Software Integrity Blog


The advanced license compliance functionality you didn’t know your SCA tool needed

Open source license noncompliance can have severe implications. Here are four advanced license compliance features that help protect your proprietary code.

The Black Duck product team has been hard at work developing advanced functionality for the Black Duck product. A key area of progress is open source license compliance. Open source license risks may not be as headline-grabbing as a big security breach, but their implications can still be severe.

Under copyright law, copying, modifying, or distributing software requires permission from the rights holder, given in the form of a license that describes the rights conveyed to users and the obligations those users must meet. Despite its reputation for being “free,” open source software is no different from any other software in this respect: its use is governed by a license. So ensuring you adhere to every license obligation attached to the open source in your applications is as important as understanding its potential security or operational risks.

The 2020 Open Source Security and Risk Analysis report found that of the 1,253 codebases analyzed, 73% of them contained components with license conflicts or no license at all.

4 advanced license compliance features

Black Duck combines our multifactor scanning, our comprehensive KnowledgeBase™, and our license data to let customers identify and mitigate the license risk in their open source use. Here are four advanced license compliance features you’ll find in Black Duck software composition analysis:

Snippet scanning

Black Duck includes fully featured snippet scanning so that open source copied into your code as fragments, rather than pulled in as whole components, is detected as well. A small snippet of code pasted from a component is unlikely to carry a security vulnerability, but it still carries the component’s license obligations.

Black Duck allows you to run snippet scanning for files that other scan methods didn’t match. Snippet scanning identifies fragments of code that match with one or more files in our KnowledgeBase (KB). You can view the matched code side-by-side with the KB code, confirm the match so it appears on the bill of materials, and view the associated license information.

License and copyright detection via string search

In addition to snippet scanning, Black Duck can search your file system for license or copyright references in the codebase. For example, if a developer has modified an open source component and included its GPL license text, or copied in a copyright notice, our string search capability will pick it up. This finds licenses and copyrights in both your open source and your proprietary code that were never declared by a component but still carry potential compliance obligations.
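The string search described above, as an added illustration (example code written for this post, not Black Duck’s own implementation): it walks a source tree, flags SPDX tags, well-known license header phrases, and copyright notices with their line numbers, and then reports any license found in the files that is not in the set of declared licenses. The file names, file contents, and the phrase table are constructed for the example.

```python
"""Minimal license/copyright string search over a source tree.

Illustrative code, not Black Duck's scanner. It looks for three kinds of
evidence inside file contents: SPDX short identifiers, characteristic
phrases from well-known license headers, and copyright notices.
"""
from __future__ import annotations

import os
import re
from dataclasses import dataclass

# "SPDX-License-Identifier: MIT" or "... Apache-2.0 OR GPL-2.0"
SPDX_RE = re.compile(
    r"SPDX-License-Identifier:\s*"
    r"([A-Za-z0-9.+\-]+(?:\s+(?:OR|AND|WITH)\s+[A-Za-z0-9.+\-]+)*)"
)

# Phrases that identify embedded license text when no SPDX tag is present.
# Constructed table; a real scanner compares against full license texts.
LICENSE_PHRASES = {
    "GPL-2.0": re.compile(r"GNU General Public License.{0,200}?version 2", re.I | re.S),
    "GPL-3.0": re.compile(r"GNU General Public License.{0,200}?version 3", re.I | re.S),
    "LGPL": re.compile(r"GNU Lesser General Public License", re.I),
    "Apache-2.0": re.compile(r"Apache License,? Version 2\.0", re.I),
    "MIT": re.compile(r"Permission is hereby granted, free of charge", re.I),
    "BSD": re.compile(r"Redistribution and use in source and binary forms", re.I),
}

# "Copyright (c) 2019-2021 Example Corp" / "© 2020 Jane Doe"
COPYRIGHT_RE = re.compile(
    r"(?:copyright|\(c\)|©)\s*(?:\(c\)\s*)?"
    r"((?:19|20)\d{2}(?:\s*[-,]\s*(?:19|20)\d{2})*)"  # year or year range
    r"[,\s]+([^\n.]{1,80})",                            # holder, up to a period
    re.I,
)


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str   # "spdx", "license-text" or "copyright"
    value: str


def _line_of(text: str, pos: int) -> int:
    return text.count("\n", 0, pos) + 1


def scan_text(path: str, text: str) -> list[Finding]:
    """Return every license/copyright reference found in one file's text."""
    found: list[Finding] = []
    for m in SPDX_RE.finditer(text):
        found.append(Finding(path, _line_of(text, m.start()), "spdx", m.group(1)))
    for license_id, rx in LICENSE_PHRASES.items():
        m = rx.search(text)
        if m:
            found.append(Finding(path, _line_of(text, m.start()), "license-text", license_id))
    for m in COPYRIGHT_RE.finditer(text):
        holder = m.group(2).strip().rstrip("*/ ").strip()  # drop comment terminators
        found.append(Finding(path, _line_of(text, m.start()), "copyright", f"{m.group(1)} {holder}"))
    return found


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory {path: contents} mapping (used by the sample below)."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


def scan_tree(root: str, max_bytes: int = 1 << 20) -> list[Finding]:
    """Walk a real directory, skipping VCS metadata and large (likely binary) files."""
    files: dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in (".git", "node_modules")]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.getsize(full) > max_bytes:
                continue
            with open(full, encoding="utf-8", errors="ignore") as fh:
                files[os.path.relpath(full, root)] = fh.read()
    return scan_files(files)


def undeclared_licenses(findings: list[Finding], declared: set[str]) -> set[str]:
    """Licenses evidenced in the files but absent from the declared (BOM) set."""
    return {f.value for f in findings if f.kind in ("spdx", "license-text")} - declared


# Constructed sample tree: one MIT file, one vendored GPL-2.0 file, one unmarked file.
SAMPLE_FILES = {
    "src/crypto/hash.c": (
        "/* SPDX-License-Identifier: MIT */\n"
        "/* Copyright (c) 2019-2021 Example Corp */\n"
        "int hash(void) { return 0; }\n"
    ),
    "src/vendor/list.c": (
        "/*\n"
        " * Copyright 2015 The Widget Authors. All rights reserved.\n"
        " *\n"
        " * This program is free software; you can redistribute it and/or modify\n"
        " * it under the terms of the GNU General Public License as published by\n"
        " * the Free Software Foundation; either version 2 of the License, or\n"
        " * (at your option) any later version.\n"
        " */\n"
    ),
    "src/app/main.c": "int main(void) { return 0; }\n",
}

if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}:{f.line}: {f.kind}: {f.value}")
    print("undeclared:", sorted(undeclared_licenses(results, {"MIT"})))
```

Run against a real checkout with scan_tree("path/to/repo") and feed the declared set from your bill of materials; every id in the undeclared set is a file-level obligation the component-level data did not tell you about.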

License terms

The Black Duck product shows you more than just the license associated with the open source component. You can easily view both full license text and easy-to-read summaries of the license rights, restrictions, and obligations (we often refer to this information as what you “can do,” “can’t do,” and “must do” to comply). You can even define custom license terms to empower your legal teams to advise developers on the company’s internal terms.

Deep license and copyright data

Many teams need to see beyond just the declared or primary license or copyright info. So Black Duck enables you to augment projects with file-level license data. Open source components can have embedded licenses, so seeing beyond what’s been declared is imperative for mitigating license risk in your applications. Black Duck also shows copyright data down to the file level, with the ability to edit and save that copyright data at the component level and include it on Notices Reports to ensure license compliance.

The Black Duck team has been working hard to provide customers with the most advanced open source license compliance functionality. Want a demo?
