Open source software can provide all the common building blocks of modern software, so the project team can concentrate on what makes its application unique. In most cases, those building blocks are free, of good quality, and have an active community making sure they stay up to date. This, however, can stay true only because many OSS users are also OSS contributors. In other words, open source is about sharing source code and enhancing it as a community.
This source code sharing principle is enforced through one or more licenses applied to each library. There are many different licenses, and their terms can range from the very permissive to the extremely restrictive. In some cases, a corporate project needs only to disclose which libraries it uses and who holds their copyrights. With other licenses, a corporate project is required to distribute its own source code under the same license, and this can be true even when the project code is used only to deliver a service. That, of course, can conflict with the way a company wants to protect its ability to exploit the commercial value of its software.
This means that open source software library licenses have to be managed properly in corporate projects, taking into account the specifics of the project domain, its distribution mode, and the way OSS is used by the project application. This starts with an accurate software Bill of Materials (BOM), the inventory of OSS libraries used in the project, in order to identify the libraries used and the open source licenses that apply to them. Some companies maintain a BOM by requiring their developers to declare the open source they use. While this is better than doing nothing, libraries are often included without declaration, due to lack of awareness or laziness, the sheer volume of open source being used (and its associated dependencies), and even potential malicious intent. A much better approach is to use a software composition analysis tool, especially one that combines multiple detection mechanisms, such as Black Duck®.
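As an added illustration of what a BOM check looks like in practice (this is example code written for this page, not Black Duck's or any project's own tooling), the script below reads a constructed, CycloneDX-style SBOM, compares it against the list of libraries developers declared by hand, and flags three things a license compliance process cares about: components present in the build but never declared, components whose license is outside an assumed allowlist and needs legal review, and components with no license information at all. The SBOM content, the declared list and the allowlist are all constructed sample values; the JSON field names follow the CycloneDX component/licenses layout but are an assumption for this example.

```python
import json
from typing import Dict, Set

# Constructed sample SBOM in a CycloneDX-like JSON shape (assumed field names:
# "components" -> [{"name", "version", "licenses": [{"license": {"id": ...}}]}]).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "libfoo", "version": "1.2.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"name": "libbar", "version": "0.9.1",
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
        {"name": "libbaz", "version": "3.0.0",
         "licenses": []},                      # no license metadata at all
        {"name": "libqux", "version": "2.1.4",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
    ],
})

# Libraries the developers declared by hand (constructed sample).
DECLARED = {"libfoo", "libqux"}

# Licenses this hypothetical project accepts without legal review (assumption).
ALLOWED = {"MIT", "Apache-2.0", "BSD-3-Clause"}


def parse_sbom(sbom_json: str) -> Dict[str, Set[str]]:
    """Map each component name to the set of license identifiers listed for it.

    A component may carry several license entries; each entry may use "id"
    (SPDX identifier) or "name" (free text). Missing entries yield an empty set.
    """
    bom = json.loads(sbom_json)
    inventory: Dict[str, Set[str]] = {}
    for comp in bom.get("components", []):
        ids: Set[str] = set()
        for entry in comp.get("licenses", []):
            lic = entry.get("license", {})
            ident = lic.get("id") or lic.get("name")
            if ident:
                ids.add(ident)
        inventory[comp["name"]] = ids
    return inventory


def audit(sbom_json: str, declared: Set[str], allowed: Set[str]) -> Dict[str, Set[str]]:
    """Compare the SBOM against the declared list and the license allowlist.

    Returns three sets:
      undeclared      - in the build but never declared by a developer
      unknown_license - no license metadata, cannot be assessed
      needs_review    - at least one license outside the allowlist
    """
    inventory = parse_sbom(sbom_json)
    result = {"undeclared": set(), "unknown_license": set(), "needs_review": set()}
    for name, licenses in inventory.items():
        if name not in declared:
            result["undeclared"].add(name)
        if not licenses:
            result["unknown_license"].add(name)
        elif not licenses <= allowed:
            result["needs_review"].add(name)
    return result


if __name__ == "__main__":
    for category, names in audit(SAMPLE_SBOM, DECLARED, ALLOWED).items():
        print(f"{category}: {sorted(names)}")
```

Run as a script it prints the three categories; in a real process the `needs_review` and `unknown_license` sets are the items routed to legal validation, and a non-empty `undeclared` set is the signal that the hand-maintained declaration is drifting from what actually ships.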
However, that’s just one part of the solution. Such a tool can be effective, but only if used in conjunction with a well-defined and enforced compliance process that includes education, detection, and validation. As each company is different, this process must be tailored to the legal requirements of the business, the type of software produced, and the internal organization.