Black Duck provides a comprehensive SCA solution for managing security, quality, and license compliance risks associated with open source use.
Given today’s development trends, your organization is undoubtedly leaning heavily on open source in any number of ways. According to Synopsys’ annual Open Source Security and Risk Analysis (OSSRA) report, we found that 75% of the 1,500 codebases scanned were made up of open source. This affirms our annual finding that open source software serves as the foundation for the majority of applications across industry verticals. Of particular concern are our discoveries around license compliance: organizations are clearly struggling to manage license requirements, and sometimes are making no effort to manage them at all.
Of the 1,500 codebases we scanned, 90% contained open source components with license conflicts, customized licenses, or no license at all. 65% of the codebases audited in 2020 contained open source software license conflicts, typically involving the GNU General Public License.
One might ponder why open source, which by its definition is free, involves licenses of any kind. It is important to understand that “free” in this context does not free you from intellectual property obligations. All three issues (license conflicts, customized licenses, and no licenses) require evaluation for potential intellectual property infringement or other possible legal concerns. This is particularly true in the context of a merger and acquisition due diligence process.
Open source license compliance poses immeasurably large risks for organizations that have no grasp on their level of license conflict exposure. Take, for example, the 2008 Cisco lawsuit: the Free Software Foundation (FSF) sued Cisco for selling products that contained open source, which violated the related GPL and LGPL license obligations. This lawsuit resulted in a settlement for FSF, but the damage was done; financial and reputational implications to Cisco were costly and long-lasting.
Know your risk. There are different levels of risk associated with license obligations. Knowing what licenses are in your open source and how risky they are is critically important. These are just a few of the licenses you should consider; read our blog for a more comprehensive dive on the top open source licenses.
And just because there is no license associated with a component, doesn’t mean there is no risk. Components without licenses still carry copyright obligations, at least in the U.S.
In order to tackle open source license compliance, you need both tools and practices in place that:
Synopsys’ Black Duck Software Composition Analysis (SCA) solution helps you manage security, quality and license compliance risks associated with the use of open source and third party code. Black Duck’s industry-leading capabilities exceed basic licensing concerns, delivering the most comprehensive and hands-off open source management offering.
Customized rules. Black Duck allows you to define policy based on your organization’s risk tolerance and the software you are developing. Examples of customized policies you can create include:
Superior open source identification. Black Duck effortlessly identifies open source components in your code. Black Duck offers:
Unmatched intelligence. Black Duck matches open source, or license lines, to known licenses using our proprietary Knowledge Base. As the industry’s most comprehensive database of open source project, license, and security information, our KB covers more than 3.8 million open source components from over 20,000 forges and repositories and tracks more than 3000 unique licenses.
Deep license analysis. Declared licenses can often be inaccurate or incomplete, so Black Duck does deep license analysis which inspects source and other files within packages looking for undeclared licenses. We can also scan custom code to ID license text and obligations, which could have potentially been added by developers or are indications that code was copied from open source.
Effortless enforcement and critical feedback.
If you are struggling to address or understand license compliance obligations and concerns, or you want to improve your risk posture, Black Duck can help.
Mike McGuire is a senior software solutions manager at Synopsys where he has spent several years leading go-to-market efforts for open source risk and software supply chain security solutions. After beginning his career as a software engineer, Mike transitioned into product management and strategy roles, as he enjoyed interfacing with the buyers and users of the products he worked on. Leveraging several years of development experience, Mike enjoys connecting the market’s complex AppSec problems with Synopsys’ comprehensive solutions.