Magneti Marelli, a multibillion-dollar international component and systems supplier to the automotive industry, successfully implemented Black Duck® Software Composition Analysis (SCA) to ensure that its GENIVI-based in-vehicle infotainment system fulfills the strict open source compliance expectations of its OEM customers.
“It was quickly established that Black Duck . . . was indeed the best solution for the job.”
Rubens Sarracino, Magneti Marelli
A major European car manufacturer contracted Magneti Marelli to develop an in-vehicle infotainment (IVI) system based on the GENIVI Alliance open source platform. The agreement for the project stipulated strict compliance with GENIVI rules and free and open source software license requirements. The manufacturer would not accept product delivery without clear proof of compliance.
Work on the system, underway for more than two years, had resulted in the accumulation of 7-8 million lines of code. The vast majority of the code had been developed by Magneti Marelli and by external suppliers; the remainder, by the customer. The entire volume of code had to be reviewed for open source license compliance, a daunting task prone to human error when handled manually. While some external suppliers had provided a proper bill of materials for their components, the majority had not. It was impossible to furnish any proof of compliance, even for in-house developed code. Magneti Marelli suspected that thousands of different open source snippets were buried somewhere in the codebase, but had no easy means of identifying them or detecting their provenance and license obligations.
To address the challenge, at the recommendation of GENIVI, the methodology team at Magneti Marelli began looking for an appropriate software tool to automate code analysis and handle compliance issues.
“We looked at several such tools,” says Rubens Sarracino, the systems architect responsible for open source compliance at Magneti Marelli. “It was quickly established that Black Duck, as recommended by GENIVI, was indeed the best solution for the job, especially since Black Duck is the only offering which really checks every line of code against its vast database of open source components.”
Black Duck matches source code of any type against the industry’s most comprehensive knowledge base of open source software information, including license type and the exact version of the license under which the code was originally published. This capability enables quick discovery of license violations and unapproved components in a project’s codebase.
The Black Duck solution was installed, and BearingPoint Consulting was brought in to assist with expert advice, training, and baselining services. Under normal circumstances, the first step would have been to create, together with BearingPoint, a proper open source policy as a general guideline for the use of open source in this and other projects. However, time constraints resulted in the decision to give first priority to code compliance, leaving policy development for a follow-up effort.
Because development of the IVI system is organized by department, with each responsible for a particular project segment, it was initially thought best to train each department on the use of Black Duck and the underlying compliance philosophy. However, with developer teams under deadline pressure, a central control function was later deemed to be more effective in ensuring the required accuracy and adherence to compliance. In addition, a representative from the legal department was assigned to the project with authorization to involve external counsel, when needed, for expertise in licensing and intellectual property.
Magneti Marelli designs and produces advanced systems and components for the automotive industry. With 85 production units, 15 R&D centers in 20 countries, approximately 44,000 employees and a turnover of 8.2 billion euro in 2017, the group supplies all the major carmakers in Europe, North and South America and the Asia Pacific region.