OPEN SOURCE MANAGEMENT
Open source management for the software you actually ship.
SBOMs from CI and suppliers resolve into one governed inventory — licenses, vulnerabilities, and maintenance status for every component.

Open source carries the application. The risk it brings rarely sits anywhere you can query when it matters.
Inventory
The list is incomplete.
Transitive dependencies and vendored code never reach a spreadsheet, so when a CVE lands you cannot answer "do we use this, and where?"
Licenses
Obligations go unreviewed.
Copyleft and unknown licenses reach production because nobody mapped obligations to the components that carry them.
Maintenance
Dependencies rot quietly.
A library picked two years ago gets archived upstream, and nothing tells you it is now unmaintained.
You cannot govern what you have not inventoried.
Every SBOM, from CI or a supplier upload, resolves into one inventory you can query by package, license, vulnerability, or maintenance status.
01
One inventory for every component you ship.
Each SBOM feeds an organization-wide package list. See every version of a component in use, the products that ship it, and its PURL and ecosystem in one place.
Cross-product package view, not one SBOM at a time
Version tracking across the whole portfolio
Transitive and vendored components included
02
Know every license obligation before you ship.
License expressions are parsed to the SPDX standard and run through an approval workflow. Obligations such as attribution, source disclosure, and copyleft are tracked per license, with custom licenses alongside the standard catalog.
Approved, Rejected, and Unreviewed approval states
Obligation tracking on every license
Custom, non-SPDX licenses in the same inventory
03
New CVEs map back to versions you already shipped.
Components match against NVD, GitHub Security Advisories, and OSV, then enrich with EPSS, CISA KEV, and CWE. VEX dispositions record your team's response so the same finding is not triaged twice.
NVD, GitHub Security Advisories, and OSV correlation
EPSS and KEV for prioritization, not just CVSS
VEX disposition tracking on every finding
04
Catch dependencies the internet stopped maintaining.
Support Analysis reads package-registry and repository signals to grade each component's maintenance status, surfacing OpenSSF Scorecard and health scores so you replace risky dependencies on your schedule, not after a breach.
Graded from Actively Maintained down to Abandoned
Registry deprecation plus repository activity signals
OpenSSF Scorecard and per-package health scores
Obligations are attached to each license in the inventory, so a component's requirements travel with it across every product that uses it.
Attribution
MIT
BSD
Apache-2.0
Include the copyright notice and license text in your distribution.
Source disclosure
GPL-3.0
LGPL
Make corresponding source code available to recipients.
Copyleft
GPL-2.0
GPL-3.0
Derivative works must be released under the same license.
Patent grant
Apache-2.0
The license includes an explicit grant of patent rights.
Network copyleft
AGPL-3.0
Source must be offered to users who interact over a network.
From upload to governed inventory in four steps.
1. Ingest
SBOMs arrive from GitHub, GitLab, and Bitbucket on push and pull request, from pylynk or the GraphQL API in CI, or from a supplier upload link.
2. Resolve
Components are parsed into the organization-wide package inventory and their license expressions matched to the SPDX catalog.
3. Enrich
Each component picks up vulnerability matches, EPSS and KEV status, maintenance level, and OpenSSF Scorecard results.
4. Govern
Policies gate on license, vulnerability, and support level per environment. Violations surface as tickets in Jira or Linear and alerts in Slack.
Replace the spreadsheet and the standalone scanner.
Manual + scanner-only
✕ Inventory lives in a spreadsheet that drifts from the build
✕ Licenses reviewed once, if at all, with no approval trail
✕ Scans run at release and forget the version afterward
✕ No signal when a dependency is abandoned upstream
✕ Findings sit in a report nobody routes to an owner
With Interlynk
✓ One inventory updated on every build, across products
✓ License approval workflow with obligations tracked
✓ Continuous monitoring maps new CVEs to shipped versions
✓ Maintenance status graded for every component
✓ Policy violations routed to Jira, Linear, and Slack
Open source management, answered.
What is open source management?
It is keeping an accurate, current inventory of the open-source components in your software and governing the risk they carry: license obligations, known vulnerabilities, and maintenance status. Interlynk inventories components automatically, reviews licenses against an approval workflow, monitors for new CVEs, and flags components that are no longer maintained.