Is that code really yours?
Black Duck protexIP helps protect against license violations, but detection errors limit its usefulness
Duck and cover
I found many aspects of the code detection and reporting to be problematic. When I gave the program some code from Jetty, a high-profile open source Web server, protexIP recognized only a few of the files. A few misses would arguably be acceptable. Unfortunately, protexIP found that 64 percent of the files I submitted from the project were clean and did not match anything in its code base. I asked Black Duck Software to run these files for me, which it did, returning the same results. I presume this is because the database is terribly out of date. With such a high rate of false negatives, managers could easily ship open source code unknowingly. Code from other projects I scanned scored higher totals, but my overall impression was that protexIP does not deliver sufficiently on its central promise of vetting code pedigree.
I then examined one of the Jetty files that protexIP did match to see what it found. The results (shown in the screen image, but hard to make out) reported a match with a Jetty file. Two enigmatic figures appeared: 9% and line 1087. Normally, I would assume these numbers referred to the percentage of matching code and the starting line number of the match. But given that my file contained less than 800 lines and was a known 100 percent match, I assumed these columns had another meaning. Unfortunately, the online help system and the manual were of no use. Nowhere are these figures explained. To find out, I was told to open an incident with tech support. (My guess at their meaning was correct. The data was fallacious.)
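To make concrete what a "percent matched" and "match starts at line" figure should mean, here is an added illustration written for this review. It is not protexIP's algorithm and not code from Black Duck or Jetty: a toy line-fingerprint scanner over a constructed reference corpus, where the project and file names, the sample Java lines and the MIN_TOKENS threshold are all assumptions. It also encodes the sanity check applied above: an exact copy of an indexed file must come back as 100 percent matched, with a start line that lies inside the submitted file, and a file that embeds only a few reference lines should report a partial percentage and the line where the copied block begins.

```python
"""Toy line-fingerprint matcher (added example for this review; not
protexIP's algorithm). Shows how a scanner can derive two numbers for a
submitted file: the share of its significant lines found in a reference
corpus, and the 1-based line in the submitted file where the first hit is."""
import hashlib
import re
from collections import defaultdict

# Lines with fewer tokens than this (braces, blanks, "return n;") are too
# common to count as evidence of copying. Threshold is an assumption.
MIN_TOKENS = 3


def normalize(line):
    """Strip C/Java line comments and collapse whitespace; None if trivial."""
    line = re.sub(r"//.*$", "", line)
    tokens = line.split()
    if len(tokens) < MIN_TOKENS:
        return None
    return " ".join(tokens)


def fingerprint(norm_line):
    return hashlib.sha1(norm_line.encode()).hexdigest()


def build_index(corpus):
    """corpus: {(project, path): source} -> {fingerprint: {(project, path)}}"""
    index = defaultdict(set)
    for (project, path), text in corpus.items():
        for raw in text.splitlines():
            norm = normalize(raw)
            if norm:
                index[fingerprint(norm)].add((project, path))
    return index


def match_report(text, index):
    """Return (percent_matched, first_match_line, projects).

    percent is over the submitted file's significant lines only;
    first_match_line is a line number in the submitted file, so it can
    never exceed that file's length."""
    significant = matched = 0
    first_line = None
    projects = set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        norm = normalize(raw)
        if not norm:
            continue
        significant += 1
        hits = index.get(fingerprint(norm))
        if hits:
            matched += 1
            projects |= {project for project, _ in hits}
            if first_line is None:
                first_line = lineno
    if significant == 0:
        return 0.0, None, projects
    return round(100.0 * matched / significant, 1), first_line, projects


# Constructed reference corpus: one hypothetical open source file.
REFERENCE_CORPUS = {
    ("example-server", "src/HttpParser.java"): """\
package example.http;

public class HttpParser {
    private final byte[] buffer = new byte[8192];

    public int readLine(InputStream in) throws IOException {
        int n = in.read(buffer, 0, buffer.length);
        if (n < 0) throw new EOFException("stream closed");
        return n;
    }
}
""",
}

# Sanity check input: an exact copy of the indexed file.
IDENTICAL_COPY = REFERENCE_CORPUS[("example-server", "src/HttpParser.java")]

# Constructed file that embeds three reference lines in otherwise new code.
PARTIAL_COPY = """\
package acme.net;

public class Reader {
    public int readLine(InputStream in) throws IOException {
        int n = in.read(buffer, 0, buffer.length);
        if (n < 0) throw new EOFException("stream closed");
        return n;
    }

    public void close() { open = false; }
    public boolean isOpen() { return open; }
}
"""


def demo():
    index = build_index(REFERENCE_CORPUS)
    return match_report(IDENTICAL_COPY, index), match_report(PARTIAL_COPY, index)


if __name__ == "__main__":
    for label, (pct, line, projects) in zip(("identical", "partial"), demo()):
        print(f"{label}: {pct}% matched, first hit at line {line}, "
              f"projects={sorted(projects)}")
```

Run it and the identical copy reports 100.0% starting at line 3 (its first significant line), while the partial copy reports 50.0% starting at line 4. A report of 9 percent at line 1087 for an identical file of under 800 lines fails both checks, which is why those columns deserved a definition in the manual.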
Taken as a whole, protexIP represents an original solution that could be useful if it were implemented well. The one satisfactory component, the license manager, is badly undercut by the software’s inability to detect the presence of external source code correctly. Between these detection miscues, the insufficient documentation, and rough edges of the interface, it is clear the product needs to progress a fair bit before it can be recommended for adoption.