Two years after the first code snippets were written, the new version of xray is available today for auditors and enterprise users.

The first edition focused on delivering a fully offline tool that could be used from the command line, so that it would integrate with existing infrastructure. However, it had limitations that made it difficult to use in large-scale audits (e.g. over 50 projects). The effort applied to one audit was not directly reusable for other audits. Another limitation was the exclusive focus on plagiarism and licensing quality, with little help for the final stage of building a correct distribution package.

With the Xray series 2.x.x you get a state-of-the-art tool for forensic software discovery that performs these source code verifications deeper and more automatically than was ever possible in this industry.

What is new

  • 6x deeper plagiarism detection. If before we could find similar files inside an ocean of data, today the xray provides 6 times more results, albeit at the cost of increased computing time/effort.
  • Horizontal scaling. When one i7 CPU machine is becoming too slow to compute matches, why not distribute this computing effort? This is what we do today. You can add a few more workstations or servers that you have within your reach and use them to run xray in parallel. No special config required, they just need to be on the same network.
  • Automatic inventories. A new folder holds an automatically generated inventory of third-party items in different formats, including the respective licensing information for each item. This makes it incredibly easy to always have the software ready for distribution.
  • Global archives. It is now possible to continuously increase the number of items that are recognized. In practice this means that much of the audit effort is today reusable for new audits in the future.
  • Desktop UI. For the audit phase we were missing a proper UI beyond the HTML pages, which allowed projects to be fully audited without requiring a web server to be installed. Today this is possible with a full desktop UI that helps auditors verify each file in the customer project. This reduced the average audit time from 8 hours to about 3 hours of manual effort.
  • Completeness check. The new versions can find dependencies mentioned inside source code files, resource files, executable files and then report back if these dependencies are found inside the code or not. This is useful during an audit to discover if all portions of a software product were included for review or not.
  • Original license terms. An MIT license is not just an MIT license; it has a copyright statement that is very often unique. A BSD license is no simpler: it can have customised clauses and changes that even experienced auditors have difficulty spotting. We are now including the original license terms for each third-party component.

The old version served TripleCheck well, but was showing its wrinkles from age after being built in 2013. Over these past years we've learned so much more about what it means to deliver a clean and compliant software package. Today we are finally reaching a level of automatic forensic inspection that is not possible with any other technology on the market. The next step is ensuring that this new edition is stabilized.

Thank you for supporting TripleCheck; it is your feedback that makes this technology possible.