What we do

Software Composition Analysis is the activity for listing in detail what is used inside a software product.
This includes listing the respective copyright holders and applicable legal terms, which can be either open source or under proprietary license terms.

On behalf of the customer, TripleCheck will proceed to:

  • 1) Fully identify the third-party software components present on the product
  • 2) Audit the license compatibility for the identified third-party components/snippets
  • 3) Prioritize and solve license conflicts (if any) with the customer development team
  • 4) Properly mark the source code that is IPR of the customer and the IPR of third parties
  • 5) Prepare the software as a package for distribution to other parties
  • 6) Provide an official compliance certificate by TripleCheck, as independent auditor
  • 7) Issue a warranty for this product, valid for two years


The TripleCheck technology was first released to public in 2013 and is continuously improved with the feedback from customers. The main product is called Xray, which is currently on its second generation of releases.

TripleCheck as a forensic auditor, performs the following activities:

  • • Collecting an offline archive of publicly available software
  • • Detecting license terms on the software surface
  • • Detecting software plagiarism
  • • Generating software inventory lists (also known as Bill Of Materials)

The offline archive spans to about 2.5 petabytes of software collected from diverse public sources on the Internet over the years, namely github, sourceforge, bitbucket, stackoverflow, among others. This data is archived inside its own premises, from which are built the fingerprint databases that are later used for the offline matching of source code files and snippets.

In 2018, the TripleCheck Open Source archive amounts to 1,9 billion file fingerprints and 1,2 billion code snippets (methods, functions) from 55 programming languages. Technology-wise, only TripleCheck has the forensic capacity for identifying similar binary files in large scale, in addition to the exact fingerprint matching based on SHA1.

Security and privacy

TripleCheck has experience working on environments where the customer infrastructure requires a high standard for security and data privacy, including the following characteristics to its service:

  • • 100% offline tooling and databases. No network access required nor used for the third-party software identification
  • • Auditable tools. When necessary, we provide the source code for the tools used within the customer secure environment
  • • On-premise verifications. When desired, we conduct the activities inside the customer premises, using the customer provided hardware.

Our staff is trained and experienced on the handling of sensitive information. TripleCheck will make the necessary adjustments in order to comply strictly with the customer security and privacy requirements.

Data needed for price quote

The default data used for price quotes are the lines of code.

On top of this estimation may be added other factors such as license complexity, urgency of delivering results, or extra effort required for the audit. The detailed pricing list is provided on the next section. For calculating the LOC (lines of code) and code complexity, TripleCheck provides an offline tool that can be downloaded from:


This tool does not modify any files on your disk, nor uses any network connection: it runs offline. The usage instructions are provided on the webpage, it will generate a single line of text that contains the information that is necessary for a complete quote.

The text signature is a short snippet that will look similar to:


For the sake of transparency, each value within “-” is respective to:

  • 1) total file size
  • 2) number of files
  • 3) number of LOC
  • 4) number of license references with higher risk (type A, e.g. copyleft licenses)
  • 5) number of license references with lower risk (type B, e.g. permissive licenses)

    • Each value represents a number. This number is represented on clear text inside the tool log and then converted to a different representation so that its content is kept minimally private while transiting through email.

      On this example, the value “iz” represents the number of 683 files. This can be verified through an online tool such as https://www.dcode.fr/base-n-convert where the radix number should be set as 36, then typing “iz” on the “numbers to convert” box and finally clicking on the “convert numbers” button. Using the same method for 24fj we obtain 99055 LOC and so forth.

      When possible, TripleCheck recommends that the software to be verified is placed inside a single folder, where the tool can then generate a text signature for that folder on a single run.

      Understanding that the software to be verified from the customer might be large and that combining the folders might be a difficult task, it is possible to simply provide a list with the text signatures and then TripleCheck will combine them together.

      Once the data is gathered, an exact quote can be provided, using the pricing list detailed on the next section.

Initial deliverables

On its first stage, TripleCheck creates a detailed inventory of the third-party items.

During this first stage verification are often found items that need correction (e.g. item with a problematic license). When generating the inventory and discovering such item, TripleCheck will inform the customer as early as possible about the item and propose a solution to address the issue. This permits the customer to have an early warning and enough time for deciding on the course of action.

The final output from the first stage a set of reports that detail each of the third-party items inside the verified products. These reports are made available in HTML, Excel and text formats.

If the verified software is compliant with the software reuse list at this stage, TripleCheck produces an official statement (certificate) to prove the compliance.

When the software has items that need further work, this is called as second stage where TripleCheck is supporting the development teams with licensing advice (included on the warranty) and re-evaluating the output from newer scans. Products reaching this stage are typically compliant after the development team completes the corrective changes, which tend to take between 2 to 4 calendar-months, the official statement is then produced by TripleCheck.

The third-stage is maintenance, meaning the schedule of periodic verifications after each 6 or 12 months to assure that non-contamination is preserved. This is included with the two-year warranty, which can be extended by the customer.

Documenting the source code

During the verification, TripleCheck will be marking in detail which code belongs to the customer, and which code belongs to other parties (e.g. OSS libraries, proprietary code). For that purpose, TripleCheck creates a special folder called “inventory” where the necessary legal documentation is stored. Details about what is generated and stored on this folder can be found on the following location:


This folder is what permits customers to prove their compliance with the third-party license requirements for their products. An example of the inventory is provided with the document.

Warranty scope

TripleCheck is the only provider including a two-year warranty with each software verification.

This warranty protects the audited software up to two years, it is applicable up to 30% of modifications from the original code to permit customers to continue the product development.

The customer will receive at no extra charge the technical support for the next two years, even as new third-party software items continue to be added by the customer development team.

The following features are included:

  • 1) Expert email/phone support to clarify open source conflicts/questions (reasonable use)
  • 2) Routine scans at periodic time intervals (typically 6 months) to verify compliance
  • 3) Warranty remains valid until a maximum of 30% changes on the source code files