Skip to main content

Open Source Artifacts

This section describes common artifacts either consumed or produced when managing open source software within the enterprise. Artifacts may be machine- or process- generated (such as an SBOM) or the result of human effort (such as an Open Source Strategy).

The Artifacts

Open Source Policy

An open source policy is a set of guidelines that outlines how an organization will consume, contribute to, and create open source software. It defines the rules that govern the use, distribution, and licensing of open source software within the organization. It establishes processes for evaluating open source software, managing the risks associated with its use, and ensuring compliance with legal and ethical requirements.

Common Vulnerabilities and Exposures (CVEs)

CVEs (Common Vulnerabilities and Exposures) are standardized identifiers for publicly known cybersecurity vulnerabilities which can be leveraged in exploits. The MITRE Corporation manages the CVE program, which receives funding from the U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA).

Data Loss Prevention Software

This article looks at Data Loss Prevention (DLP) software commonly used in financial organisations and how these impact open source consumption and contribution. It is not a complete reference for the subject of DLP generally, but should act as a starting point for understanding the issues involved.

Intellectual Property

This article discusses the main types of intellectual property and their application to open source within financial services.

Repositories

Article covering source and artifact repositories.

Software Bill of Materials (SBOM)

An SBOM, or Software Bill of Materials, is a list of all the components, libraries, and dependencies used in a software project, along with their associated version numbers and license information. There are two different SBOM formats:

Artifact Repository

For a financial services firm, the importance of hosting an artifact repository manager such as JFrog Artifactory or Sonatype's Nexus inside the firm's firewall cannot be overstated.

Open Source Review Board (OSRB)

The Open Source Review Board (OSRB), sometimes known as an "Advisory Council" is a governance body that reviews and approves open-source usage and contributions to ensure compliance with policies, licenses, and security standards.

Reference FOSS Policy

This document orginates from the Citi citi-ospo repository on GitHub. It is published under the Apache License 2.0 and is copyright to Citi.

Reference FOSS Policy

This is content originally from the FINOS Reference FOSS Policy Project which has not been updated recently. Feel free to suggest edits.

Software Licenses

This article provides some basic framing around the purpose of licenses within open source.

CLAs And DCOs

This article explains the concept of the Contributor License Agreement (CLA) and Developer Certificate of Origin (DCO) and the practical implications of these for organisations consuming and contributing to open source.