Software Escrow


Verifying the quality and completeness of deposited software projects is a complex task because the sources that build the basis of the software can be extensive. A human technical reviewer could need many hours to go through all of the artifacts to evaluate them, which can be an essential cost factor. Thus a framework is proposed that supports the verification by automatically evaluating the artifacts and reporting parts that need to be examined manually.

The prototype implementation for the verification framework is based on Sonar, a framework for continuous quality inspection of software. Sonar determines common software quality metrics and checks the compliance to a set of predefined rules of software projects. To meet the requirements of escrow agents our prototype extends Sonar using custom plugins that aim to support the process of inspecting the software and detect quality issues. This is done by highlighting parts for which different metrics assume low quality, but also by checking the conformance to predefined rules.

Further information about software escrow and the software escrow framework can be found on:


In the following screenshot the results that have been calculated by the verification framework running on an exemplary open source project that is written in Java are shown.

For most of the issues listed in the custom rules table it is possible to drill down the issue to the actual source file or even line of code. This can be seen in the second screenshot.

Software Escrow - Overview Software Escrow - Details

Download & Execution

The Software Escrow framework is licensend under the Apache License Version 2.0. Show License Hide License

Copyright (c) 2013/2014 Verein zur Foerderung der IT-Sicherheit in Oesterreich (SBA). The work has been developed in the TIMBUS Project and the above-mentioned are Members of the TIMBUS Consortium. TIMBUS is supported by the European Union under the 7th Framework Programme for research and technological development and demonstration activities (FP7/2007-2013) under grant agreement no. 269940.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at:
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTIBITLY, or FITNESS FOR A PARTICULAR PURPOSE. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law or agreed to in writing, shall any Contributor be liable for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work.
See the License for the specific language governing permissions and limitation under the License.

The research prototype is available as Debian package and can be installed on Debian-based operating systems using following commands:

    # add the sonar-escrow repository
    sudo sh -c ‘echo “deb nightly main #IFS/Vienna University of Technology” 
        >>/etc/apt/sources.list.d/ifs-Vienna.list’ && sudo apt-get –quiet update && sudo apt-get 
        –yes –quiet –allow-unauthenticated install olymp-keyring && sudo apt-get –quiet update
    # install sonar-escrow
    sudo apt-get install sonar-escrow

The prototype can be started by calling “sudo service sonar start”, which after a few seconds allows using the web UI (http://localhost:9000) and API of Sonar. The configuration can either be done per project in the configuration file of the Sonar client (e.g. for the Sonar Java Runner) or globally through the admin UI (Settings / Configuration). Widgets for the web UI are an exception, they can only be added and configured through the web UI (Dashboard / Configure widgets).

Further information about the installation and usage can be found on: