Source Code Information Request

Kickdrum provides code evaluation services that help companies understand and manage source code, open source software, and other components that constitute a software codebase. Kickdrum has been asked by our client to conduct a Source Code Evaluation and/or Open Source Risk Assessment.

If you have any questions or difficulties, please contact: code [at] kickdrum [dot] com

NOTE: This form will save your answers as you go, so you can leave it and return later.

Contact Information

Source Code Management (SCM)

What source code management (SCM) systems are being used?

git

TFS/TFVC (Microsoft)

Subversion

CVS

Mercurial

We don't use source code management / version control.

Other (please specify)

Where are the SCM instances hosted?

On-premises

GitHub

GitLab

Azure DevOps

Atlassian BitBucket

AWS CodeCommit

Google Cloud Source Repositories

We don't use source code management / version control.

Other (please specify)

Is any source code managed outside of an SCM system?

A

Yes, some code (e.g., database scripts, deployment scripts, automated test cases, customer-specific customizations) lives outside our SCM systems.

B

No, all code is managed in an SCM system.

Build, Packaging, & Dependencies

What package / dependency managers are in-use?

Gradle

Maven

Nuget

pip

yarn

npm

Ruby Bundler

CocoaPods

We don't use any package / dependency managers.

Other (please specify)

Are any private or self-managed package repositories or caches used?

Artifactory

Nexus

Azure Artifacts

AWS CodeArtifact

apt / yum

We don't use any private or self-managed package repositories or caches.

Other (please specify)

Does the build process leverage containers (e.g., Docker)?

A

Yes, the build process is executed within containers.

B

Yes, the build process produces containers as an output.

C

No, we do not use containers.

Are documented instructions or automated processes available to build all components from source code in a clean environment?

A

Yes, we can provide complete documentation or automation for building all components.

B

No, our documentation and automation is not yet sufficient. Help / support will be required from our team.

Products, Applications, & Repositories

Please identify the products, applications, or similar top-level entities contained in the codebase, and include a short description of each.

Typically Kickdrum thinks of a product as a separately licensable entity by its customers. Depending on the nature of your business this could be distributed software, a SaaS-based web application, a module in a larger scale application, etc.

Were all of these products / applications written by the same team?

A

Yes, all products / applications were developed by the same team.

B

No, multiple teams, contractors, partners, or vendors contributed to the products / applications.

Did any of these products / applications originate from a corporate acquisition, third-party asset purchase, or similar?

A

Yes, some of the products / applications came from external sources.

B

No, all products / applications were created and developed by our company.

Do your engineers use Copilot, ChatGPT, or similar generative AI models when writing code?

A

Yes, and we have a policy guiding its usage.

B

Yes, but we don't have any related policies.

C

No, and we have a policy against its usage.

D

No, and we don't have any related policies.

E

We are unsure if our codebase contains any answers from generative AI models.

Do any repositories contain source code or binaries originating or derived from open source projects?

Yes, we have private repositories that contain such SOURCE CODE.

Yes, we have private repositories that contain such BINARIES.

No, our private repositories do not contain such source code or binaries. However, we do reference, link-to, import, or otherwise make use of open source software.

No, we do not use or reference open source software in any manner.

We are unsure if our repositories contain any open source software artifacts or references.

Has any open source software been modified, forked, or published?

Yes, we have PRIVATE repositories that contain modifications or forks of open source software.

Yes, we have or maintain PUBLIC repositories that contain modifications or forks of open source software.

Yes, we have or maintain PUBLIC repositories that contain open source software that we have published (i.e., open source software that you have created).

No, we have neither modified nor published any open source software.

No, we do not use or reference open source software in any manner.

We are unsure if our repositories contain any open source software artifacts or references.

Please provide the following details about each code repository:

Repository name / ID (or base folder location within the codebase structure)

Application / Product to which the repository belongs

Purpose - describe whether each repository is internal use tooling or distributed and/or hosted

Primary programming languages and versions (Java 11, C# 8, Python 3, Angular 10, T-SQL 2017)

Lines of code - estimated/ballpark count is okay - please consider using a tool like "cloc" or "scc" to count the lines of code per repository with a breakdown by file extension

Enter details here...

Or download this XLSX template: https://kickdrum.com/s/Source-Code-Information-Repositories.xlsx

Then, upload the completed template here:

Open Source Software Policies, Procedures, & Inventory

Please upload a copy of your policies and procedures around open source usage and approved licenses (if available).

Please upload an inventory / report containing details of third-party commercial and open source components. Please include reports from a Software Composition Analysis (SCA) tool, such as Black Duck, Mend, FossID, or Snyk (if available).

Source Code Access

Up to three Kickdrum team members will require read-only access to the SCM instances, with multi-factor authentication (MFA) enabled, to clone the code to a secure analysis environment. Please advise if there are any challenges or concerns with respect to providing this access:

Up to three Kickdrum team members will require read-only access to the SCM instances, with multi-factor authentication (MFA) enabled, to clone the code to a secure analysis environment. Please advise if there are any challenges or concerns with respect to providing this access:

A

No problem; we have an approval process and the ability to grant secure access

B

This requires further discussion with the company