A clean-room Java supply chain
Enterprise procurement wants a bill of materials and a clean license story before you get in the door. TheAuditor now ships both: a signed component inventory and a copyleft-free build.
Before a security tool gets near a regulated codebase, procurement asks two questions that have nothing to do with how good it is. What is inside it, and what are you obligated to because of what is inside it. TheAuditor now answers both, up front.
A signed bill of materials
Every release ships a software bill of materials: a machine-readable inventory of every third-party component bundled into the tool, in the standard CycloneDX format, covering all of its ecosystems in one document. It lists a little over a hundred components with their versions, and it is signed, so your team can verify it hasn’t been altered and that the binary’s contents match what the inventory claims. When a dependency you rely on turns up in a CVE next year, you answer “are we affected?” by reading a file instead of guessing.
A copyleft-free build
We removed the last copyleft dependency from the shipped Java build and replaced it with a permissively licensed equivalent. That matters because copyleft obligations can attach conditions to how you distribute a binary that links against them, and those conditions are exactly the kind of thing that stalls a deployment in legal review. There are none of them left to trip over.
One component with a stricter license does still ship, and it carries an explicit exception that permits its use inside a closed-source binary. That exception is reproduced in full in the bundled license file, so the clearance is documented rather than assumed.
Why “clean room” is the point
None of this makes TheAuditor find more bugs. It makes TheAuditor deployable. A tool can be the best analyzer on the market and still never get installed because nobody can vouch for its supply chain. Shipping a signed inventory and a clean license story means the answer to “can we actually use this?” is a document you hand to your own compliance team, not a promise from us.
This is the same discipline that runs through Code Reality Labs: claims you can verify, not ones you take on faith. TheAuditor’s public binary lands when its hardening checks pass. Subscribe on the main site for launch notifications.
Was this useful?