Top open source licenses and legal risk for developers

Learn about the top open source licenses used by developers, including the 20 most popular open source licenses, and their legal risk categories.

If you’re a software developer, you probably use open source components and libraries to build software. You know those components are governed by different open source licenses, but do you know all the license details? In particular, the technical and somewhat convoluted licensing conditions that could pose compliance challenges?

The main problem in this context is that open source licenses are subjective. Their interpretation depends on the technical usage of the licensed software. Therefore, it’s difficult to determine the legal risks of using open source software, especially for developers, who are not usually legal experts. What developers need is a broad classification of licenses based on the risks they pose in terms of legal compliance.

Here, we’ve categorized the most popular open source licenses into three broad groups depending on their terms and conditions and their potential legal risks.

Top open source licenses by risk

Following is a list of the most popular open source licenses used by developers and their risk classification as described above. This classification is only a guideline and should not be used to make decisions about using open source software governed by each license. Developers should consult their legal/technical teams for further guidance regarding license compliance.

Other popular open source licenses by risk

These licenses don’t make the top list, but they’re still in wide use.

Low risk: Permissive licenses

Permissive licenses generally do not have real limiting conditions. Rather, they usually require that you keep the copyright notice in place when you distribute your own software. This basically means that you can use and change the open source software as needed as long as you keep the copyright notices intact. Some top open source licenses in this category are the Apache and MIT licenses. We rate permissive licenses as LOW risk licenses.

Medium risk: Semi-permissive licenses

Semi-permissive licenses usually require that if you modify the open source code, you make these modifications available under the terms of the given license. Some of these licenses explicitly define what a modification is. For instance, they might consider copying unmodified open source code into proprietary code to be a modification. To comply with the license obligations, the developer would have to release the source code (original, modified, and newly added). The most popular open source licenses in this category include the Mozilla and the Eclipse Public Licenses. We rate semi-permissive licenses as MEDIUM risk licenses.

High risk: Restrictive licenses

Some top open source licenses, such as GPL 3.0 and AGPL, are quite restrictive. Depending on how you integrate the open source software with your proprietary software, you may face significant risk. In the worst-case scenario, you may be required to release your proprietary software under the same license—royalty-free. We rate restrictive licenses as HIGH risk licenses.

How to manage open source license risk

Black Duck software composition analysis enables you to discover open source components in your proprietary software and their corresponding open source licenses and vulnerabilities to help mitigate the legal and security risks. Black Duck applies state-of-the-art scanning mechanisms to find the most comprehensive list of open source software (both source and binary) used in your software. Furthermore, Black Duck provides capabilities to contextualize operational risks originating from various licenses and security vulnerabilities through a rule-based engine.

Learn more about Black Duck software composition analysis

This post was originally published Dec. 30, 2016, and was refreshed Oct. 21, 2019.