Open Source License Compliance

Every open source dependency in your code base has a license with its own set of terms and conditions. How can you make sure all the open source licenses are compatible and compliant?

Which open source licenses are you using?

With more than 200 different open source licenses out there, each with its own terms and conditions, some copyleft (viral), some permissive, some permissive with strings attached, and some components with no open source license at all (for which default copyright law applies), it’s tough to keep track of and fulfill all the legal requirements.

Failing to accurately track licenses is risky business, and can result in some unfortunate surprises. At best it could be just the headache of replacing a component; at worst, it could mean jeopardizing exclusive ownership of your proprietary code.

Detect issues early in the process

Imagine it. You’re about to release your product and a pre-release code scan reveals you’re using a component with a problematic license. Removal of the component means going back to the drawing board on that segment of code, tearing and replacing, and redeveloping. Or worse, the issue is discovered post-release. And now your legal department is facing infringement claims.

Many software development teams attempt to track licenses manually. While they may succeed in tracking the components and their licenses, that still leaves the transitive dependencies, many of which carry completely different licenses.

With Mend.io, it’s all automatic. Whenever a new open source component is added to the build, Mend identifies its license and any licenses attached to any of its dependencies.

Set up automatic policies to control your usage

Mend.io also lets you create your company’s license policy by defining a white list of automatically approved licenses; a black list of automatically rejected licenses (choose to get an alert and/or fail the build when a component or dependency with one of these is added); and a list of licenses that need to be approved on a case-by-case basis. Licenses in that third list initiate a pre-defined email approval request, with all approvals tracked, signed and archived within the Mend.io system for later access.

Once you have completed your one-time policy setup, you get alerted to any predefined policy pitfalls as you develop, so you can make informed decisions before you incorporate components into your build.
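To make the three-list policy concrete, here is an added example (not Mend.io's code, and not its real data model) that classifies each component and its transitive dependencies as approved, needing review, or rejected, and decides whether the build fails or merely alerts. It assumes flat SPDX license expressions ("A OR B", "A AND B") and treats a missing license as rejected, since default copyright then applies; the policy lists and the dependency tree are constructed sample values.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Three-list policy (constructed sample values, not a recommendation for any real project).
APPROVED = {"MIT", "Apache-2.0", "BSD-3-Clause"}   # auto-approved ("white list")
REJECTED = {"GPL-3.0-only", "AGPL-3.0-only"}       # auto-rejected ("black list")
RANK = {"approved": 0, "review": 1, "rejected": 2} # anything else needs case-by-case review

@dataclass
class Component:
    name: str
    license: str | None                      # SPDX expression, or None when no license is declared
    deps: list[Component] = field(default_factory=list)

def classify(expr: str | None) -> str:
    """Map an SPDX license expression to 'approved', 'review' or 'rejected'."""
    if not expr:
        return "rejected"  # no license at all: default copyright applies, so treat as blocked
    if " OR " in expr:     # OR binds loosest; the consumer may pick the most favourable option
        return min((classify(p) for p in expr.split(" OR ")), key=RANK.get)
    if " AND " in expr:    # every term must be satisfied, so the least favourable verdict wins
        return max((classify(p) for p in expr.split(" AND ")), key=RANK.get)
    lic = expr.strip("() ")  # assumption: flat expressions, nested parentheses are not parsed
    return "approved" if lic in APPROVED else "rejected" if lic in REJECTED else "review"

def evaluate(roots: list[Component], fail_build: bool = True):
    """Walk components and their transitive dependencies; return (findings, build_ok)."""
    findings, seen, stack = [], set(), list(roots)
    while stack:
        c = stack.pop()
        if c.name in seen: continue
        seen.add(c.name)
        verdict = classify(c.license)
        if verdict != "approved":          # approved components are silent; the rest get an alert
            findings.append((c.name, c.license, verdict))
        stack.extend(c.deps)               # dependencies are checked against the same policy
    blocked = any(v == "rejected" for _, _, v in findings)
    return findings, not (fail_build and blocked)  # alert-only mode never fails the build

# Constructed dependency tree for demonstration.
SAMPLE = [
    Component("web-framework", "MIT", deps=[
        Component("template-engine", "BSD-3-Clause"),
        Component("crypto-helper", "LGPL-2.1-only OR MIT"),
        Component("pdf-renderer", "AGPL-3.0-only", deps=[Component("font-lib", None)]),
    ]),
    Component("orm", "Apache-2.0 AND MPL-2.0"),
]

print(*evaluate(SAMPLE)[0], sep="\n")
```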

Mend.io also automates licensing applications and copyright creation (EULA), so complying with license terms is quick and easy.
