Understanding Open-Source License Risk

When someone uses an open-source software component, they automatically enter into an open-source license with the code’s author. Although open-source may seem like a free-for-all, this license is a legally binding contract that declares how and where you can use the code commercially. Usually, an open-source license permits you to freely modify a work and use it in new ways, like integrating it into larger projects or developing the original work into a better version.

Open-source licensing is gaining popularity because it promotes a free exchange of ideas within a community to drive creative, scientific, and technological advancement. Many industries use open-source licenses, such as electronics, robotics, and biotechnology. They’re most commonly used in the software space, though. As much as 80 percent of the code in the average software application comprises open-source components.

As much as open-source code helps companies innovate faster, reducing the time developers spend on basic software components, it undoubtedly introduces risk. Because open-source licenses aren’t clear-cut, utilizing open-course code can potentially land companies in legal trouble if they inadvertently use code in the wrong way.

Let’s explore some of the risks of using open-source licenses and discuss tools to help mitigate this risk for safer, more legally compliant applications.

Open-Source Licences Vary

Open-source components usually contain a chain of dependencies. These components and their dependencies have varying licenses. You may be surprised to learn that open-source licenses come in more than 200 varieties, with unique (and sometimes confusing) terms and conditions which, let’s face it, we don’t even read most of the time.

The license transforms ordinary code into an actual open-source component. Without it, the software component is unusable by others, even if it appears publicly on GitHub.

We can broadly divide open-source licenses into two main categories: copyleft and permissive. When a developer releases an open-source software component under the copyleft license, it implies that anyone is free to use this component as long as they also make their code open for use by others. A permissive open-source license places minimal restrictions on library use. It guarantees freedom to use, modify, and redistribute a library, including for proprietary derivative works. Developers refer to these licenses as “anything goes.”

The most common open-source licenses include MIT License, GNU General Public License (GPL), Apache License, Eclipse Public License (EPL), Microsoft Public License (MS-PL), Berkeley Software Distribution (BSD), and Common Development and Distribution License (CDDL). Some projects have no license, implying that default copyright laws apply to them.

The Problem with Manual Detection

With the myriad of possible licenses in open-source projects, it’s nearly impossible for developers or security teams to track them all. This is especially true when we’re under pressure to churn out new features at a rapid rate. As such, we can’t rule out the possibility of accidentally importing a viral or restrictive-licensed library into their enterprise application’s codebase. If teams don’t detect and mitigate this early enough, it can lead to serious legal issues, or other risks, such as incurring substantial financial losses, loss of productive time, and even loss of clients.

Imagine the difficulty of trying to manage licenses for open-source libraries and all their dependencies manually. It would be tedious and unnecessarily time-consuming. Even after all your hard work, you would inevitably still miss a couple or misunderstand the license agreement.

On the other hand, imagine the possible issues that can arise if you decide to neglect license compliance altogether. According to Snyk’s State of Open Source Security Report 2020, as many as 75 percent of codebases security vendors audited had security vulnerabilities or license risks.

Choosing between using open-source components with their potential risks and avoiding them altogether (implying more work) is like standing between the devil and the deep blue sea. Most developers would rather channel their energy toward building helpful new software than ensuring license compliance. In that case, we must find a cost-effective way of dealing with the challenge. This is where Trend Micro Cloud One – Open Source Security comes in.

Reduce License Risk with Trend Micro

Trend Micro Cloud One has partnered with Snyk to develop the first-ever purpose-built service for SecOps teams. With Trend Micro Cloud One – Open Source Security by Snyk, security teams gain early visibility and tracking insight into open-source security and license risks with this tool.

It does this by automatically finding, prioritizing, and reporting vulnerabilities and license risks in open-source dependencies that applications use. Since it’s part of the Trend Micro Cloud One Security platform, you can integrate this solution into code repositories like GitHub and Bitbucket and your continuous integration and continuous deployment (CI/CD) pipeline. This integration enables security teams to scan open-source projects on the go and identify, manage, and quickly resolve open-source security and license risks.

Cloud One – Open Source Security can monitor private and public repositories. It provides insight into your open-source projects and proprietary software that may contain open-source libraries.

As the figure above shows, you can configure Cloud One – Open Source Security to automatically test for new vulnerabilities in the source code each time your team creates a pull request or make pull requests to fix vulnerabilities/upgrade outdated dependencies. This automation ensures that no stone is left unturned, and prevents security and development teams from inadvertently overlooking critical issues.

When you integrate the Snyk tool into your code repository, it enables you to select the projects you want it to manage. These selected projects appear on your Cloud One – Open Source Security dashboard. You can configure the dashboard only to show vulnerable projects.

The Trend Micro dashboard summarizes your projects’ vulnerabilities, categorizing them by their severity: critical, high, medium, and low severity. These categories are also color-coded for easy identification. It also shows license issues on the same dashboard. This categorization helps your security team easily spot problems and tackle them according to priority, thereby speeding mitigation.

The image below shows how the Cloud One – Open Source Security dashboard looks:

Under the Reports tab, Snyk filters out all the licenses your projects use and flags where you may need to focus. It also gives insight into the dependencies of components, as well as the projects that use them. This helps the security teams spot libraries with license risks and know what actions to take to mitigate them.

The image below shows an overview of the licenses from the different projects within selected GitHub repositories:

More than just merely showing the different licenses in use in your repositories, Cloud One – Open Source Security provides an individual license’s details when you simply click a button. Also, when you click on any license’s dependencies, the dashboard lists all sub-dependencies attached to it. The image below shows an example:

The Snyk Vulnerability Database

Among other reasons for selecting an open-source security scanning tool, perhaps one of the most important is its vulnerability database. The vulnerability database helps flag a library or license as vulnerable or not. So, a reliable vulnerability database must continually update with the latest threats and minimize false positives.

The Snyk Vulnerability Database (DB) powers Cloud One – Open Source Security to provide comprehensive and actionable open-source vulnerability intelligence. Experts, researchers, and analysts manage the database. This ensures high accuracy and low false positives.

Snyk often identifies and exposes vulnerabilities long before they appear in public databases. The database includes common vulnerabilities and exposures (CVEs) plus many non-CVE vulnerabilities it derives from additional sources.

The team responsible for managing the Snyk Vulnerability DB provides data for each vulnerability and hand-curated content. They also offer summaries with code snippets, where applicable.

Snyk analyzes and tests all database items for accuracy. This includes version ranges, vulnerable methods, and more. Snyk also assigns a Common Vulnerability Scoring System (CVSS) score and vector to all vulnerabilities. All of these measures ensure you have the highest level of open-source security you can get while maintaining a seamless user experience.

Next Steps

Although open-source libraries offer many benefits, you must weigh their benefits against their licensing risks. The wide variety of licenses, and the dependencies within dependencies, make it nearly impossible for security teams to manage all the libraries and their dependencies across all the different projects they oversee.

Trend Micro Cloud One – Open Source Security by Snyk offers a reliable and cost-effective solution to open-source license risks. This security tool helps you trace vulnerabilities through hidden dependencies, categorizes their risk level, and suggests solutions. Your developers and security teams can quickly mitigate any licensing risks to get your new applications and features out to your end-users.

Although open-source licensing confusion can land your company in legal trouble, you can still enjoy open-source’s benefits while protecting your applications from the pangs of open-source vulnerabilities. To experience this comprehensive open-source license detection for yourself, explore a 30-day free trial of Trend Micro Cloud One – Open Source Security by Snyk.

If you’re interested in developing expert technical content that performs, let’s have a conversation today.




If you work in a tech space and aren’t sure if we cover you, hit the button below to get in touch with us. Tell us a little about your content goals or your project, and we’ll reach back within 2 business days. 

Share via
Copy link