Most organisations involved in software or hardware development still have no license auditing process for their codebase, according to JetBrains.
Anastasia Khramushina, writing for the developer tools specialist, said that organisations need to keep their dependency licenses in check to avoid legal and reputational damages stemming from licensing issues.
“If your business relies on open-source components or outsource development in your services, or if you as a developer reuse code from services like GitHub when working on company projects, your organisation could be at risk,” she said.
With the rising popularity of free software licensing such as the GNU General Public License (GPL), organisations may increasingly overlook more stringent licensing requirements around their use of software.
“Inappropriate use of the GPL can land businesses in legal trouble if they use code in the wrong way, deliberately or otherwise,” Khramushina said.
The GPL typically allows end users to run, study, share and modify software with the license. However, companies like Panasonic Avionics have fallen foul of the US courts, being sued by CoKinetic Systems for damages over $100m due to alleged misuse of GPL licensing.
“Nearly all organisations involved in software or hardware development still have no license auditing process for their codebase,” Khramushina said.
“There are many other cases like Welte v Fantec or Linksys v Free Software Foundation where a company or organisation neglected license auditing and had to suffer the consequences.”
Organisations cannot afford to miss a piece of unlicensed code ending up in their own product – but manual detection is difficult when developers, legal and security teams are working with multiple applications and licenses, she added.
“You can’t rule out the possibility of accidentally importing a restrictive-licensed library into a software codebase or forgetting to update an expired license,” Khramushina said.
“For developers, Qodana lists dependency licenses in an analysed repository and warns you about any problems concerning their compatibility with the project licenses,” Khramushina explained.