As a user of open source code, Hewlett-Packard wanted to know what licenses governed the code it was bringing in-house. So it produced a tool that could identify the licenses.

Instead of just visiting a project's site to see what license was listed, it analyzed the code itself, identified the declared licenses, and looked for key phrases that indicated other licenses were in use as well. The tool is being expanded into a multitool framework, called "Fossology," or instruments for studying free and open source software (FOSS). Early this year, HP made its code-analysis tool the focus of an open source project to expand its capabilities.

It's available for download at Fossology.com.

"Customers we talk to say, 'We know we're using a little bit of Apache and Linux.' Then we talk to the Web developers and they tell us every sales system on the Web site was built with open source, and it's running billions in transactions," said Karl Paetzel, HP's marketing manager for Linux and open source code, at the Open Source Business Conference on Wednesday.

For companies to stay clear of entangling licenses, they need to know what they're using. If they build an in-house system around code that was issued under the GPL, they need to know how many obligations that incurs if they distribute the code to any outside users, warned Paetzel.

Fossology.com represents much of what HP presents to prospects when it gives them a one-day presentation on how they might need to implement open source governance if they're becoming a bigger user of open source code.

In-house development efforts or, for that matter, code contributed to an open source project needs to be checked to see if it has an origin other than the one the submitter declares. "If somebody has produced code based on open source, we can detect that, even if they've changed the headers and variables," said Paetzel.

Two companies, Palamida and Black Duck, also have code analysis systems. Each can compare a piece of code to large repositories of known source code and see whether any of its lines have origin other than the claimed author. "From my perspective, those companies are the experts," said Paetzel, suggesting that compliance and other legal concerns might be better satisfied by relying on a professional service than a free online service.

Coverity is a source code analysis firm that looks for security exposures in a piece of code. It is operating under a $300,000 contract with the Department of Homeland Security to check the output of open source projects and alert them to any identified exposures.

HP also offers a second Web site, Fossbazaar.org, that hosts discussion groups and information resources on how to adopt and manage open source code. One element of its consulting services is open source governance, announced in late January.