Companies Miss Complying with Open Source Licenses Due to Indirect Dependencies

New WhiteSource research shows that 91% of software projects contain indirect open source dependencies. The average project relies on no less than 64 different libraries with 8 different licenses.

WhiteSource, the leading provider of Open Source Lifecycle Management solutions, released today research that quantifies the degree to which open source components depend on other open source libraries, especially where multiple different licenses are involved. According to the research, in 91% of software projects some of the open source components imported by developers contained additional dependencies that were brought in by those components. Moreover, in 65% of the cases, open source components bring with them additional dependencies that are subject to a different license.

To be productive, most software developers rely on open source components, and most actively track the licenses of these components to control potential risks and to ensure compliance with their requirements. However, the WhiteSource survey shows that many only track and account for the components that they use directly, and miss the libraries that these components depend on. Since the dependencies often use different licenses, substantial risks and compliance requirements are frequently overlooked.

Most software development companies rely on developers to receive approval for, or at least report, the open source components they use. R&D managers, build/release managers, and legal counsel then rely on these reports to ensure compliance with license requirements and to govern the related risks to intellectual property and business practices. However, lacking proper tools that detail all dependencies, developers almost surely miss the long chain of open source libraries that are automatically imported with the open source components they use. As a result, decision makers are often not provided with full information, compliance is lacking, and risks are not properly accounted for and managed.

According to a recent WhiteSource research, based on 473 real software projects:

  • The average software project contains 64 open source dependencies and an average of 8 different open source licenses.
  • 37% of all open source components depend on other open source libraries. On average, each of these has 9 dependencies and 3 different open source licenses.
  • 91% of open source projects contain indirect dependencies.
  • 64% of open source projects were subject to indirect licenses, due to dependencies.
  • 65% of open source components were subject to additional licenses, due to dependencies.
  • The most complex software project had 1917 open source dependencies.
  • Most projects were subject to multiple licenses, with the maximum recorded at 26 licenses.
  • 27% of all projects were subject to more than 10 different licenses.
  • 58% of all projects were subject to more than 5 different licenses.

An exacerbating factor is that most companies rely on manual or semi-automated processes to research and report open source components and licenses, and often use static documents to track them. As a result, not only is it difficult and laborious to identify dependencies and their licenses, it is also impossible to track changes over time, e.g., an open source project that adds features and pulls in new dependencies to do so. It doesn’t help that open source tracking is not a task that developers are fond of, to say the least.

“Correctly tracking and updating the open source inventory down to the last dependency is one of the most tedious and least favorite tasks for developers. Due to its complexity, it is almost never done properly, and most organizations rely on incomplete, stale, and often incorrect information,” says WhiteSource CEO Rami Sass. “WhiteSource automatically identifies any new open source component that is added by a developer, and then immediately presents the entire dependency tree, down to the last library and license. We keep the information current, so we can notify customers of changes to existing components. As such, WhiteSource enables customers to be on top of their entire open source inventory and licenses, all the time, while also relieving developers from the need to research and document all this information. New customers can have a full mapping of the open source inventory, down to the hundreds of dependencies and licenses, typically within 10-15 minutes. We currently provide automatic plug-ins for Apache Maven and Ant, Jenkins, JetBrains TeamCity, Red Hat OpenShift, JFrog Artifactory and Atlassian Bamboo.”

WhiteSource provides a comprehensive, yet simple to use, and very affordable solution for companies that need to manage their open source assets and ensure license compliance and control.

  • New open source components are automatically detected, in real time when they are added by developers, and documented down to the last dependency and license
  • Open source libraries and licenses are analyzed for their respective risks and compliance requirements
  • Open source inventory is managed, automatically updated, and tracked for changes, including approval workflow, documentation, and reporting
  • Proactive alerts tell customers of updates that fix security holes and other major bugs

WhiteSource is an easy-to-use, cloud-based SaaS service that provides decision makers with all the information they need to understand the legal, business, and technical risks of specific open source libraries, as well as what needs to be done to comply with their licensing requirements.

WhiteSource offers a free service that includes all basic open source license management and control functions, as well as Premium and Enterprise subscriptions.