How do we conduct our open source audits?
As a first step, we run the source code through a program designed to identify copyright and license references, phrases relating to licensing and the like, so as to identify all the licenses applicable to the program we are auditing. The program we use is Fossology, a tool developed by Hewlett Packard. Having identified all the relevant licenses, our lawyers then review them in order to:
- identify any potential conflicts (e.g., MPL <-> GPL);
- assess the compatibility between the project's license and the licenses identified in the audit;
- prepare guidelines for complying with all the licenses applicable to the program.
The results of the source code check and the lawyers' analysis are then compiled in an Open Source Audit Report, which we store in our database.
What do the different IPR risk ratings (e.g., green, yellow, red) mean?
A detailed audit report can be very complex as it identifies all potential risks as well as compliance requirements. The purpose of the IPR rating is to make it possible to see at a glance whether there are any issues with the component. Here's a brief explanation of what they mean:
- Green: Our audit did not reveal any significant risks. Compliance with the project's primary license is likely to suffice for compliance with all the relevant sub-licenses.
- Yellow: Our audit revealed potential risks. Either there is a potential conflict within the project's licensing, or compliance with the project's license alone is not sufficient for legal distribution of the program.
- Red: Our audit revealed significant risks. There is a high likelihood of a license conflict that prevents the program from being distributed legally.