Resources Blog How to manage your open source licenses in 2022

How to manage your open source licenses in 2022

Organizations are absorbing a huge amount of open source component software. These tools come with unique requirements that are becoming unwieldy to resolve. At the same time, companies are allowing licenses they should avoid and not complying fully with included terms. You need automation to help manage this situation and avoid litigation.

Why do I need license management?

The use of 3rd-party software to power development is nothing new. But the wide use of openly developed component software has only been normalized in the last ten years. Today, developers around the world use open source tools to make their lives easier and accelerate the pace of innovation. But the popularity of this approach is rarely understood.

The numbers are surprising – our 2021 data suggests open source package or component downloads totaling 2.2 trillion from third-party software ecosystems. That may seem like the peak of a trend, but this is not a unique year. In fact, this pace has only increased over time and shows no signs of slowing down. We're seeing substantial growth in the top four development languages:

Growth in component downloads by language

Component download increase over 2020 by language

Each one of these downloads represents a software development team requesting an open source software package.

This expansion has caught many projects and organizations off-guard. In particular, every one of those 2.2 trillion software components comes with some kind of legal agreement. This is because developers who merely publish their source code don't make it open. "The only way to actually make your code open source and freely available is to attach a license to it" (Ars Technica).

Open source software developers use licenses to explain usage guidelines, such as whether a program can be used in commercial environments. And terms of use for that license have real consequences.

How many open source licenses are there?

Fortunately, some standardization in licensing has helped organizations more easily meet those terms. Within just Maven Central, 95% of the components are split across just 17 different licenses. Unfortunately, the remaining 5% of components are split across a whopping 307 other licenses.

Additionally, some license types are individually very easy to resolve: "attribution" style obligations need only list out the requirements and give credit to the author. Unfortunately, the task doesn't scale well. The ongoing effort to track usage, monitor changes, and update your documentation is huge, especially as your teams use more and more open source software.

The about:license view inside Mozilla Firefox

An example of an attribution license present in one of more than 130 unique licenses in the Mozilla Firefox about:license page

Many companies still rely on manual workflows where legal or security teams review each component license. But for typical applications that contain 128 dependencies on average, gathering all the required data can sap up to 58 hours of productivity.

Screenshot of Zoom's open source software license usage listing

The 614 page March 2022 Zoom open source software license listing (source)

Furthermore, restricting your staff to open source components with only easy-to-resolve licenses ties their hands to only build software within a limited toolset.

You can't take it with you

Although we don't have data on how many companies and organizations are actively complying with their open source requirements, there are real legal consequences to ignoring the terms of use.

Worse, some organizations are not keeping an eye on "copyleft" or share-and-share-alike requirements. This means those who borrow code must give back if they make changes. Copyleft-style licenses like the GNU Public License (GPL) underpin important projects like the Linux kernel and WordPress.

As a result, if code with a GPL license is in use within your software, you may be required to distribute the source code changes along with your software. And the legal reach of GPL licenses may be expanding.

Major companies, including Cisco (2008), BMW (2016), and Vizio (2021) have all experienced issues in this space due to poor license management.

Where is my mind-share?

Many companies remain unaware of how much open source they consume, or that their future is likely powered by this technology. In 2019, Gartner noted that only 4% of examined codebases were made exclusively with closed components. Knowing what licenses are in use, what should be disallowed, and how to comply with their terms are crucial to address the ongoing open source takeover.

Fortunately, many initial license processes involve merely collecting and compiling text documents, which can be automated with software tools. Smarter software can address both the scale and variety of open source usage in your organization.

Where to start?

While most developers already know that some licenses are forbidden, that's not the same thing as compliance. Burdening your staff with the necessary monitor and management tasks means time away from building competitive tools and solutions.

You can begin by scanning your application for both software vulnerabilities and license concerns.

Also available is Sonatype's Advanced Legal Pack, an available enhancement to the Sonatype Lifecycle software. These tools can help you keep an eye on component license information, automate manual tasks, and deliver automated workflows for development, security, and legal teams. And if a project you rely upon changes to a forbidden license, the software can help remediate without major disruption.

New features in the Advanced Legal Pack

Current users can see additional features this month:

  • Attribution Report for Multiple IQ Applications. By combining multiple (often overlapping) projects into one report, organizations can better align legal compliance with software development. This reduces friction between legal and development teams and speeds delivery.

  • "Weak Copyleft" License Fulfillment – This industry-first capability will let companies easily meet requirements for more complex licenses by disclosing the original source code. [1]

By automating license tasks and streamlining legal approval workflows, the Advanced Legal Pack saves developers and legal teams' time and effort. You can also block components that create a burden for your company and build compliance with a wide variety of open source component software.

Advanced Legal Pack screenshot

View of the compliance interface inside the Advanced Legal Pack.

See an overview of these updates as well as a demonstration in the video below:

[1] NOTE: The term "weak" refers to a similarity to standard copyleft licenses, but without the requirement to share the source code of changes. Examples of licenses in this space include the Mozilla Public License in use by Mozilla and LibreOffice, as well as the LGPL used by projects like FFMPEG. You can read more on different license categories.

Picture of Luke Mcbride

Written by Luke Mcbride

Luke is a writer at Sonatype covering everything from open source licenses and liability to DevSecOps trends and container security.