3 and a Half Reasons You Really Need to Scan for Open Source Software

  

 Email Article  

Tweet  

  

At a basic level, OSS scanners, such as OpenLogic's OSS Deep Discovery, analyze software development projects looking for components that come from OSS projects. They tie their results to in-depth information about the open source projects, licensing information and even project support. If you're a developer or a project manager here are some reasons you might want to run one on your project. 

Known knows and unknown unknowns

The widespread acceptance of open source projects such as the Apache HTTP Server, the MySQL database management system or even Mozilla Firefox and Google Chrome has raised awareness of open source software and its use in the enterprise. Although there aren't hard and fast numbers for how many commercial projects have open source components, an OpenLogic survey looking at open source adoption in the enterprise found that 73% of respondents either preferred OSS solutions or evaluated them on the same footing as commercial alternatives.

Factor in the long history of code sharing by software developers, dating back to the early days of UNIX, BBSs and printed code samples, as well as the ready accessibility of OSS code on the Internet, and even those enterprises that mandate commercial-only solutions may find that their software is built with some OSS.

Undiscovered OSS in a project can come as a shock to the project manager or even the current development team and can have significant legal and monetary consequences if it's found after a product has shipped.

On the other hand, OSS components that are known and understood can be a great benefit to a project, providing robust solutions in a variety of areas while cutting project costs and allowing the development team to focus on its core business.

Ignorance is not bliss

One of the biggest concerns in enterprise-level software development is the licensing and legal issues that come along for the ride when using any third-party software. This is one of the principal concerns addressed by OSS scanning. For more information on OSS licenses, check out OpenLogic's white paper, Understanding The Three Most Common Open Source Licenses.

Many OSS projects have enterprise-friendly licensing which allows companies to use their code, but even in some of the most liberal licenses, there can be obligations requiring the user or team using the OSS component to acknowledge the project or its copyright holders. While this is can be a simple requirement to meet, by adding some information to an "About" screen, for example, that can only be done if the project's manager knows that their project contains the licensed code.

Some licenses have more draconian obligations which may impact how a project using a licensed component can be licensed or imposing other requirements. A well-known example of this is the GNU General Public License (aka the GPL, learn more in our Guide to GPL Compliance). When software licensed under versions of the GPL is used in a project, the license can, under some circumstances, mandate that all of the code for that project be made publicly accessible or be licensed under a GPL license as well. Obviously, for a company building new intellectual properties, this would make it difficult to keep trade secrets, well, secret.

Short version: knowing which OSS licenses apply to your project and how they might affect the project is essential. A good OSS scan gets you there.

Support and updates are nice

Scary licensing issues aside, one of the best reasons for tracking down any OSS in your software is to find the dedicated community that's grown up around the OSS projects. Major OSS projects are generally backed by a group of smart, highly dedicated individuals who understand their project inside and out and are willing to share their knowledge with you freely.

Additionally, active OSS projects fix bugs and release updates regularly and efficiently. If your scan finds a OSS component that's giving you problems, chances are high that the OSS project already has a fix in place and available.

In those cases where an OSS project has a smaller team or more limited resources, commercial companies, such as OpenLogic, have stepped in to offer support, indeminifcation and even custom updates and patches.

Calm and relaxation

Finally, whether the OSS scan reveals components you didn't know about, licenses that your project can work with or problems that you need to fix, having clarity about the OSS in your project can remove at least one big source of stress in the already stressful job of putting software together. Not a day at the spa, but maybe it can help you breath a little easier...