Tips and Tools for Open Source Compliance
Table of Contents
Open source software has become the backbone of modern software development, offering a treasure trove of free,reliable components. However, this convenience comes with a critical challenge: license compliance. As open source components proliferate, ensuring adherence to complex legal agreements becomes increasingly complex.
To navigate this complex landscape, organizations must establish a robust framework. This includes crafting a clear open source policy, conducting a thorough inventory of components, developing a plan for non-compliant code, and creating comprehensive attribution documentation. While daunting, this foundation is essential for long-term success.
Let’s dive deeper into each of these steps and explore tools that can streamline the process.
This article is part of a series of articles about Open Source License Compliance
Open source compliance policy
Navigating the complex world of open source licenses can seem overwhelming. Fortunately, the majority of open source projects are covered by just a handful of licenses.
Your open source compliance policy is your roadmap. It outlines which licenses are acceptable, requires an approval process for others, and establishes how to handle new components. Involve your legal and engineering teams, and consider including security for added protection.
Focus on creating clear allow and deny lists of licenses. While there are over 200 open source licenses, the Open Source Initiative has approved just over 70. Remember, not all copyleft licenses are problematic, and even permissive licenses can have hidden restrictions.
To deepen your understanding of open source licensing, consider taking The Linux Foundation’s free online course.
By following these guidelines, you can establish a solid foundation for open source compliance within your organization.
To gain more understanding on different open source licenses and requirements for adding copyrights and notices, we highly recommend you check out The Linux Foundation’s free online course: Open Source Licensing Basics for Software Developers.
Building Your Open Source Inventory
Once you have a solid open source compliance policy in place, the next step is to identify the open source components within your software. Manual tracking might be feasible for small teams, but for larger organizations, automated solutions are often more efficient.
Your goal is a comprehensive inventory of all components and their associated licenses, including dependencies. These reports are crucial for maintaining compliance.
By creating a detailed inventory, you’ll gain valuable insights into your software’s open source footprint and potential risks.
Addressing Non-Compliant Components
After generating your open source inventory, identify components that violate your policy or lack a license altogether.These require immediate attention.
Develop a comprehensive plan to replace non-compliant components. Prioritize based on risk and impact.
While the complexity of this task varies, it’s essential for maintaining compliance and protecting your organization.
By proactively addressing these issues, you can mitigate legal risks and ensure your software’s long-term viability.
Attribution document
You’re almost there but don’t put your feet up just yet. Once you have taken inventory of all open source components and licenses in your software and processed everything based on your open source license compliance policy, you are likely to need to prepare an attribution document. Most open source licenses contain some kind of an attribution clause. Compliance with these clauses generally takes the form of an attribution document which includes a list of copyrights, notices, and licenses.
Now that you have a policy, an inventory, an attribution document, and your current codebase is compliant with all open source licenses involved, you need an approach for applying your policy to new components added to your software and how to manage your approval process. Below we’ve created a list of open source compliance tools that can help you and your team based on your preferred tracking method.
List of open source compliance tools to help you manage your licenses
#1 The Basic – Spreadsheets & Emails
The most basic approach is to manually track your open source software components with spreadsheets or ticketing software. The attractiveness of this is that it takes practically no work to set up and requires no overhead or customizing of additional tools.
If you decide to use this method you will need to be diligent and have policies in place for how license information about new open source code will be added to your inventory list as your project grows and who is responsible for making sure that information is added.
If you are using a very small number of open source libraries then it’s probably sufficient for tracking your usage, but it won’t scale easily as your software and the open source code within it grows. Although still a popular approach, due to increased awareness of scaleable, affordable automated solutions, like Mend.io’s, many companies are moving away from this method.
#2 FOSSology
A step above a spreadsheet, several open source tools exist to help to automate a part of the process of manually tracking and the best known and most advanced is FOSSology, a project started by Hewlett-Packard and now hosted by The Linux Foundation.
FOSSology scans the headers of files in your project and detects text from open source licenses. This offers significant automation over basic manual tracking and can find open source components that were not tracked by developers. The main drawback to using FOSSology is that it is likely to suffer from many false negatives – if a file doesn’t have a license referenced in the header file, that license or, just as importantly, lack of license, will not be detected.
#3 Code Scanners
The bulk of commercial open source management tools, including Black Duck Software, Palamida, OpenLogic, and Synopsis, fall into the category of periodical code scanners. These tools scan your entire codebase looking for snippets of open source code and determine what licenses they fall under. Given there are billions of open source components out there, the odds that two unrelated snippets of code may incidentally match are high, causing a large volume of false positives that you will need to sort through when using these types of tools. Another downside is that these code scanners are not agile. You will only know about your open source license vulnerabilities when you perform a scan of your entire codebase. Scans can take a significant amount of time and will need to be repeated as you add more open source code. Even those companies still using waterfall methods can find these scanners causing bottlenecks in their development pipeline.
#4 Continuous Integration Scanners
Continuous integration scanners offer an automated solution to both tracking and managing the open source components in your software. These tools provide accurate and detailed information and remove the need for developers to manually take account of each newly added component. This is the approach provided by Mend.io. Our tool additionally automates tracking and managing security vulnerabilities, software bugs, versions, and more, but for now, let’s stay within the scope of this blog and focus on licenses.
As the name suggests, this type of scanner fits right into your continuous integration or build tools (such as Jenkins, Maven, or Ant) and automatically detects all open source components in your build every time you run them – likely multiple times per day. It works by calculating a unique identifier for each library you use and then cross references with its database to detect the open source libraries. With this approach you get constant feedback about your open source libraries and their licenses, without the false positives, giving you the information you need to react in an immediate and agile way when there is conflict with your open source policy. You can even set an automated policy that will approve, reject, or send a request for approval based on your rules – even breaking the build if a blacklist license is used.
This technology automates the entire process – from automatically enforcing your policy, to managing the approval process, all the way up to automatically creating the attribution document. Once you’ve set up a continuous integration scanner with your policy, much of the rest of your job is done for you, increasing your accuracy and releasing your developers from time consuming bureaucracy.
So which approach is right for you?
Different organizations have different needs and there are tools out there for everyone. To determine what’s right for you, you will need to take a good look at the size of your project, your development methodology, the liabilities for missed compliance, and the cost of swapping out an open source component if its license doesn’t match your open source policy.
For very small projects manual tracking can be sufficient. More complex projects, particularly those built inside of an agile organization and released on a frequent schedule, benefit from continuous detection of open source components.
The growing use of open source code in enterprise software shows that the benefits of using open source code clearly outweighs the cost of compliance. With the continuing development of modern tools for open source license management, it’s easier than ever to integrate smart and streamlined development processes and stay compliant. tools for open source license management, it’s easier than ever to integrate smart and streamlined development processes and stay compliant.
