Indirect Dependencies Are Killing Open Source Licenses

Lifecycle management company White Source has presented new research that claims to be able to quantify the degree to which open source components depend on other open source libraries, especially where multiple different licenses are involved.

According to the research, in 91% of software projects some of the open source components imported by developers contained additional dependencies that were brought in by those components. More so, in 65% of the cases, open source components bring with them additional dependencies that are subject to a different license.

It is true that many software developers often rely on open source components, and most are actively tracking the licenses of these components to control potential risks and to ensure compliance with their requirements.

White Source claims that its survey shows that many developers only track and account for the components that they are using directly, so they are missing the libraries that these components depend on. Since the dependencies often use different licenses, they often overlook substantial risks and compliance requirements.

The company suggests that when lacking proper tools that detail all dependencies, developers are "almost surely" missing the large chain of open source libraries that are automatically imported with the open source components they use. As a result, decision makers are often not provided with full information, compliance is lacking, and risks are not properly accounted for and managed.

An exacerbating factor is that most companies rely on manual or semi-automated processes to research and report open source components and licenses, and often use static documents to track these. As a result, not only is it difficult and tediously laborious to identify dependencies and their licenses, it is also impossible to track changes over time. For example, an open source project that adds features and uses new dependencies to do so. It doesn't help that open source tracking is not a task that developers are fond of, to say the least.

"Correctly tracking and updating the open source inventory down to the last dependency is one of the most tedious and least favorite tasks for developers. Due to its complexity, it is almost never done properly, and most organizations rely on incomplete, stale, and often incorrect information," says White Source CEO Rami Sass.

According to a recent White Source research, based on 473 real software projects: the average software project contains 64 open source dependencies, and an average of 8 different open source licenses; 37% of all open source components depend on other open source libraries. The most complex software project had 1917 open source dependencies and most projects were subject to multiple licenses, with the maximum recorded at 26 licenses.

"White Source automatically identifies any new open source component that is added by a developer, and then immediately presents the entire dependency tree, down to the last library and license. We keep the information current, so we can notify customers of changes to existing components. As such, White Source enables customers to be on top of their entire open source inventory and licenses, all the time, while also relieving developers from the need to research and document all this information," said White Source's Rass.