Nearly 80% of code in modern applications originates from open source projects and is protected under various open source licenses. Failure to completely fulfill the obligations of every license puts your own IP at risk.
Risk varies across license types
Permissive
Permissive licenses, considered low risk, contain minimal requirements or restrictions regarding how software can be modified or redistributed. Examples include the MIT license and Apache license.
Semipermissive
Often referred to as limited, weak copyleft, or copyleft, these licenses are considered medium risk because if you modify the code, you must release the modifications, but not your whole application, under the same license. Examples include Mozilla and the Eclipse public licenses.
Restrictive
Restrictive licenses carry a great deal of legal risk. If you use a component with one of these, you might be legally obligated to publicly release your entire application code. Examples are the GNU GPL and GNU LGPL.
| Allowed | Required | Forbidden | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Commercial use | Distribute | Modify | Patent use | Private use | Disclose source | License & copyright notice | Same license | State changes | Liability | Warranty | Trademark use | |
| GNU AGPLv3 | ||||||||||||
| GNU GPLv3 | ||||||||||||
| GNU LGPLv3 | ||||||||||||
| Mozilla Public License 2.0 | ||||||||||||
| Apache License 2.0 | ||||||||||||
| MIT License | ||||||||||||
| Boost Software License 1.0 | ||||||||||||
| The Unlicense | ||||||||||||
AI code generation and license risk
AI coding assistants like GitHub Copilot and ChatGPT are trained on open source projects. These tools can provide source code without including license context, leaving you open to IP infringement risk.
Black Duck® software composition analysis (SCA) snippet analysis scans source code written by developers or AI coding tools to identify partial bits of open source code, match it back to the project it originated from, and provide license information and compliance guidance.
Automate open source license compliance with Black Duck SCA
Identify open source licenses
For every open source dependency identified, Black Duck SCA surfaces the exact licenses being used. This includes explicitly declared licenses, sublicenses, and embedded licenses.
Get simplified insights
Requirements and restrictions associated with each license are extracted and provided in a simplified view, along with complete license texts and copyright information.
Get alerts on policy violations and license conflicts
Alerts are issued when license policies are violated, or when conflicts exist between the project license and dependency licenses.
Create custom policy rules
Custom policy management defines which licenses are allowed and which workflows should be triggered should a violation occur.
Automate notices file generation
Notices files, which are required of almost every open source license, are automatically or manually generated for projects and consumable via user interfaces and APIs.
On-demand expertise for open source license compliance
Get a comprehensive view into open source license obligations with an open source and third-party software audit. Black Duck® Audits are the industry’s most trusted open source due diligence solution, combining leading SCA capabilities with expert open source auditors to provide a complete and accurate Software Bill of Materials to help you make informed decisions with confidence.
Learn more about open source risk management
Know what's in your code
The OSSRA report highlights the current state of open source security, compliance, and code quality risks in commercial software.
Get insights from the OSSRA
Navigating the pitfalls of open source in SaaS apps
Get key considerations and solutions for managing open source
Software Supply Chain Security: Navigating NIST, CRA, and FDA Regulations
Watch the webinar
Mastering open source license compliance and dependencies
Explore tools for assessing software risk and ensuring software compliance