TripleCheck Studio is a tool to peform software licensing compliance and provenance.

In other words, it is a tool that helps people to discover the licenses applicable to files and libraries on their projects. The information about files is archived using an open data format called SPDX.

What is SPDX?

SPDX means "Standard Package Data Exchange", a plain text file (in alternative, XML can be used) with information about the license terms applicable for a given software product. This format is an initiative of the Linux Foundation and other companies/people around the world. The goal is to standardize the way how people share information about software licenses. You find more info about SPDX on wikipedia or visiting the website at http://spdx.org

What can I do with this tool?

Create new SPDX files from a folder containing your source code
Add dependencies (COTS, libraries) with different licenses as part of you code
Find information using the search bar to find similar files or exact matches

Whenever you have an idea for improvement, you're more than welcome to write us a message and will get in contact. Our page with up to date contact information can be found on our site through this link. See you soon! :-)

Getting started

When you download this software, the tool should already come available with a small library of SPDX documents. We try out best to provide a useful library in the download package but you will be expected to built up your own library based on the components that you are using. Extra points if you share your libraries with us for inclusion in future versions of the library.

Take your time to browse the items listed on the tree view at the right side of the tool. Check what information is reported, what is listed and what kind of features are available.

Then, look on the "Tools" item at the bottom of the tree view. From there you should find the "Create New SPDX" item that allows to create a brand new analysis of your software.

Using the search box

The search box is under continuous improvement, should already be fit to provide most of the information that you need to extract from a software compliance analysis:

Finds files based on exact matches using MD5, SHA1, SHA256 of the file name
Finds files based on a percentage of "similarity" using the SSDEEP algorithm
(more soon to be added)

To find files based on specific algorithm, you can type something like this on the search box:

SHA1: f23822b985b89ebb6a1ea989e9d095426b7ab2d9

So, name of the algorithm and then the value that you need. The name of the algorithm can be either on lower or upper case. The value that you are looking should be used in EXACT case match. This is particularly important for the similarity matching algorithm where the signature cannot be modified.

Plugin system

This software comes equipped with an advanced plugin system. We use script files based in Java language. If you're familiar with PHP, C or Java, you will feel right at home to change around the software using nothing more than a text editor. If you wish, a normal Java IDE such as Eclipse or NetBeans can be used to provide the comfort of programming with automatic code completion. Write us an email and we'll explain how to get the IDE setup going.

Look inside the "plugins" folder to get started and hack away. :-)

License and Extension recognition

Similar to the plugin system, we made available a way for adding up new licenses and extension types. It uses the same Java-based scripts to process files and detect if the a given license or extension are applicable.

Furthermore, when the tool finds a new file extension that wasn't indexed before then it will create a new template. Look inside the folder "extensions/unknown" to see what is automatically generated. Then, you can edit these files to fill up the details as needed. This way you can teach the software to recognize new extensions and know what to do with them. This is useful to add new source code types that were not added before.

There is no need for a lengthy manual to lean how to modify these files. Just look at one of the files already created and use it as template for the new ones. :-)

We would be grateful if you can help us improve the license and file extension libraries. All you have to do is send back to us your modified files by email and we will add them up for the next release. As point of rule, we preserve your name and copyright on the provided files.

Feedback?

This tool is quite young. Development moves at great speed since we use it on for our own work at TripleCheck. However, what is necessary for our use-case scenario might not necessary meet what you need.

If you miss some specific feature or something is not working good, don't worry. Just write us a message so that we know which features matter the most to fix or implement.

You find us at http://www.triplecheck.de/

Above all, have fun! :-)