Managing license compliance with Black Duck SCA

Of the 1,500 codebases we scanned, 90% contained open source components with license conflicts, customized licenses, or no license at all. 65% of the codebases audited in 2020 contained open source software license conflicts, typically involving the GNU General Public License.

One might ponder why open source, which by its definition is free, involves licenses of any kind. It is important to understand that “free” in this context does not free you from intellectual property obligations. All three issues (license conflicts, customized licenses, and no licenses) require evaluation for potential intellectual property infringement or other possible legal concerns. This is particularly true in the context of a merger and acquisition due diligence process.

The specifics of license compliance

Open source license compliance poses immeasurably large risks for organizations that have no grasp on their level of license conflict exposure. Take, for example, the 2008 Cisco lawsuit: the Free Software Foundation (FSF) sued Cisco for selling products that contained open source, which violated the related GPL and LGPL license obligations. This lawsuit resulted in a settlement for FSF, but the damage was done; financial and reputational implications to Cisco were costly and long-lasting.

Key considerations

Know your risk. There are different levels of risk associated with license obligations. Knowing what licenses are in your open source and how risky they are is critically important. These are just a few of the licenses you should consider; read our blog for a more comprehensive dive on the top open source licenses.

• Permissive
  • MIT
  • Apache 2.0
     
• Medium risk
  • Mozilla
  • Eclipse Public
     
• High risk
  • GPL
  • EU public license

And just because there is no license associated with a component, doesn’t mean there is no risk. Components without licenses still carry copyright obligations, at least in the U.S.

What tools and practices you need to manage license compliance

In order to tackle open source license compliance, you need both tools and practices in place that:

• Create custom policy configuration that matches your organization’s risk tolerance
• Perform open source discovery
• Match open source to related licenses reliably
• Enforce license policy automatically
• Deliver simplified and complete license terms, so you can understand what you’re dealing with

The Black Duck approach to license compliance

Black Duck Software Composition Analysis (SCA) solution helps you manage security, quality and license compliance risks associated with the use of open source and third party code. Black Duck’s industry-leading capabilities exceed basic licensing concerns, delivering the most comprehensive and hands-off open source management offering.

Black Duck SCA differentiators

Customized rules. Black Duck allows you to define policy based on your organization’s risk tolerance and the software you are developing. Examples of customized policies you can create include:

• Preventing the use of GPL licenses for externally distributed projects
• Preventing the use of high-risk licenses for any projects
• Preventing the use of licenses with unfulfilled terms
• Preventing the use of licenses that are currently under review
   

Superior open source identification. Black Duck effortlessly identifies open source components in your code. Black Duck offers:

• Standard dependency analysis for package managers
  
• Snippet and signature scanning
  • Code and license lines that have been copied and pasted into your application still carries license obligations
  • Black Duck's scanning handles open source in languages that don't use package managers (C/C++)
     
• Binary analysis. Black Duck’s binary analysis capabilities help you:
  • Find open source and license obligations without the need for source code
  • Scan compiled code that still carries license obligation
  • Ensure license compliance no matter where you use it in the supply chain

Unmatched intelligence. Black Duck matches open source, or license lines, to known licenses using our proprietary Knowledge Base. As the industry’s most comprehensive database of open source project, license, and security information, our KB covers more than 3.8 million open source components from over 20,000 forges and repositories and tracks more than 3000 unique licenses.

Deep license analysis. Declared licenses can often be inaccurate or incomplete, so Black Duck does deep license analysis which inspects source and other files within packages looking for undeclared licenses. We can also scan custom code to ID license text and obligations, which could have potentially been added by developers or are indications that code was copied from open source.

Effortless enforcement and critical feedback.

• Black Duck provides full license text, which is important for fully evaluating, reviewing, and understanding licenses, the risk they pose to your organization, and what it takes to completely comply with them.
• Black Duck provides a list of categorized obligations in a manner that anyone can understand, regardless of their role. Obligations are categorized simply by what is required, forbidden, and permitted. For example, a license may require you to include copyright notices, forbid you from holding original owners liable for any damage, and permit you to modify the software.
• Black Duck helps with license obligation fulfillment, tracking license obligations per component to ensure required activities are completed.
• Black Duck integrates seamlessly across the entire SDLC to provide the right amount of information to the right person at the right time. Rapid Scan detects license policy violations before merging code into release branches, CI integrations enable you to easily identify issues from within the build environment, and continuous monitoring notifies you of any issues related to your bill of materials even after an application is shipped.
• Black Duck automatically generates notices files and copyright statements, which most licenses, regardless of permissiveness, require be included with product documentation.