Open source licence non-compliance is a major risk for companies of all sizes.
This is according to the 2018 Open Source Security and Risk Analysis (OSSRA) report, compiled and published recently by the Synopsys Centre for Open Source Research and Innovation.
The OSSRA provides an in-depth look at the state of open source security, licence compliance and code-quality risk in commercial software. This year’s analysis examined the data of over 1 100 commercial codebases audited in 2017 by Black Duck’s On-Demand audit services department.
According to the report, open source components are governed by about 2 500 known open source licences, many with obligations and different levels of restrictions. However, many users of open source software simply ignore these, often in the mistaken belief that open source software is “free”, and free means being able to do with the software as one likes.
It looks as if all that is about to change with interesting developments in the enforcement of the GNU General Public Licence (GPL) in the United States in 2017 providing a glimpse of what is to come.
The GPL is the most commonly used free software licence. It allows software to be freely used, modified and redistributed by anyone.
However, in early 2017, a US district court found that a breach of the GPL licence may be considered a breach of contract. The case before the court involved Artifex Software, the developer and licensor of Ghostscript, one of the most widely used PDF interpreters, and Hancom, which owns and develops a word processing application, Hangul. Hancom had incorporated Ghostscript into Hangul some years before.
While the case was finally settled out of court, the court ruled that a plaintiff such as Artifex, which has dual licensing of software under both commercial and open source terms (a common business model), may seek monetary relief for breach of the open source licence based on the value of the commercial licence fees it would have received.
Although the court did not definitively rule whether this was indeed a breach of contract, it did not rule to the contrary either. This indicates that in the US at least, a precedent has been set for treating open source licences like contracts.
The court also looked at another complex issue in open source law: whether an open source licensor can obtain an order requiring the licensee to distribute the source code to a derivative work. Artifex had asked the court to make such a ruling and although the court didn’t do so, it also did not refuse to do so.
According to the OSSRA report, 74% of the codebases audited in 2017 contained components with licence conflicts, the most common of which were GPL licence violations. In fact, 44% of all applications examined had GPL conflicts.
“Identifying exactly what open source code is in your codebase is crucial for properly managing its use and reuse, as well as key to ensuring compliance with software licences, an essential step in reducing business risk,” the report stated. “Failure to comply with open source licences can put businesses at significant risk of litigation and compromise of intellectual property.”
Although the litigation to date has been confined to the United States, the report concluded that unless a licence specifies otherwise, nobody can legally use, copy, distribute or modify creative work, including open source code, without being at risk of litigation.