Software Integrity Blog


Top open source licenses and their legal risk categories

Before using an open source component, you should know what legal risk it carries. Here are the top open source licenses and their risk categories.

Classification of open source licenses: A developer’s perspective

Throughout my career, I have used various open source libraries (software or freeware) to build software systems primarily for data management and analytics applications. I knew the software may be governed by different types of open source licenses, but I did not necessarily know the details, in particular about those technical and somewhat convoluted licensing conditions that could pose compliance challenges.

The main problem in this context is that license terms are open to interpretation, and how they apply depends on how the corresponding open source software is technically used. Therefore, it is difficult to determine the level of legal risk (even before knowing the precise compliance issues) involved in using open source software. In general, what helps developers (who are usually not legal experts), regardless of how they use or integrate open source software, is a broad classification of licenses based on the legal compliance risk they pose.

Any classification (legal or technical due diligence aside) will be subjective at some level. However, depending on the licensing terms and conditions and the risks they pose in the context of technical legal compliance, many licenses can be broadly categorized into three basic groups. Many thanks to my former colleague Stefan Gustafsson for initial work on the license classification problem.

Low risk permissive open source licenses

Permissive open source licenses generally impose no real limiting conditions beyond the not-so-trivial requirement of keeping the copyright notice in any distribution of the corresponding open source software. This basically means that you can use the open source software as needed (including making changes) as long as you keep the copyright notices intact. Some licenses in this category are the Apache and MIT licenses. We can rate permissive licenses as LOW risk licenses.

Medium risk semi-permissive licenses

Semi-permissive licenses usually require that if you make modifications to the underlying computer programs (i.e., the software code), you make these modifications available under the terms of the given license. This means that if you modify open source software under such a license, you may be required to provide access to the source code of the modifications and make the relevant source code available under that license.

Some of these licenses explicitly define what a modification means. For instance, copying unmodified open source code into proprietary code can be treated as modification. To comply with the obligations in this scenario, the developer has to release the source code (original, modified, and newly added). Some licenses in this category are the Mozilla and the Eclipse Public Licenses. We can rate semi-permissive licenses as MEDIUM risk licenses.

High risk restrictive licenses

Some open source licenses, such as the GNU GPL and GNU LGPL, are quite restrictive because of their viral, copyleft, and hereditary characteristics. Depending on how the open source software is technically integrated with proprietary software, there is a significant risk in using it. In the worst-case scenario, developers may be required to release their proprietary software under the same license, royalty-free. We can rate restrictive licenses as HIGH risk licenses.

Top 31 open source licenses by risk

Following is a list of the open source licenses most frequently used by developers (it is not an exhaustive list) and their risk classification as described above. This classification is only a guideline and should not be used on its own to make decisions about using open source software governed by each license. Developers should consult their legal/technical teams for further guidance regarding license compliance.

License name | Risk level | License source
2-Clause BSD (“Simplified” or “FreeBSD”) License | LOW | http://opensource.org/licenses/BSD-2-Clause
3-Clause BSD (“New” or “Revised”) License | LOW | http://opensource.org/licenses/BSD-3-Clause
Apache License 2.0 (Current) | LOW | https://www.apache.org/licenses/LICENSE-2.0
Apache License 1.1 (Historic) | LOW | https://www.apache.org/licenses/LICENSE-1.1
Apache License 1.0 (Historic) | LOW | https://www.apache.org/licenses/LICENSE-1.0
ANTLR License | LOW | http://www.antlr.org/license.html
Boost Software License 1.0 | LOW | http://www.boost.org/users/license.html
Code Project Open License (CPOL) | LOW | http://www.codeproject.com/info/cpol.aspx
ICU License | LOW | https://spdx.org/licenses/ICU.html
INFO-ZIP License | LOW | http://www.info-zip.org/license.html
Jaxen License | LOW | https://mvnrepository.com/artifact/jaxen/jaxen/1.1.6
MIT License | LOW | http://opensource.org/licenses/MIT
Zlib/Libpng License | LOW | http://opensource.org/licenses/Zlib
Common Development and Distribution License 1.0 (CDDL-1.0) | MED | http://opensource.org/licenses/CDDL-1.0
Common Public Attribution License 1.0 (CPAL-1.0) | MED | http://opensource.org/licenses/CPAL-1.0
Common Public License | MED | http://opensource.org/licenses/cpl1.0.php
Eclipse Public License 1.0 | MED | http://www.eclipse.org/legal/epl-v10.html
IBM Public License 1.0 | MED | http://opensource.org/licenses/IPL-1.0
Mozilla Public License 1.0 | MED | https://www.mozilla.org/MPL/1.0/
Mozilla Public License 1.1 | MED | http://www.mozilla.org/MPL/1.1/
Mozilla Public License 2.0 | MED | http://www.mozilla.org/MPL/2.0/
Netscape License 1.1 | MED | http://www.mozilla.org/MPL/NPL/1.1/
Creative Commons Attribution Non-Commercial 3.0 | HIGH | http://creativecommons.org/licenses/by-nc/3.0/legalcode
European Union Public License 1.1 | HIGH | http://opensource.org/licenses/EUPL-1.1
GNU Affero General Public License 3 (AGPL-3.0) | HIGH | http://www.gnu.org/licenses/agpl-3.0.html
GNU General Public License 2.0 | HIGH | http://www.gnu.org/licenses/gpl-2.0.html
GNU General Public License 3.0 | HIGH | https://www.gnu.org/copyleft/gpl.html
GNU Library or “Lesser” General Public License 2.1 | HIGH | https://www.gnu.org/licenses/old-licenses/lgpl-2.1.html
GNU Library or “Lesser” General Public License 3.0 | HIGH | http://www.gnu.org/copyleft/lesser.html
GNU General Public License 1.0 | HIGH | http://www.gnu.org/licenses/gpl-1.0.html
Creative Commons Licenses | VAR* | (see note below)

* Different versions of the Creative Commons Licenses have different risk factors. Consult your IP/legal team about specific versions.

Black Duck software composition analysis enables you to discover open source components embedded in your proprietary software and their corresponding open source licenses and vulnerabilities to help mitigate the legal and security risks. Black Duck applies state-of-the-art scanning mechanisms to find the most comprehensive list of open source software (both source and binary) used in your software. Furthermore, Black Duck provides capabilities to contextualize operational risks originating from various licenses and security vulnerabilities through a rule-based engine.
