16 June 2023

Feature Focus: OSS Component Lifespan Insights

CAST Highlight automatically calculates a lifespan status on open-source software (OSS) components. This status identifies whether a component is active, possibly deprecated, or immature. See in this article how the feature works and how to leverage this new SCA insight for more informed decisions.

Imagine you’re in need of heart surgery, a procedure that requires skilled hands and expertise. You want to ensure that the surgeon who will perform the operation is not only actively practicing but also has a proven track record of successful surgeries. Now, the question is: “Would you entrust your life to an inexperienced, junior doctor, or to one who has long retired from the field?”

Similarly, in the world of software development, integrating OSS components into your business critical application is akin to entrusting the health and stability of your project to these components. Assessing their lifespan status – whether they are active, possibly end of life or conversely too new – is an important aspect of open source governance. CAST Highlight automatically calculates this lifespan status based on components’ release dates. See how it works in detail.

Three different lifespan status values are automatically calculated on components:

Possibly Deprecated: this tag is applied to components which have had no versions released in the past five years
Active: this tag is applied to components having versions released in the last 5 years
Possibly Immature: this tag is applied to components for which the oldest version is less than 12 months old, except if at least two of the versions have been released within 6 months of each other

At the portfolio level, you can view the lifespan status of components from the Software Composition dashboards, under the ‘Components’ tab. In this view, a new column has been added to the component table.

This status is also displayed when opening the component timeline, for a given component.

Lifespan status is also available at the application level, under the Software Composition tab, as well as in the SBOM export and the API (WS2/domains/{domainId}/applications/{applicationId}/thirdparty).

This additional OSS risk insight complements the existing insights related to security vulnerabilities (CVEs) and potential license/IP issues. It acts as a trusted advisor, guiding you towards components that are actively maintained and proven to be reliable. Just as you would choose a skilled and experienced surgeon for your heart surgery, this feature enables you to select the most dependable OSS components for your projects.