Have you — or perhaps someone you know — ever wondered if the open source software licensing issues that may exist in your enterprise codebase really need to be taken all that seriously? 

After all, the application developers in most organizations are actively taking advantage of open source software in their current development projects. In its recent analysis of the findings from more than 200 software composition analysis audits performed by a leading solution provider over the past two years, Aberdeen Strategy & Research found that more than half (median: 54.7%) of the typical enterprise codebase is comprised of open source software — and the year-over-year trend is sharply upward.

In the News: Google LLC v. Oracle America, Inc.

When you consider that tech titans Oracle and Google have been waging a legal battle for the last 10 years — over Google’s copying and use of approximately 11,500 lines (out of a total of about 2.86M) of Oracle’s Java SE code in the Google Android platform — it’s certainly clear that software licensing issues can be pretty serious. 

In this particular case, the code in question involved application programming interfaces (APIs) and culminated in the recent 6-2 decision by the US Supreme Court — which ruled that Google’s copying and use of the Java API constitutes “fair use” under copyright law. Application developers everywhere breathed a collective sigh of relief, in their ongoing ability to use APIs to “put their accrued talents to work in a new and transformative program.”

Hidden Threats to Your Codebase

Setting APIs aside, does your organization understand the licensing-related risks from using open source software in your enterprise codebase? In its report Open Source Software, With Your Eyes Wide Open: Understanding Your Licensing-Related Risks, Aberdeen described several important insights about your licensing-related risks that might surprise you (and your friend):

  • The total number of software licensing issues discovered by a software composition analysis audit is surprisingly high: For every ten thousand lines of code, performing an audit is likely to discover between 0.5 to 10 total issues, with a median of 1. Use your own codebase size, and do the math!
  • The percentage of total software licensing issues that organizations already know about is shockingly low: Prior to an audit, 8 out of 9 (88.1%) organizations were not aware of any software licensing issues in their codebase. Of the 1 in 9 (11.9%) who had identified at least some of the existing issues, what they did know represented a median of just 9.5% of the total issues discovered. Said another way: Most organizations have virtually no visibility into the licensing-related risks from their use of open source software.
  • Priority 1 (P1) issues represent a significant proportion of the total: Among all software licensing issues discovered by an audit, those deemed to be P1 issues represent between 0% to 90%, with a median of 12.5%. The P1 category refers to a critical licensing-related risk, which should be remediated faster and with greater urgency than lower-priority issues (P2, P3, P4). 

How Many Open Source Licensing-Related Issues are in Your Enterprise Codebase?

Source: Empirical data adapted from Revenera audit services, 2019-2020 (N = 202 client software composition analyses); Aberdeen, February 2021

Copyleft Licenses and Associated Risk

Strong copyleft licenses grant you the rights to use, modify, and distribute open source code for commercial purposes. In addition, they require that the source code for derivative works be distributed, and that any derivative work be licensed and distributed under a strong copyleft license — along with your entire codebase.

For your organization’s application development projects, the so-called “viral” attribute is what makes the incorporation of open source code which is subject to a strong copyleft license such a significant risk: It creates the obligation to release your entire codebase — including your own proprietary code — as open source software under strong copyleft. The most prevalent examples of strong copyleft licenses discovered by the software composition audits used in Aberdeen’s analysis include CC BY-SA and GPL.

Strong copyleft licenses represented up to 35.6% of the items discovered in the software composition analysis audits, with a median of 12.4%. That is: For every thousand software licensing issues discovered by an audit, as many as 356 involve strong copyleft licenses, with a median of 124. Use your own codebase size, and extend your previous math!
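As an added example (not part of Aberdeen's report or of Revenera's audit tooling), here is the check the two "do the math" passages above invite: a minimal license triage over a constructed software inventory that flags shipped strong copyleft components (GPL, CC BY-SA) as P1 in the page's sense, plus an estimator that applies the page's audit rates to a codebase size. The SPDX prefix lists, the P2/P3 assignments and the sample inventory are this example's own assumptions.

```python
from collections import namedtuple

# SPDX id prefixes by family. Strong follows the page (GPL, CC BY-SA) plus AGPL;
# weak and permissive are this example's assumptions.
FAMILIES = (("strong", ("GPL-", "AGPL-", "CC-BY-SA-")),
            ("weak", ("LGPL-", "MPL-", "EPL-")),
            ("permissive", ("MIT", "BSD-", "Apache-", "ISC")))
# Inventory row: SPDX id ("" if unresolved) and whether it ships in your product.
Component = namedtuple("Component", "name spdx distributed")
SBOM = [  # constructed sample inventory, not real audit data
    Component("libfoo", "GPL-3.0-only", True),
    Component("build-helper", "GPL-2.0-or-later", False),  # build-time only
    Component("icons", "CC-BY-SA-4.0", True),
    Component("parser", "LGPL-2.1-only", True),
    Component("vendored-blob", "", True),  # license unresolved
]

def classify(spdx: str) -> str:
    """Map an SPDX id to 'strong', 'weak', 'permissive' or 'unknown'."""
    for family, prefixes in FAMILIES:
        if spdx and spdx.startswith(prefixes):
            return family
    return "unknown"

def priority(c: Component) -> str:
    """P1 = strong copyleft shipped in the product (the page's 'viral' case).
    P2 (unresolved license) and P3 (shipped weak copyleft) are assumptions."""
    family = classify(c.spdx)
    if family == "strong" and c.distributed:
        return "P1"
    if family == "unknown":
        return "P2"
    if family == "weak" and c.distributed:
        return "P3"
    return ""  # no licensing issue

def triage(sbom) -> dict:
    """Group the names of every component that is an issue by priority."""
    out = {}
    for c in sbom:
        if p := priority(c):
            out.setdefault(p, []).append(c.name)
    return out

def expected_issues(loc: int) -> dict:
    """Page's audit rates: 0.5 / 1 / 10 issues per 10k LOC; 12.4% strong copyleft."""
    per_10k = loc / 10_000
    return {"low": 0.5 * per_10k, "median": per_10k, "high": 10 * per_10k,
            "median_strong_copyleft": per_10k * 0.124}
```

A GPL component used only at build time is deliberately not flagged here; whether that holds for your product depends on how it is linked and distributed, which is exactly what an audit establishes.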

Bottom Line: Balance Risk and Reward

To fully realize the rewards of using open source software, your organization must also understand and manage its associated risks. Understanding your organization’s risks from open source software is key to making better-informed business decisions for what to do about them — and investing in a software composition analysis of your own “crown jewels” codebases is a logical place to start.
