jul 28 21:50:40 CEST 2009
Trevor Woerner wrote:
> Another method might be to use a tool which analyses the code itself
> (i.e. the code which is committed) looking for indications that the
> code might be from somewhere else (e.g. different coding style,
> copyright statements, license files, etc.).
>
> Does anyone know if any such tool exists? I'm aware of the Black Duck
> products (http://www.blackducksoftware.com) which sound like exactly
> what I'm looking for, but was wondering if any other such tools
> existed (for comparison purposes).
Palamida http://www.palamida.com/ sells and makes a product similar to
BlackDuck's.
My experience running those tools is that they generate a lot of false
positives and require specific knowledge to use them effectively. Before
buying the tool you should discuss with your lawyer how to handle it
when you discover a serious issue. Copyright infringement is a criminal
offence, and you should stop distributing infringing products immediately
after discovery.
Introduction of the tool can create morale problems on the work floor.
Educating your developers and putting in a system of checks and balances
may be cheaper, better for morale and have effects on more aspects of
quality than just legal compliance.
Disclosure: I work for a company that advises businesses on the risks (and
benefits) of using Open Source. I have used BlackDuck and Palamida and
wrote some proprietary scan software that our company uses.
Peter Roozemaal