Nearly 80% of code in modern applications originates from open source projects and is protected under various open source licenses. Failure to completely fulfill the obligations of every license puts your own IP at risk.
Permissive
Permissive licenses, considered low risk, contain minimal requirements or restrictions regarding how software can be modified or redistributed. Examples include the MIT license and Apache license.
Semipermissive
Often referred to as limited, weak copyleft, or copyleft, these licenses are considered medium risk because if you modify the code, you must release the modifications, but not your whole application, under the same license. Examples include Mozilla and the Eclipse public licenses.
Restrictive
Restrictive licenses carry a great deal of legal risk. If you use a component with one of these, you might be legally obligated to publicly release your entire application code. Examples are the GNU GPL and GNU LGPL.
Allowed | Required | Forbidden | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
Commercial use | Distribute | Modify | Patent use | Private use | Disclose source | License & copyright notice | Same license | State changes | Liability | Warranty | Trademark use | |
GNU AGPLv3 | ||||||||||||
GNU GPLv3 | ||||||||||||
GNU LGPLv3 | ||||||||||||
Mozilla Public License 2.0 | ||||||||||||
Apache License 2.0 | ||||||||||||
MIT License | ||||||||||||
Boost Software License 1.0 | ||||||||||||
The Unlicense |
AI coding assistants like GitHub Copilot and ChatGPT are trained on open source projects. These tools can provide source code without including license context, leaving you open to IP infringement risk.
Synopsys software composition analysis (SCA) snippet analysis scans source code written by developers or AI coding tools to identify partial bits of open source code, match it back to the project it originated from, and provide license information and compliance guidance.
For every open source dependency identified, Synopsys SCA surfaces the exact licenses being used. This includes explicitly declared licenses, sublicenses, and embedded licenses.
Requirements and restrictions associated with each license are extracted and provided in a simplified view, along with complete license texts and copyright information.
Alerts are issued when license policies are violated, or when conflicts exist between the project license and dependency licenses.
Custom policy management defines which licenses are allowed and which workflows should be triggered should a violation occur.
Notices files, which are required of almost every open source license, are automatically or manually generated for projects and consumable via user interfaces and APIs.
Get a comprehensive view into open source license obligations with an open source and third-party software audit. Black Duck® audits are the industry’s most trusted open source due diligence solution, combining leading SCA capabilities with expert open source auditors to provide a complete and accurate Software Bill of Materials to help you make informed decisions with confidence.
The OSSRA report highlights the current state of open source security, compliance, and code quality risks in commercial software.
Get insights from the OSSRAGet key considerations and solutions for managing open source
Learn how Nuance met strict software development requirements with Synopsys.
Read the case studyExplore tools for assessing software risk and ensuring software compliance