
Indirect Dependencies Are Killing Open Source Licenses

Lifecycle management company White Source has presented new research that, it claims, quantifies how heavily open source components depend on other open source libraries, particularly where several different licenses are involved.


According to the research, in 91% of software projects some of the open source components imported by developers contained additional dependencies that those components brought in with them. Moreover, in 65% of cases those additional dependencies were subject to a different license from the component that pulled them in.

Many software developers rely on open source components, and most actively track the licenses of those components to control risk and to ensure they comply with the licenses' requirements.

White Source claims that its survey shows that many developers only track and account for the components that they are using directly, so they are missing the libraries that these components depend on. Since the dependencies often use different licenses, they often overlook substantial risks and compliance requirements.

The company suggests that when lacking proper tools that detail all dependencies, developers are "almost surely" missing the large chain of open source libraries that are automatically imported with the open source components they use. As a result, decision makers are often not provided with full information, compliance is lacking, and risks are not properly accounted for and managed.

An exacerbating factor is that most companies rely on manual or semi-automated processes to research and report open source components and licenses, and often track them in static documents. As a result, identifying dependencies and their licenses is not only difficult and laborious, it is also impossible to track changes over time: an open source project that adds features, for example, may pull in new dependencies to do so, and a static inventory will never reflect them. It doesn't help that open source tracking is not a task that developers are fond of, to say the least.

"Correctly tracking and updating the open source inventory down to the last dependency is one of the most tedious and least favorite tasks for developers. Due to its complexity, it is almost never done properly, and most organizations rely on incomplete, stale, and often incorrect information," says White Source CEO Rami Sass.

According to recent White Source research based on 473 real software projects, the average software project contains 64 open source dependencies under an average of 8 different open source licenses, and 37% of all open source components depend on other open source libraries. The most complex project had 1917 open source dependencies, and most projects were subject to multiple licenses, with the maximum recorded at 26 licenses.
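The gap the research describes is between what a developer declares (direct dependencies) and what actually ships (the transitive closure). The following is an added example, not code from the article or from White Source: it walks a small, constructed dependency graph breadth-first, records the path through which every indirect library arrives, and reports the licenses that appear only via transitive dependencies, plus any dependency whose license is on a caller-supplied deny list. Package names and licenses in the sample graph are invented for illustration; a real tool would populate the graph from a lockfile or package manifest.

```python
from collections import deque

# Constructed sample dependency graph: package -> (license, [direct dependencies]).
# Only "web-framework" and "json-utils" are declared by the application itself;
# everything below them arrives indirectly, including a GPL-licensed library.
SAMPLE_GRAPH = {
    "app": ("Proprietary", ["web-framework", "json-utils"]),
    "web-framework": ("MIT", ["http-parser", "template-engine"]),
    "json-utils": ("Apache-2.0", []),
    "http-parser": ("BSD-3-Clause", []),
    "template-engine": ("GPL-3.0-only", ["string-helpers"]),
    "string-helpers": ("MIT", []),
}


def license_of(graph, name):
    """License for a package; missing metadata is itself a compliance finding."""
    return graph.get(name, ("UNKNOWN", []))[0]


def resolve_transitive(graph, root):
    """Breadth-first walk from root.

    Returns {dependency: path}, where path lists the packages from a direct
    dependency of root down to the dependency itself. BFS yields the shortest
    introducing path, and the visited set makes diamonds and cycles terminate.
    """
    paths = {}
    queue = deque([dep] for dep in graph[root][1])
    while queue:
        path = queue.popleft()
        name = path[-1]
        if name in paths:
            continue
        paths[name] = path
        for child in graph.get(name, ("UNKNOWN", []))[1]:
            if child not in paths and child != root:
                queue.append(path + [child])
    return paths


def license_report(graph, root, denied=()):
    """Summarise the full inventory and what a direct-only view would miss."""
    paths = resolve_transitive(graph, root)
    direct = {n for n, p in paths.items() if len(p) == 1}
    direct_licenses = {license_of(graph, n) for n in direct}
    denied = set(denied)

    # Licenses that never appear among the declared dependencies and would be
    # invisible to anyone tracking only the components they imported themselves.
    hidden = {
        n: license_of(graph, n)
        for n, p in paths.items()
        if len(p) > 1 and license_of(graph, n) not in direct_licenses
    }
    # Policy violations, each with the chain that pulled the library in, so the
    # owner of the offending direct dependency can be identified.
    violations = {
        n: " -> ".join([root] + p)
        for n, p in paths.items()
        if license_of(graph, n) in denied
    }
    return {
        "dependency_count": len(paths),
        "license_count": len({license_of(graph, n) for n in paths}),
        "direct": sorted(direct),
        "transitive": sorted(n for n, p in paths.items() if len(p) > 1),
        "licenses_only_via_transitive": hidden,
        "violations": violations,
    }


if __name__ == "__main__":
    report = license_report(SAMPLE_GRAPH, "app", denied=["GPL-3.0-only"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

In the sample, a direct-only inventory would list two MIT/Apache components; the full walk finds five dependencies under four licenses, and the GPL library is reported together with the path `app -> web-framework -> template-engine` that introduced it. Rerunning the report on every lockfile change is what turns a one-off audit into the continuous tracking the article argues for.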

"White Source automatically identifies any new open source component that is added by a developer, and then immediately presents the entire dependency tree, down to the last library and license. We keep the information current, so we can notify customers of changes to existing components. As such, White Source enables customers to be on top of their entire open source inventory and licenses, all the time, while also relieving developers from the need to research and document all this information," said White Source's Sass.
