There are many ways to categorize open source license risks. Our software audits group classifies risks based on priority. For example, some licenses in your codebase might be OK to use as is, but others might be in conflict with other licenses, so you'd need to research them before proceeding. We further classify risks based on type of license (e.g., permissive or restrictive), which reflects your legal exposure if you use components that have those licenses.
Our guide to the top open source licenses lists some of the most popular open source licenses according to these risk categories:
Low risk. Permissive licenses are considered low risk because it's easy to meet their reuse requirements: usually you just have to retain the copyright notice, but you don't have to expose your source code. Examples are the Apache and MIT Licenses.
Medium risk. Semi-permissive licenses, sometimes referred to as limited licenses, weak copyleft licenses, or simple copyleft licenses, are considered medium risk because if you modify the code, you have to release the modifications, but not your whole application, under the same license. Different licenses define "modification" differently. Examples are the Mozilla and the Eclipse Public Licenses.
High risk. Restrictive licenses carry a great deal of legal risk. If you use a component with one of these licenses, you might be legally obligated to release your entire application code. Examples are the GNU GPL and GNU LGPL.