 |
 |
 |
Open Source License Obligation Analysis
Open source software provides significant technical and cost benefits for enterprises. However, just as with commercial software, open source software comes with licenses that enterprises need to comply with. Non-compliance can result in legal action, monetary damages, negative publicity, and compromised intellectual property.
OpenLogic's Open Source License Obligation Analysis service provides the license information enterprises need to understand open source license obligations and reduce potential risks. The License Obligation Analysis service identifies the licenses, obligations, and requirements associated with the open source packages used in the enterprise. At the conclusion of the analysis, OpenLogic provides comprehensive reports that give legal and compliance staff the information they need to make informed decisions about open source deployments and distribution.
What's Included
OpenLogic's Open Source License Obligation Analysis service provides detailed information about the risks and obligations associated with open source software packages. For every software distribution analyzed, OpenLogic prepares two reports.
The License Obligation Summary Report includes:
Summary of licenses and license references included with the open source package
List of bundled open source packages and the associated licenses
Summary of license obligations, including notice and attribution requirements and source code disclosure requirements based on package usage
License compliance checklist, which lists the steps you need to follow in order to ensure license compliance
The License Obligation Detail Report includes:
List of all files included with the package, the license associated with each file, and the means by which licenses were associated with files
Detailed list of obligations, attributions, and compliance actions required to use an open source package
Descriptions of all license obligations
License compatibility issues that may arise, depending on how the package is used
The complete text of every license found
Why License Compliance is Important
Although many companies are familiar with the "copyleft" aspects of licenses like the GPL, they are often unaware that most open source packages include multiple dependencies and bundled components that often have different licenses. An open source package with a "liberal" license may include bundled components licensed under the GPL or other more restrictive licenses. Open source licenses can also conflict with each other, creating legal issues that must be addressed. Without a comprehensive understanding of every license associated with the open source packages used in the enterprise, organizations may be at risk of violating the legal obligations of one or more licenses.
These risks exist even for companies that do not typically sell or distribute software. Incidental distribution — such as providing partners, customers, or even consultants with internal applications based on open source — may create obligations on licenses.
How It Works
The Open Source License Obligation Analysis service can be employed either to analyze open source packages before they are used or to audit open source components within internally-developed applications. Any open source package used in the enterprise can be submitted for analysis, regardless of whether or not it's included in the online library of over 330,000 open source software packages available via OpenLogic Exchange (OLEX).
Once your License Obligation Analysis request has been received, a representative from the OpenLogic services team interviews the appropriate members of your engineering team to gain an understanding of key issues for each open source package and version to be analyzed. This interview covers topics such as how packages are used, whether or not source code has been modified, the method of linking used in development, and whether and how code is distributed. Next, OpenLogic's services team uses several scanning options and tools to gather the necessary information and produce your License Obligation Analysis reports.
Remediation
The Open Source License Obligation Analysis service uncovers the available information about the files included with an open source package, but in some cases files lack complete information. If the license associated with a file is not clear, OpenLogic will make reasonable efforts to resolve the issue. These efforts may include some or all of the following:
Performing online research
Contacting open source communities or community members
Contacting copyright holders or owners
OpenLogic cannot guarantee that all open issues can be resolved within the required time frames. If after reasonable efforts OpenLogic cannot resolve open issues within required time frames, any remaining issues will be documented and included in the Open Source License Obligation Analysis reports.
Get a Quote
Learn more about how OpenLogic can help you understand open source lisense risks and obligations. Contact us today for a price quote on the License Obligation Analysis service.
Get a Quote
Get a Demo of Deep Discovery
Register for a demonstration of OSS Deep Discovery and see how fast and accurate source code scanning can be.