So you think you don’t need an open source software (OSS) audit? Well, read this article before you answer this question.
Last year, here at Rogue Wave Software, the audit team scanned millions of files searching for open source packages, open source licenses, and commercial and legacy code usage. On average, we found 63 OSS packages and 16 OSS licenses per audit, with 45 percent of all scanned files containing OSS.
But that’s not all.
We also found that approximately 60 percent of audits contained strong copyleft licenses. Some of the most common copyleft licenses are from the GNU license family; for example, the GNU General Public License (various versions), the GNU Lesser/Library General Public License (various versions), etc. These licenses are called copyleft licenses because of their viral effect on any software they get combined with: they require organizations to provide the source for any modification or derivative work. As a result, 82 percent of the organizations whose code carried copyleft licenses had to provide access to their source code if that software is distributed.
We also found that 20 percent of all the audits we completed contained “free” licenses that restrict commercial use, i.e. they permit non-commercial use only. The most common example of this kind of open source software is HighchartJS. If you pay close attention to the HighchartJS license terms and conditions, they specifically say that it is free to use for non-commercial applications or educational purposes (such as universities and schools), but if you use it in a commercial application you are required to purchase the commercial version of HighchartJS. These findings were quite surprising to some of our clients, and they took steps to mitigate their risks.
But above all, here is an alarming fact that no one expected: of all the audits we completed last year, 98 percent found open source software in the code base. This alone would be a good reason for any company involved in developing, acquiring, or outsourcing software to have OSS audits done.
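As an added example (not the article's own tooling), here is a minimal first-pass scan in Python that walks a code tree, matches a few license markers and reports the kind of figures quoted above: the share of files carrying OSS, the licenses seen, and which files need copyleft or commercial-use review. The marker regexes, the categories and the sample tree are constructed assumptions; a real audit matches full license texts and package metadata rather than a handful of patterns.

```python
import re
from collections import Counter
from pathlib import Path

# Marker patterns for the license families the article singles out (constructed and
# deliberately minimal: a real audit matches full license texts and package metadata).
LICENSE_MARKERS = {
    "GPL": (re.compile(r"GNU GENERAL PUBLIC LICENSE|SPDX-License-Identifier:\s*GPL-", re.I),
            "strong-copyleft"),
    "LGPL": (re.compile(r"GNU (LESSER|LIBRARY) GENERAL PUBLIC LICENSE|SPDX-License-Identifier:\s*LGPL-", re.I),
             "weak-copyleft"),
    "Highcharts": (re.compile(r"Highcharts.*non-?commercial", re.I), "non-commercial"),
    "MIT": (re.compile(r"\bMIT License|SPDX-License-Identifier:\s*MIT\b", re.I), "permissive"),
}

# Constructed sample tree (path -> file text) standing in for a scanned code base.
SAMPLE_TREE = {
    "src/app.c": "/* Copyright Example Corp. All rights reserved. */\nint main(void) { return 0; }\n",
    "src/util.c": "/* SPDX-License-Identifier: GPL-2.0-only */\nint add(int a, int b) { return a + b; }\n",
    "lib/list.c": "/* SPDX-License-Identifier: LGPL-2.1-or-later */\n",
    "web/vendor/highcharts.js": "/* Highcharts JS - free for non-commercial use only */\n",
    "web/vendor/lodash.js": "/* lodash - MIT License */\n",
}

def classify_file(text):
    """Return the set of (license, category) pairs whose markers appear in the text."""
    return {(name, cat) for name, (pat, cat) in LICENSE_MARKERS.items() if pat.search(text)}

def load_tree(root, max_bytes=200_000):
    """Read a real directory into the same path -> text mapping that audit() consumes."""
    root = Path(root)
    return {str(p.relative_to(root)): p.read_text(errors="ignore")[:max_bytes]
            for p in root.rglob("*") if p.is_file()}

def audit(files):
    """Summarise a tree the way the article reports its findings: how many files carry
    OSS markers, which licenses appear, and which files need copyleft or commercial review."""
    hits = {path: classify_file(text) for path, text in files.items()}
    with_oss = [p for p, h in hits.items() if h]
    return {
        "files": len(files),
        "files_with_oss": len(with_oss),
        "pct_files_with_oss": round(100 * len(with_oss) / len(files)) if files else 0,
        "licenses": dict(Counter(name for h in hits.values() for name, _ in h)),
        "strong_copyleft_files": [p for p in with_oss if "strong-copyleft" in {c for _, c in hits[p]}],
        "non_commercial_files": [p for p in with_oss if "non-commercial" in {c for _, c in hits[p]}],
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_TREE).items():
        print(f"{key}: {value}")
```

Replace `SAMPLE_TREE` with `load_tree("path/to/checkout")` to run the same summary over a real source tree.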
Now, one might think that with controlled software development procedures in place, they can stay away from OSS and/or non-compliance with OSS licenses. To some extent this is true, and you can put a strict monitoring system in place for OSS. But keep in mind that in most cases even the best monitoring systems have proven ineffective, because there are various ways open source can enter your code base.
To understand this point better, try answering the following questions about how software is actually developed in your company:
• Are you keeping track of every piece of OSS getting added to your code?
• Are you getting outsourced code?
• Are you using legacy code?
• Are you using commercially licensed code?
• Are you developing all your source code in your company without a proper OSS governance system?
If your answer to any of these questions is YES, then you need to get your code audited.
The reason is that any of these methods of development can introduce OSS into your code. Let’s go through each of these possibilities. If you are not tracking your incoming code for OSS, along with any outsourced code, then you have no idea what is being introduced into your code base. If you are using legacy code that was never vetted from an open source perspective, then you may not know whether it carries embedded licenses that can put your entire source code at risk of mandatory distribution. Commercial software poses the same kind of risk: you pay for a commercial license, but you must still comply with the licenses of any open source components within that software. Proper governance of open source software is very important; without it you are putting your entire source code and your company’s reputation at risk, which can have long-term adverse effects.
So you still think you don’t need an OSS audit? Think again!
Register for the webinar “Diligence, compliance and future trends in open source software” on May 24 to learn the basic OSS risks and compliance issues that’ll help your team stay protected.
Talk to our team about a Rogue Wave Open Source Audit.