This centralized approach helps the company deal with licensing issues, said Janaka Bohr, SAP's head of global licensing for open source. Before any software is approved, the company's lawyers must check the license to ensure it does not conflict with the company's plans for the product. The centralized approach cuts down on the number of times a lawyer has to check a license and reduces the amount of due diligence work a development team must do.
"In the past our developers had to spend a few hours researching an open source product to find the licenses, to find the technical information," Bohr said.
The Black Duck software also includes a library for scanning code to reveal what open source code is embedded within other applications. SAP doesn't want to inherit, say, a GPL violation, which could force the company to open source the entire program that uses a snippet of GPL code.
The ability to review code has also been crucial to SAP's process of acquiring other companies. Even if SAP didn't use open source software, it would still have to grapple with all the open source software used by the companies it acquires. Overall, in 15 acquisitions since 2007 (not including Sybase), the company has had to examine 2,000 different software programs.
On Friday, SAP announced that it has finalized its $5.8 billion purchase of Sybase. Although Sybase will continue to operate as a separate company, SAP has still inherited a lot of code in the purchase.
While von Riegen would not comment on the Sybase acquisition specifically, he did say that, in general, SAP invests a lot of effort in understanding what code it is acquiring as part of any potential sale.
Although SAP engineers typically are not allowed to review the code of a company that SAP intends to purchase, the Black Duck software can be used by a third party to scan the software and return a list of what open source code has been found.
This activity has been tremendously helpful, von Riegen said. It allows SAP to get a handle on the code base of the company it intends to acquire. In one case, a company that it had acquired had claimed to be using no open source code, when, in fact, it had embedded more than 80 open source applications within its own programs.
"Some of the acquisition targets claim that they don't use open source, but when you scan you find quite a lot of open source code," he said. In at least one case, a planned acquisition fell through because the review of the code base revealed far more open source was being used than the takeover prospect had claimed.