What are Open Source Software License Risks?
Explore the risks of using open source licenses and the tools that help mitigate them for safer, more legally compliant applications.
When you use an open source software component or library, you automatically accept the license its author attached to the code. Open source is free to use in most cases, but the license is still a legally binding set of terms that declares how and where you may use the code, including commercially. Most open source licenses permit you to modify a work and use it in new ways, such as integrating it into a larger project or developing the original into an improved version.
Open source licensing is popular because it promotes a free exchange of ideas within a community and drives creative, scientific, and technological advancement. Organizations of every size and industry use open source components; however, inadvertently using code in a way its license does not allow can land a company in legal trouble.
Let’s explore some of the risks of using open source licenses and discuss tools to help mitigate this risk for safer, more legally compliant applications.
Open Source Licenses Vary
Open source components usually carry a chain of transitive dependencies, and those dependencies carry licenses of their own, which need not match the license of the top-level component. Open source licenses come in more than 200 varieties, each with its own (and sometimes confusing) terms and conditions which, let’s face it, most of us do not read.
The license is what turns ordinary code into an open source component. Without one, default copyright applies: nobody else may copy, modify, or redistribute the code, even if it appears publicly on GitHub.
We can broadly divide open source licenses into two categories: copyleft and permissive. When a developer releases a component under a copyleft license, anyone is free to use and modify it, but works derived from it must be distributed under the same license, with source code available. Strong copyleft licenses (such as the GPL) extend this obligation to any program that incorporates the component, while weak copyleft licenses (such as the LGPL, MPL, EPL, and CDDL) generally require sharing only changes to the library itself. A permissive license places minimal restrictions on use: it guarantees the freedom to use, modify, and redistribute the library, including inside proprietary derivative works, usually on the sole condition that the copyright notice is retained. Developers refer to these licenses as “anything goes.”
The most common open source licenses include the MIT License, the GNU General Public License (GPL), the Apache License, the Eclipse Public License (EPL), the Microsoft Public License (MS-PL), the Berkeley Software Distribution (BSD) licenses, and the Common Development and Distribution License (CDDL). Some projects have no license at all; default copyright then applies, and you have no right to use the code in your own work.
The Problem with Manual Detection
With the myriad of possible licenses in open source projects, it is nearly impossible for developers or security teams to track them all by hand, especially under pressure to ship new features at a rapid rate. A restrictively licensed library can enter an enterprise codebase unnoticed, often as a transitive dependency several levels below anything a developer chose deliberately. If teams do not detect and remediate this early, it can lead to serious legal issues and other costs: substantial financial losses, lost productive time, and even lost clients.
Most developers would rather spend their energy building useful software than checking license compliance, so license tracking, monitoring, and remediation often fall to SecOps teams. Those teams need a cost-effective way to manage the risk while developers build and ship secure applications. This is where Trend Micro Cloud One™ – Open Source Security by Snyk comes in.
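The two problems above, classifying a license into copyleft or permissive and finding a restrictive license buried several dependency levels deep, are mechanical enough to script. The following is an added example, not code from this article or from Trend Micro or Snyk. It parses SPDX license expressions (handling `AND`, `OR`, parentheses, and `WITH` exceptions) against a small policy table, then walks a constructed dependency tree breadth-first and reports every package whose license exceeds the allowed category, together with the shortest path that pulls it in. The policy table, the package tree, and the package names are all constructed for illustration; a real run would build the tree from a lockfile such as `package-lock.json` or a pip/poetry lock plus each package's metadata.

```python
"""Classify dependency licenses and flag the ones a proprietary application cannot absorb."""
from collections import deque

# Policy categories, ordered by how much they constrain a proprietary application.
PERMISSIVE = 0       # use, modify, redistribute; keep the notice
WEAK_COPYLEFT = 1    # changes to the library itself must be shared; linking is fine
STRONG_COPYLEFT = 2  # derivative works (often the whole app) must carry the same license
UNKNOWN = 3          # no license, or unrecognised: default copyright applies, so fail closed
CATEGORY_NAME = {0: "permissive", 1: "weak-copyleft", 2: "strong-copyleft", 3: "unknown"}

# Constructed policy table keyed by SPDX identifier; extend it for your own environment.
LICENSE_CATEGORY = {
    "MIT": PERMISSIVE, "ISC": PERMISSIVE, "0BSD": PERMISSIVE, "Unlicense": PERMISSIVE,
    "BSD-2-Clause": PERMISSIVE, "BSD-3-Clause": PERMISSIVE, "Apache-2.0": PERMISSIVE, "MS-PL": PERMISSIVE,
    "LGPL-2.1-only": WEAK_COPYLEFT, "LGPL-2.1-or-later": WEAK_COPYLEFT,
    "LGPL-3.0-only": WEAK_COPYLEFT, "LGPL-3.0-or-later": WEAK_COPYLEFT,
    "MPL-2.0": WEAK_COPYLEFT, "EPL-1.0": WEAK_COPYLEFT, "EPL-2.0": WEAK_COPYLEFT, "CDDL-1.0": WEAK_COPYLEFT,
    "GPL-2.0-only": STRONG_COPYLEFT, "GPL-2.0-or-later": STRONG_COPYLEFT,
    "GPL-3.0-only": STRONG_COPYLEFT, "GPL-3.0-or-later": STRONG_COPYLEFT,
    "AGPL-3.0-only": STRONG_COPYLEFT, "AGPL-3.0-or-later": STRONG_COPYLEFT,
}


def _normalize(tok):
    """Map the deprecated 'GPL-2.0+' spelling onto the current '-or-later' identifier."""
    return tok[:-1] + "-or-later" if tok.endswith("+") else tok


def classify(expr):
    """Return the policy category for an SPDX expression.

    OR picks the least restrictive alternative (the consumer chooses which to accept);
    AND takes the most restrictive (every term applies). AND binds tighter than OR,
    as in the SPDX specification. A missing or unparseable expression is UNKNOWN.
    """
    if not expr or not expr.strip():
        return UNKNOWN
    tokens = expr.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0

    def parse_or():
        nonlocal pos
        result = parse_and()
        while pos < len(tokens) and tokens[pos].upper() == "OR":
            pos += 1
            result = min(result, parse_and())
        return result

    def parse_and():
        nonlocal pos
        result = parse_atom()
        while pos < len(tokens) and tokens[pos].upper() == "AND":
            pos += 1
            result = max(result, parse_atom())
        return result

    def parse_atom():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError(f"unexpected end of expression: {expr!r}")
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            result = parse_or()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError(f"unbalanced parentheses in {expr!r}")
            pos += 1
            return result
        # "GPL-2.0-only WITH Classpath-exception-2.0": the exception loosens the base
        # license, but we keep the base category so that a human reviews it.
        if pos + 1 < len(tokens) and tokens[pos].upper() == "WITH":
            pos += 2
        return LICENSE_CATEGORY.get(_normalize(tok), UNKNOWN)

    try:
        result = parse_or()
    except ValueError:
        return UNKNOWN
    return result if pos == len(tokens) else UNKNOWN  # trailing garbage: fail closed


def audit(packages, root, max_allowed=PERMISSIVE):
    """Breadth-first walk from root; report each reachable package whose category exceeds
    max_allowed, with the shortest dependency path that pulls it in. The root is the
    application itself and is not classified."""
    findings = []
    seen = {root}
    queue = deque([(root, [root])])
    while queue:
        name, path = queue.popleft()
        meta = packages.get(name)
        if meta is None:  # listed as a dependency but absent from the manifest
            findings.append({"package": name, "license": None, "category": "unknown", "path": path})
            continue
        if name != root:
            cat = classify(meta.get("license"))
            if cat > max_allowed:
                findings.append({"package": name, "license": meta.get("license"),
                                 "category": CATEGORY_NAME[cat], "path": path})
        for dep in meta.get("deps", []):
            if dep not in seen:
                seen.add(dep)
                queue.append((dep, path + [dep]))
    return findings


# Constructed dependency tree standing in for a flattened lockfile (names are fictional).
SAMPLE_TREE = {
    "my-app":          {"license": "UNLICENSED", "deps": ["web-framework", "image-tools", "pad-left-ish"]},
    "web-framework":   {"license": "MIT", "deps": ["http-parser", "template-engine"]},
    "http-parser":     {"license": "(MIT OR Apache-2.0)", "deps": []},
    "template-engine": {"license": "BSD-3-Clause", "deps": ["utf8-lib"]},
    "utf8-lib":        {"license": "LGPL-2.1-or-later", "deps": []},   # weak copyleft, three levels down
    "image-tools":     {"license": "Apache-2.0", "deps": ["codec-bindings"]},
    "codec-bindings":  {"license": "GPL-2.0-only", "deps": []},        # strong copyleft behind a permissive parent
    "pad-left-ish":    {"license": None, "deps": []},                  # no license at all
}

if __name__ == "__main__":
    for f in audit(SAMPLE_TREE, "my-app"):
        print(f"{f['category']:15} {f['package']:16} {f['license']!s:22} via {' > '.join(f['path'])}")
```

Running it against the sample tree reports `pad-left-ish` (no license), `codec-bindings` (GPL-2.0-only, reached only through the Apache-licensed `image-tools`), and `utf8-lib` (LGPL, three levels down). Raising `max_allowed` to `WEAK_COPYLEFT` drops the LGPL finding and keeps the other two. Unknown and unparseable expressions are treated as the most restrictive category on purpose: a package whose license the scanner cannot read needs a human, not a pass.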
Reduce License Risk with Trend Micro
Trend Micro Cloud One™ has partnered with Snyk to help security teams gain early visibility and tracking insight into open source security, library, and license risks, allowing developers to securely use open source code with peace of mind.
It does this by automatically finding, prioritizing, and reporting vulnerabilities and license risks in open source dependencies that applications use. Since it’s part of the Trend Micro Cloud One security services platform, you can integrate this solution into code repositories like GitHub and Bitbucket and your continuous integration and continuous deployment (CI/CD) pipeline.
When you integrate the Snyk tool into your code repository, you select the projects you want it to manage. These projects appear on your Cloud One – Open Source Security dashboard, which you can also configure to show only vulnerable projects.
The Trend Micro dashboard summarizes your projects’ vulnerabilities, categorizing them by severity: critical, high, medium, and low. These categories are color-coded for easy identification, and license issues appear on the same dashboard for added convenience. This categorization helps your security team spot problems easily and tackle them by priority, thereby speeding mitigation.
Trend Micro Cloud One – Open Source Security by Snyk can also monitor private and public repositories. It provides insight into your open source projects and proprietary software that may contain open source libraries.
The image below shows how the Trend Micro Cloud One – Open Source Security by Snyk dashboard looks:
Under the Reports tab, Snyk lists all the licenses your projects use and flags where you may need to focus. It also gives insight into the dependencies of components, as well as the projects that use them. This helps security teams spot libraries whose licenses may go against company policy and decide what actions to take to mitigate them.
The example image below shows an overview of the licenses from the different projects within selected GitHub repositories:
Beyond showing the different licenses in use in your repositories, Trend Micro Cloud One – Open Source Security by Snyk provides an individual license’s details at the click of a button. When you click on any license’s dependencies, the dashboard lists all sub-dependencies attached to it. The image below shows an example:
Next Steps
Although open source libraries offer many benefits, you must weigh those benefits against potential licensing risks. The wide variety of licenses, and the dependencies within dependencies, make it nearly impossible for security teams to manage by hand all the libraries and their dependencies across every project they oversee.
Trend Micro Cloud One – Open Source Security by Snyk offers a reliable, easily integrated solution to open source license risks. This security tool also helps you trace vulnerabilities through hidden dependencies, categorizes their risk level, and suggests solutions. Your developers and security teams can quickly mitigate licensing risks and get new applications and features out to your end users.
To experience this comprehensive open source license detection for yourself, start your 30-day free trial of Trend Micro Cloud One – Open Source Security by Snyk.
Learn about open source library risk in our recently published article: Manage Open Source Software Library Risks