Open source software license management
By Luke Mcbride
8 minute read time
Organizations are absorbing a huge number of open source software (OSS). Open source comes with unique requirements that are becoming unwieldy to resolve. Companies are allowing licenses they should avoid and failing to achieve open source license compliance. You need software license management automation to exert control and avoid litigation.
Why do I need license management?
The use of third-party software to power development is nothing new. But the wide use of openly developed component software has only been normalized in the last ten years. Today, developers around the world use open source tools to make their lives easier and accelerate the pace of innovation. But the popularity of this approach is rarely understood.
The numbers are surprising – our 2023 data suggests 3.1 trillion open source package or component requests across the four largest third-party software ecosystems: Java, JavaScript, Python, and .NET. That may seem like the peak of a trend, but this is not a unique year. In fact, this pace has only increased over time and shows no signs of slowing down. We're seeing substantial growth in the top four development languages:
Component download increase over 2020 by language
Each one of these downloads represents a software development team requesting an open source software package.
This expansion has caught many projects and organizations off-guard. In particular, every one of those 2.2 trillion software components comes with an OSS license. This is because developers who merely publish their source code don't make it open. "The only way to actually make your code open source and freely available is to attach a license to it" (Ars Technica).
Software developers use licenses to explain usage guidelines, such as whether a program can be used in commercial environments. And terms of use for that license have real consequences, necessitating an open source software license management process.
How many open source licenses are there?
Fortunately, some standardization in licensing has helped organizations more easily meet those terms. Within just Maven Central, 95% of the components are split across just 17 different OSS licenses. Unfortunately, the remaining 5% of components are split across a whopping 307 other licenses.
Additionally, some license types are individually very easy to resolve: "attribution" style obligations need only list out the requirements and give credit to the author. Unfortunately, the task doesn't scale well. The ongoing effort to track usage, monitor changes, and update your documentation is huge, especially as your teams use more and more open source software.
An example of an attribution license present in one of more than 130 unique licenses in the Mozilla Firefox about:license page
Many companies still rely on manual software license management workflows where legal or security teams review each component license. But for typical applications that contain 128 dependencies on average, gathering all the required data can sap up to 58 hours of productivity.
The 614 page March 2022 Zoom open source software license listing (source)
Furthermore, restricting your staff to open source components with only easy-to-resolve licenses ties their hands to only build software within a limited toolset.
You can't take it with you
Although we don't have data on how many companies and organizations are actively adhering to OSS license compliance requirements, there are real legal consequences to ignoring the terms of use.
Worse, some organizations are not keeping an eye on OSS licenses with "copyleft" or share-and-share-alike requirements. This means those who borrow code must give back if they make changes. Copyleft-style licenses like the GNU Public License (GPL) underpin important projects like the Linux kernel and WordPress.
As a result, if code with a GPL license is in use within your software, you may be required to distribute the source code changes along with your software. And the legal reach of GPL licenses may be expanding.
Major companies, including Cisco (2008), BMW (2016), and Vizio (2021) have all experienced issues in this space due to poor license management.
How open source license management software helps
Many companies remain unaware of how much open source they consume, or that their future is likely powered by this technology. In 2019, Gartner noted that only 4% of examined codebases were made exclusively with closed components. Knowing what licenses are in use, what should be disallowed, and how to comply with their terms are crucial to address the ongoing open source takeover.
Fortunately, many initial license processes involve merely collecting and compiling text documents, which can be automated with software tools. Smarter software can address both the scale and variety of open source usage in your organization.
Where to start?
While most developers already know that some licenses are forbidden, that's not the same thing as compliance. Burdening your staff with the necessary monitor and management tasks means time away from building competitive tools and solutions.
You can begin by scanning your application for both software vulnerabilities and license concerns. License management software identifies and flags dangerous licenses and potential compliance and legal violations.
Also available is Sonatype's Advanced Legal Pack, an available enhancement to the Sonatype Lifecycle software. These tools can help you keep an eye on component license information, automate manual tasks, and deliver automated workflows for development, security, and legal teams. And if a project you rely upon changes to a forbidden license, the software can help remediate without major disruption.
New features in the Advanced Legal Pack
Current users can see additional features this month:
-
Attribution Report for Multiple IQ Applications. By combining multiple (often overlapping) projects into one report, organizations can better align legal compliance with software development. This reduces friction between legal and development teams and speeds delivery.
-
"Weak Copyleft" License Fulfillment – This industry-first capability will let companies easily meet requirements for more complex licenses by disclosing the original source code. [1]
By automating license tasks and streamlining legal approval workflows, the Advanced Legal Pack saves developers and legal teams' time and effort. You can also block components that create a burden for your company and build compliance with a wide variety of open source component software.
View of the compliance interface inside the Advanced Legal Pack.
See an overview of these updates as well as a demonstration in the video below:
[1] NOTE: The term "weak" refers to a similarity to standard copyleft licenses, but without the requirement to share the source code of changes. Examples of licenses in this space include the Mozilla Public License in use by Mozilla and LibreOffice, as well as the LGPL used by projects like FFMPEG. You can read more on different license categories.
Written by Luke Mcbride
Luke is a writer at Sonatype covering everything from open source licenses and liability to DevSecOps trends and container security.
Explore All Posts by Luke Mcbride